Definitions and Properties of Zero-Knowledge Proof

DEFINITIONS AND PROPERTIES OF

ZEROKNOWLEDGE PROOF SYSTEMS

Oded Goldreich

Yair Oren

Department Of Computer Science

Technion Haifa Israel

Abstract

In this pap er we investigate some prop erties of zeroknowledge pro ofs a notion

introduced by Goldwasser Micali and Racko We introduce and classify two deni

tions of zeroknowledge auxil iar y input zeroknowledge and bl ack box simul ation

zeroknowledge We explain why auxiliaryinput zeroknowledge is a denition more

suitable for cryptographic applications than the original GMR denition In partic

ular we show that any proto col solely comp osed of subproto cols which are auxiliary

input zeroknowledge is itself auxiliaryinput zeroknowledge We show that blackbox

simulation zeroknowledge implies auxiliaryinput zeroknowledge which in turn implies

the GMR denition We argue that all known zeroknowledge pro ofs are in fact

blackboxsimulation zeroknowledge ie were proved zeroknowledge using blackbox

simulation of the verier As a result all known zeroknowledge pro of systems are

shown to b e auxiliaryinput zeroknowledge and can b e used for cryptographic appli

cations such as those in GMW We demonstrate the triviality of certain classes of

zeroknowledge pro of systems in the sense that only languages in BPP have zero

knowledge pro ofs of these classes In particular we show that any language having

a Las Vegas zeroknowledge pro of system necessarily b elongs to RP We show that

randomness of b oth the verier and the prover and nontriviality of the interaction are

essential prop erties of nontrivial auxiliaryinput zeroknowledge pro ofs

Preliminary versions of this work have app eared in O O

WARNING The current text was automatio cally translated from old tro les Such

translations may introduce errors Furthermore Im not sure whether the source tro les

Ive found are actually the onesw corresp onding to the nal version Errors may b e due to

this fact to o The nal version has app eared in Journal of Cryptology Vol No

INTRODUCTION The fundamental notion of zeroknowledge was introduced by

Goldwasser Micali and Racko in GMR They considered a setting where a p owerful

pr ov er is proving a theorem to a probabilistic p olynomial time v er if ier Intuitively a pro of

system is considered zeroknowledge if whatever the verier can compute while interacting

with the prover it can compute by itself without going through the proto col The intriguing

nature of this notion has raised considerable interest and many questions to b e answered

Zeroknowledge pro ofs are of wide applicability in the eld of cryptographic proto cols as

demonstrated by Goldreich Micali and Wigderson in GMW GMW In this pap er

we investigate some asp ects of these pro of systems We present new denitions of zero

knowledge discuss their imp ortance and investigate their relative p ower In the second

part of the pap er we demonstrate that certain prop erties are essential to zero knowledge

interactive pro ofs

Denitional issues The original denition of zeroknowledge was presented in

GMR This denition do es not seem to fully capture the intuitive meaning of the concept

of zeroknowledge For one thing one would exp ect that the sequential application com

p osition of proto cols each of which is zeroknowledge would yield a proto col which is itself

zeroknowledge in the same manner that summing any nite number of zeros would leave

the total at zero However as claimed by FS and recently shown in GK such a com

p osition theorem cannot b e proved for the GMR denition Another problem with this

denition concerns its applicability to cryptographic proto cols Typically zeroknowledge

pro of systems will b e used as subproto cols within larger cryptographic proto cols In such

a scenario it is natural that a dishonest party a cheating verier in the zeroknowledge

terminology will compute its messages based on information acquired before the pro of pro

to col b egan p ossibly from earlier stages of the proto col in which the zeroknowledge pro of

is a subproto col We would like to require that even this additional information will not

enable the verier to obtain any knowledge from its interaction with the prover This is

not guaranteed by the original denition In an eort to overcome these problems we

formulate the denition referred to as auxil iar y input zeroknowledge Intuitively the

denition requires that whatever a verier that has access to any information can compute

when interacting with the prover it can also compute by itself when having access to the

same information Apart from dealing with veriers that cheat by means of using outside

information the prop osed denition also enables us to prove a comp osition theorem The

fact that auxiliaryinput zeroknowledge is closed under comp osition is crucial for the use of

zeroknowledge pro ofs in mo dular design of cryptographic proto cols In GMW a compiler

is presented that transforms any proto col correct in a weak adversarial mo del to a proto col

correct in the strongest adversarial mo del The existence of such a compiler relies heavily

on the existence of auxiliaryinput zeroknowledge pro ofs for every language in NP On

the other hand the ability to derive such a strong result indicates that the auxiliaryinput

zeroknowledge denition is suitable for cryptographic purp oses The requirements of the

auxiliaryinput denition may seem very restrictive However all known zeroknowledge

pro of systems eg GMR GMW satisfy even a seemingly much stricter denition

All these proto cols were proved zeroknowledge by presenting one algorithm that uses any

verier as a blackbox to simulate the interaction of that verier with the prover In fact

it is hard to conceive an alternative way to prove a proto col zeroknowledge We therefore

present the denition of bl ack box simul ation zeroknowledge which formalizes this re

quirement We show that blackboxsimulation zeroknowledge implies auxiliaryinput zero

knowledge As a result all known zeroknowledge pro ofs are auxiliaryinput zeroknowledge

and can b e used for cryptographic purp oses such as those in GMW

Remark The fact that the GMR denition is not closed under comp osition and that

nonuniform veriers could b e used to overcome this problem was observed indep endently

by Goldwasser Micali and Racko GMR Tompa and Woll TW and Feige and Shamir

Essential Prop erties of ZeroKnowledge Other results in this pap er concern the

tr iv ial ity of certain classes of zeroknowledge pro of systems We will consider a class of

pro of systems tr iv ial in this context if only languages in BPP can have zero knowledge

pro of systems of this type The reason b eing that any BPP language has a trivial zero

knowledge pro of one in which the verier checks by himself whether x L or not Proving

the triviality of some class of pro of systems can b e thought of as demonstrating that some

prop erty which this class lacks is essential to zeroknowledge In particular we show that

any language L p ossessing a Las Vegas zeroknowledge pro of system ie a pro of system

that never causes the verier to accept on x L is in Random Polynomial Time It follows

that the error probability on no instances existing in all known zeroknowledge pro ofs is

inevitable and essential to the nontriviality of these pro of systems It is interesting to note

that Las Vegas interactive pro ofs can exist only for languages in NP see GMS It is easy to

see that the class of languages for which membership can b e proved by a deterministic prover

equals that for which membership can b e proved by a probabilistic prover We can consider

an optimal prover ie one which always maximizes the acceptance probability This prover

computes in each case the b est p ossible messages and can clearly b e deterministic Thus

randomness of the prover is not essential to the p ower of interactive pro of systems as far

as language recognition is concerned On the other hand in all pro of systems shown to

b e zeroknowledge the prover is pr obabil istic and this prop erty seems essential to the

zeroknowledgeness of these pro of systems We show that this is no coincidence only

languages in BPP can have auxiliaryinput zeroknowledge interactive pro ofs in which

the prover is deterministic and therefore randomness of the prover is essential to the non

triviality of the pro of system We thus demonstrate a meaningful dierence b etween general

interactive pro ofs and zeroknowledge interactive pro ofs Just as an error probability on

no instances and randomness b oth of the prover and the verier are essential to zero

knowledge pro of systems so is the nontriviality of the interaction It can b e easily shown

that only languages in BPP can have step interactive pro ofs which are zeroknowledge

We show that the same holds for step zeroknowledge pro of systems under the auxiliary

input denition Aiello and Hastad AH proved that relative to some oracle A

A A

S tepZ er o K now l edg e BPP Their pro of hold for the original GMR denition

actually for a stronger denition see AH The pro of presents a step proto col which is a

zeroknowledge interactive pro of system for some language L but such that L BPP

A A

Since the prover in the proto col is deterministic the result can also b e interpreted as

A A

D eter ministic P r ov er Z er o K now l edg e BPP Our pro ofs for the step and

deterministic prover cases b oth holding for auxiliaryinput zeroknowledge relativize and

we can therefore conclude that neither will extend to the GMR denition Note that

step proto cols and deterministicprover proto cols can b e zeroknowledge with resp ect

to the presp ecied verier V eg the step proto cols for Quadratic NonResiduosity

GMR and Graph NonIsomorphism GMW Therefore unlike Fortnow F and Aiello

and Hastad AH who actually rely only on the fact that the presp ecied verier V has

a simulator we must in this case make use of the f ul l p ower of the denition of zero

knowledge sp ecically the requirement that there exist simulators for al l veriers including

the cheaters Our results extend to zeroknowledge arguments introduced in BCC Zero

knowledge arguments dier from zeroknowledge interactive pro ofs which are the main topic

of our investigations in that the former have a relaxed soundness condition rather than

requiring that it is impossible to fo ol the verier into b elieving false statements it is only

required that cheating the verier is computationally infeasible

Remark We stress that if oneway functions exist then every language in IP

P S P AC E has a zeroknwoledge pro of system GMWIYS These pro of systems have all

the essential prop erties discussed ab ove Hence there seems to b e a big diernce b etween

pro of systems p ossesing these prop erties and those lacking them

Organization of the Paper Section contains some basic denitions and also an ex

tension of the notion of polynomial indistinguishability which is required for the denitions

presented in section In section we present our new denitions of zeroknowledge and

investigate their relative p ower We also prove the comp osition prop erty of auxiliaryinput

zeroknowledge in that section Section contains our triviality results

NOTATION AND BASIC DEFINITIONS Let S b e a set By e S we mean

that an element e is chosen at random from the set S with uniform probability distribution

When describing a proto col b etween two parties A and B we will write

action

to mean party A p erforms some internal action computation and

A B m

to mean that A sends message m to B We recall the denition of interactive proof systems

GMR An alternative denition due to Babai B was shown equivalent by Goldwasser

and Sipser GS An interactive pro of system for a language L is a proto col ie a pair

of lo cal programs for two probabilistic interactive machines called the pr ov er and the

v er if ier Initially b oth machines have access to a common input tap e The two machines

send messages to one another through two communication tap es Each machine only sees its

own tap es the common input tap e and the communication tap es The verier is b ounded

to a number of steps which is p olynomial in the length of the common input after which

it stops in an accept state or in a r ej ect state We imp ose no restrictions on the lo cal

computation conducted by the prover We require that whenever the verier is following

its predetermined program V the following two conditions hold

Completeness of the interactive proof system If the prover runs its predetermined

program P then for every constant c and large enough x L the verier accepts

the common input x with probability at least jxj In other words the prover

can convince the verier of x L

Soundness of the interactive proof system For every program P run by the prover

for every constant c and large enough x L the verier rejects x with probability

at least jxj In other words the prover cannot fo ol the verier

An interactive pro of system having P V as programs will b e denoted P V

Denition A t step interactive pro of system is one in which a total of t messages is sent

by the two parties Without loss of generality we assume that the last message sent during

an interactive pro of is sent by the prover A last message sent by the verier can have no

role in convincing the verier and therefore has absolutely no eect Thus the prover sends

the last and only message in a step interactive pro of while in a step proto col the verier

sends a message rst followed by a resp onse from the prover The notion of polynomial

indistinguishability of probability distributions is used in the denitions of zeroknowledge

discussed in the next section We extend the original GM Y denition for the case of

probability distributions indexed by two parameters which are treated dierently This

extension is required for the formal denition of auxiliaryinput zeroknowledge presented

in a later section In that case x will b e the common input to the proto col while y will b e

the auxiliary input to the verier

D xy

Denition p olynomial indistinguishability For every algorithm A let p denote the

probability that A outputs on input x y an element chosen according to the probability

distribution D x y Denote by D om the domain from which the pairs x y are chosen The

distribution ensembles fD x y g and fD x y g are polynomially indistin

xy D om xy D om

guishable if for every probabilistic algorithm A which runs time p olynomial in the length

of its input for every constant c there exists N such that for every x jxj N and for

every y such that x y D om

D xy D xy

p j jxj jp

A A

Note that we do not put any restrictions on the length of y and in particular we dont require

jy jN The original denition is obtained from the ab ove denition by omitting all mention

of y We will o ccasionally avoid sp ecifying the domain and write fD x y g instead of

fD x y g Two distribution ensembles fD x y g and fD x y g are

xy D om xy D om xy D om

NOT p olynomially indistinguishable if there exist a probabilistic p olynomial time algorithm

A a constant c and an innite sequence S eq of xs such that for every x S eq there

exist some y such that x y D om and

D xy D xy

p p jxj

A A

Denition Let c b e a constant and let D x y and D x y b e probability distributions

over strings of length n We say that an algorithm A cdistinguishes b etween D x y and

D x y if

D xy D xy

p p

A A

Remark Throughout this pap er we use the phrases with very high probability

with non negligible probability and so on to describ e the b ehavior of algorithms The

formal interpretation of the statement the algorithm b ehaves this way with very high prob

ability should b e taken to b e the probability that the algorithm b ehaves this way on input

n for any p ositive p olynomial Q and suciently large of length n is greater than

n Accordingly negligible probability is less than n for any p ositive p olynomial

Q and suciently large n and nonnegligible probability means greater than n for

some p olynomial Q and suciently large n For convenience we will say that a function

pn is cnonnegligible where c if pn for innitely many ns

A TAXONOMY OF ZEROKNOWLEDGE DEFINITIONS In this section

we present two alternative denitions of the notion of zeroknowledge and investigate the

relationship b etween them We start by dening history descriptions and recalling the

original zeroknowledge denition of GMR

Denition A history description of a conversation b etween a machine V and the prover

P consists of the contents of all of V s readonly tap es common input random input and

in the case of auxiliaryinput zeroknowledge also the auxiliary input and of the sequence

of messages sent by the prover during the interaction We use x r m x y r m to denote

history descriptions where x is the common input y the auxiliary input r the random

input to the verier and m the sequence of messages sent by the prover We denote by

P x V x P x V x y the probability distribution of history descriptions generated

by the interaction of V with P on x L

Denition GMR An interactive pro of system for a language L is zeroknowledge if

for all probabilistic p olynomialtime machines V there exists a probabilistic p olynomial

time algorithm M that on input x pro duces a probability distribution M x such that

V V

M x and Px V x are p olynomially indistinguishable

xL xL

Remark If we require that the ab ove two probability distributions b e equal we obtain

the denition referred to as perfect zeroknowledge If we require them to b e statisticly close

we obtain almostperfect zeroknowledge The denitions originate from GMR and were

named as ab ove in F

Remark In the denition ab ove we required M to simulate the histor y of V s

interaction with P An alternative denition is to require M to generate the output of

V when interacting with P Clearly the output of V is determined given the histor y

and therefore simulating the history is at least as hard as simulating the output The

converse may not b e true for a sp ecic verier in particular for V the honest verier

However since for every verier V there exists a verier V whose output is the histor y

of the interaction of V with P it follows that when quantifying over all veriers the two

formalizations are equivalent We will b e using the historybased notion of zeroknowledge

throughout this pap er

New Denitions The rst denition to b e considered is motivated by cryptographic

applications and will b e referred to as the Auxiliary Input ZeroKnowledge denition Let

us elab orate on this motivation Zeroknowledge interactive pro ofs are a p owerful to ol in

the design of cryptographic proto cols Typically they will b e used by a party to prove

that it is computing its messages according to the proto col It is crucial that these pro ofs

are carried out without yielding the provers secrets In such a scenario it seems natural to

assume that an adversarial party playing the role of the verier will try to gain knowledge

of interest to it In order to do so the adversary may deviate from the sp ecied program and

compute its messages in a manner suited to its goals Most probably it will want to base

the computation of its messages on previously acquired information p ossibly from earlier

stages of the proto col in which the zeroknowledge pro of is a subproto col Intuitively we

will require that the pro of system b e such that even having this additional information

cannot enable any V to extract from its conversations with P anything that it could not

compute by itself having that same information To allow this p ossibility the interactive

pro of and zeroknowledge denitions introduced in GMR should b e mo died so that the

verier can have an auxiliary input tap e through which the information that enables the

verier to compute the desired messages will b e entered

Denition Auxiliaryinput ZeroKnowledge An interactive pro of system for a language

L is auxiliaryinput zeroknowledge if for every probabilistic p olynomial time machine V

such that the distribution en there exists a probabilistic p olynomial time machine M

x y g are p olynomially indistinguishable sembles fP x V x y g and fM

xy D xy D V

1 1

where D fx y jx L y f g g Note that by saying that V is p olynomialtime

we mean that its running time is b ounded by a p olynomial in the length of the common

input Machine V has an additional input tap e containing the auxiliary input y During

an interaction of V on common input x machine V reads at most a pol y xlong prex

of its auxiliary input A similar convention holds for the simulator M ie its running

time is p olynomial in the length of its rst input and consequently it may only read a

prex of the second input The second denition we consider will b e referred to as Blackbox

Simulation ZeroKnowledge This denition requires the existence of a single p olynomial

time machine M which simulates the interaction of any p olynomial time machine V with

the prover P on any x L using V as a blackbox What do we mean by use V as a

blackbox A probabilistic algorithm in general can b e viewed either as an algorithm which

internally tosses coins or as a deter ministic algorithm that has two inputs a regular input

and a random input Two corresp onding interpretations of using a probabilistic algorithm

as a blackbox follow In the rst case it means choosing an input and running the algo

rithm while the algorithm internally ips its coins In the second case it means choosing

b oth inputs and running the algorithm the second input serves as the outcome of random

coin tosses Both these approaches extend naturally to probabilistic algorithms which also

interact with other machines as in our case We choose to adopt the second approach

that is when using V as a blackbox the simulator M will choose b oth inputs to V All

known zeroknowledge proto cols were proved zeroknowledge using this approach It is not

clear if they could also b e proved zeroknowledge when adopting the rst approach

x the running Denition Blackbox Simulation ZeroKnowledge Denote by T ime

time of machine V when interacting with P on input x An interactive pro of system for a

language L is blackbox simulation zeroknowledge if there exists a probabilistic p olynomial

time machine M such that for every p olynomial Q the distribution ensembles fP x V xg

u xV D

xg are p olynomially indistinguishable even when the distinguishers are and fM

x V D

u 2

x Qxg allowed blackbox access to V where D fx V jx L and T ime

All known zeroknowledge proto cols are in fact blackboxsimulation zeroknowledge It

seems likely that in order to prove an interactive pro of system zeroknowledge with resp ect

to any verier V one would have to present such a universal simulator Thus this

denition is reasonable and not to o restrictive

Remark In remark of this section we claimed that the historybased and the

outputbased versions of the GMR zeroknowledge denitions are equivalent This

claim was established by p ointing out that the distinguisher given a history description

can generate V s output by using a builtin version of V The same reasoning holds for

the auxiliaryinput denition However the distinguishers in the case of blackboxsimulation

cannot have a builtin version of what may b e an innite number of V s Therefore one

must allow the distinguishers running on a history description of an interaction by some

machine V blackbox access to V This will clearly allow the distinguisher to reconstruct

V s output given the history of the interaction

Remark We stress that saying that P V is an auxiliary input zeroknowledge pro of

system do es not mean that the honest verier V may use auxiliary input as a legitimate

stage in its op eration it may not Rather we mean that the prover do es not reveal

knowledge even to cheating veriers which do use an auxiliary input

Relationship Between the Denitions Let C l def denote the class of all interactive

pro of systems satisfying the requirements of denition def The following relationships seem

rather obvious

Theorem

C l auxil iar y input C l GMR

C l bl ack box simul ation C l GMR

Pro of In b oth case and case the GMR denition is less restrictive than the other

denitions in terms of its requirements from the simulation In case the simulation is

required by the GMR denition to b e valid only when the auxiliaryinput is empty In

case the blackbox denition requires that all veriers b e simulated by one machine M

whereas the GMR denition allows each such verier to have its own sp ecially tailored

simulator 2

Next we establish the relationship b etween the two new denitions

Theorem C l bl ack box simul ation C l auxil iar y input

Pro of Let P V b e an interactive pro of system and assume P V C l bl ack boxsimul ation

That is there exists a p olynomial machine M such that for every x L and V machine M

u u

simulates the interaction of V with P on input x We show P V C l auxil ar y input

for every probabilistic p olynomial by demonstrating how to construct a simulator M

time V having auxiliary input For every V we construct M as follows Let Q b e a

x Qx The simulator M will b e a multipletape p olynomial such that xT ime

Turing machine It will have the co de of V builtin M will also have access to M the

V u

universal simulator guaranteed by the blackbox denition Given x and auxiliaryinput y

machine M incorp orates a prex of y of length Qx into the co de of V forming a

machine V On input x machine V b ehaves as follows it copies y to its input tap e and

y y

runs V x y Also up on receiving a message SEND AUXILIARY INPUT V sends a

message containing y this feature is not required by the simulation but will later b e used

by the distinguishers Having constructed V machine M now simulates the computa

It then outputs the output of M Observe tion of M while having the blackbox V

u u

must b e of the that the output of M will b e of the form x r m while the output of M

u V

form x y r m Therefore M adds y to the output of M

V u

Claim M x y runs time p olynomial in jxj as required by the denition of

auxiliaryinput zeroknowledge

Proof The time required to simulate one step of V x y is O jV j jy j The value of

jV j is constant as far as M is concerned and therefore one step requires O jy j Since y

was truncated to length Qjxj it follows that jy j O Qjxj We know that V x which

is essentially the same as V x y runs at most Qjxj steps All in all simulating the

computation of V x can b e achieved in time b ounded by some p olynomial Q jxj M

V V

simulates the computation of M having a blackbox V The number of steps required by

M is guaranteed to b e p olynomial in jxj when counting the activations of the blackbox V

is b ounded at unit cost Let Q jxj b e the running time of M The running time of M

M u V

by Q jxj Q jxj and is clearly p olynomial in jxj 2

M V

Claim The distribution ensemble fP x V x y g is p olynomially indistin

xy D

guishable from fM x y g where D fx y jx Lg

V xy D

Proof Assume there exist a constant c an algorithm A and an innite sequence S of pairs

x y D such that

xy M P xV xy

p x y S p

A A

jxj

We show that in such a case there exist a p olynomial Q an algorithm A and an innite

sequence S of pairs x V such that

V P xV x

x M

y y

S fx V j x L T ime x Qjxjg and x V S p p

y y

A P A

jxj

j x y contrary to the assumption that M is a valid blackbox simulator Let S fx V

is as describ ed ab ove Clearly S g where V

x V S T ime x Qjxj

We construct A the blackboxsimulation distinguisher as follows On input x r m and

a blackbox V recall that blackbox distinguishers have blackbox access to the veriers

to obtain y It then runs A rst sends a message SEND AUXILIARY INPUT to V

Ax y r m and outputs the outcome of this computation It is easy to see that A will

for which A distinguishes the corresp onding pair x y The distinguish for any pair x V

claim follows 2 This completes the pro of of Theorem 2

This is the most imp ortant result of this section due to its eect all known zero

knowledge proto cols having b een proved zeroknowledge under the blackbox simulation

denition are shown to b e auxiliaryinput zeroknowledge and as such can b e used for all

cryptographic applications such as GMW

Remark The relationships derived in the ab ove theorems hold also for perfect zero

know ledge and almostperfect zeroknowledge

Remark It follows from GK Thm that C l auxil iar y input C l GMR

We dont know whether C l auxil iar y input equals C l bl ack box simul ation The

following states clearly what is known

C l bl ack box simul ation C l auxil iar y input C l GMR

Pro of of the Sequential Comp osition Theorem for AuxiliaryInput Zero

Knowledge We rst dene the notion of a sequential comp osition of interactive pro of

systems

Denition Let P V P V b e interactive pro of systems for languages L L

k k

L resp ectively A seq uential composition of the k proto cols denoted P V is dened as

follows The common input to P V x will b e a string of the form x x x where

is a delimiter The execution of P V consists at stage i of P and V activating P and

V resp ectively as subroutines on x V accepts if all V s have accepted

i i i

In a similar manner we can dene concurrent comp ositions

Denition Let P V P V b e interactive pro of systems for languages L L L

k k k

resp ectively Without loss of generality assume that all proto cols are mstep proto cols A

concur r ent composition of the k proto cols P V is dened as follows P V will also b e an

mstep proto col The common input to P V x will b e a string of the form x x x

where is a delimiter The ith message in P V will consist of the ith message of P V

P V V accepts if all V s have accepted

k k

Remark Clearly the case in which a single proto col P V is iterated k times p ossi

bly on the same input x is merely a restricted version of the ab ove denitions in which

iP V P V and ix x It is easy to see that b oth comp ositions sequential and con

i i i

current constitute interactive pro ofs for L We now prove that a seq uential comp osition of

auxiliaryinput zeroknowledge proto cols yields a auxiliaryinput zeroknowledge proto col

Recently it was shown in GK that the same is not true for concurrent comp ositions

Remark In the following pro ofs k the number of proto cols is assumed to b e constant

We will later demonstrate how a slightly altered version of the pro of can b e applied in the

meaningful cases for which k is not a constant

Theorem Sequential Comp osition Theorem Let P V P V P V b e auxiliaryinput zeroknowledge pro of systems for

k k

languages L L L resp ectively Let L fx x x jix L g

i i

k k

Dene P V to b e the comp osition of P V P V P V Then P V is an

k k

auxiliaryinput zeroknowledge pro of system for L

Pro of It is easy to see that P V is an interactive pro of system for L We therefore

concentrate on showing that P V is auxiliaryinput zeroknowledge Recall that we are

using the historybased notion of zeroknowledge A history description in the case of

auxiliaryinput is of the form x y r m where y is the veriers auxiliary input r is the

veriers random string and m is the sequence of prover messages

The ob jective of the indented smallprint paragraphs throughout the pro of is to provide

insight and intuition to the otherwise rather formal pro of

In order to prove that P V is auxiliaryinput zeroknowledge we must show how to construct

a simulator M for each p olynomialtime probabilistic V We will assume without loss of

generality that V initially copies the contents of all its input tap es common input random

input auxiliary input to its work tap e and never attempts to access these tap es again

V s interaction with P can b e conceptually divided into V s interaction with P V s

interaction with P and so on Since the k individual proto cols are auxiliaryinput zero

which simulate the interaction M M knowledge there must exist machines M

V V V

of V with P P P resp ectively Basicly M will activate these simulators in

sequence However in order for the overall simulation to b e valid the initial state of V

This should b e its nal state in the simulation by M when b eing simulated by M

can b e achieved by giving V as its auxiliary input to the i th stage information

which will enable it to reconstruct the nal state of the ith stage Obviously we cannot

guarantee that any V will in fact b ehave as describ ed ab ove ie reconstruct its state

when having past history as its auxiliary input Therefore and instead of making any

technical assumptions on V we consider for every V a mo died verier V which will

exhibit the required b ehavior

As a rst step we will consider a verier V that has a builtin version of V and the following

additional prop erty On auxiliary input h where h x y r m is a history description of

V s interaction with the prover V brings its builtin version of V to the conguration

state worktape contents and head p osition corresp onding to this description and pro

ceeds from that p oint In particular if m the empty string and y is not itself a history

description then V only copies x y r to the work tap e of its builtin version of V and

then b ehaves like V Machine V actually always ignores its real random string In all

other senses V is exactly like V In particular for every x y the probability distribution

of prover messages sequences generated by running P x V x y is exactly that generated

by randomly choosing a string r and running P x V x x y r

Construction of the simulator for V Since the individual proto cols are assumed to b e

auxiliaryinput zeroknowledge there exists machines M M M which simulate

V V V

the history of V s interaction with P P P resp ectively The output pro duced by

M on input pair x h will b e of the form x h r m where r is V s random string which

is actually ignored in this simulation and m is the sequence of messages sent on b ehalf of

the prover Let s s denote the concatenation of strings s and s We now describ e M

On input x x x x and y machine M runs

choose random string r

h x y r

h M x h

k k k

m m m m

OUTPUT x y r m

is indeed a go o d simulator The m s are obtained from the h s We will now show that M

i i V

for P V

Lemma The distribution ensembles fM x y g where M is as describ ed ab ove

V xy V

and fP x V x y g are p olynomially indistinguishable

Proof Supp ose they are not That is there exists a constant c and a test A that for innitely

many pairs x y will cdistinguish b etween M x y and P x V x y

We will show that in such a case there exists another constant c and another test A that

for some i and for innitely many pairs x y cdistinguishes b etween M x y and

i i i i

P x V x y contrary to the assumption that M correctly simulates the history

i i i i

of V s interaction with P

We consider the following hybrids of the probability distributions M x y and P x V x y

The ith hybrid denoted H x y is dened by the following pro cess

choose a random string r

h x y r

h P x V x h

i i i i i

x h h M

i i i

h M x h

k k k

m m m m

OUTPUT x y r m

As b efore each h is of the form x h r m The extreme hybrids H and H corresp ond

i i i i k

to M x y and P x V x y resp ectively Clearly if we can cdistinguish b etween the

extreme hybrids then there must exist a constant c and two adjacent hybrids which can

b e cdistinguished say H and H It is not hard to see that for suciently large n c

i i

is approximately equal to c Let pr ef x y b e the probability distribution dened by the

pro cess

choose a random string r

h x y r

h P x V x h

i i i i i

OUTPUT h

Let h b e a string which may o ccur with nonzero probability in either of the distributions

M x h and P x V x h where h is a string assigned nonzero probability

i i i i i i i

by pr ef x y Any such string h will contain m m m and x y and r For strings h

i i

of this type we dene suf f h to b e the probability distribution generated by running

h M x h

i i

x h h M

i i i

h M x h

k k k

m m m m

OUTPUT x y r m

The distribution pr ef x y is actually a distribution on all the p ossible auxiliary inputs

to the ith stage given that the initial input is x and the initial auxiliary input is the

string y The distribution suf f can b e regarded as an op erator which on input a stage

i history applies the remaining k i simulation stages If the input to suf f comes

from M x h then the eect of suf f will corresp ond to a string coming from

i i i

H x y If the input comes from P x V x h then the eect of suf f will

i i i i i i

corresp ond to a string coming from H x y Our aim is to show that if x y are such

that A cdistinguishes b etween H x y and H x y then there exists some i and some

i i

h such that the A we construct will cdistinguish b etween b etween M x h and

P x V x h A will actually activate the suf f op erator on its input text h to

i i i i

obtain a text in a format suitable for A and then let A do the distinguishing

We use the following notational shorthands

PR h P r obfpr ef x y hg

i i

suf f M h suf f M x h

i i i

suf f P h suf f P x V x h

i i i i i

Recall that p denotes the probability that algorithm A outputs on input of an element A

chosen according to the probability distribution D The following relationship holds

suf f M h H xy

PR h p p

A A

H xy

is written ab ove as a weighted average over all the p ossible hs The probability p

of the probability that A outputs on input an element chosen according to suf f M h

The weight is assigned by the probability of h to b e an i stage history

Similarly

suf f P h

H xy

p PR h p

A A

H xy H xy

i i1

dier cnonnegligibly Since b oth are and p It was assumed that the values p

A A

weighted averages over the same probability space there must b e some element h for

suf f P h suf f M h

i i

and p which there will b e a cnonnegligible dierence b etween p

A A

H xy

Since p p there exists some h for which

A A

jxj

suf f M h suf f P h

i i

p p

A A

jxj

We conclude that for every x y for which H x y and H x y can b e cdistinguished

there exists x y such that P x V x y and M x y can b e cdistinguished

i i i i i i i i

The auxiliary input y will b e the string h corresp onding to x and y On input a text

i i

T x y r m chosen either according to P x V x y or to M x y the test A

i i i i i i i i i i

extracts m m m x y and r which are contained in T since they were contains

in y h and m from T It then runs

i i

x T h M

i i

x h h M

i i i

h M x h

k k k

m m m m

OUTPUT x y r m

to obtain a text T x y r m The test A then runs A on T and outputs the output of

A By our construction it is clear that A z will cdistinguish b etween P x V x y

i i i i

i i

and M x y This contradicts the fact the M is a go o d simulator for P V 2 We

i i i

V V

conclude that fM x y g is p olynomially indistinguishable from fP x V x y g and

V xy xy

the theorem follows 2

Remark The assumption that k the number of proto cols is constant was required in

order to argue that if H and H can b e distinguished for innitely many pairs x y then

there exists some i such that H and H can also b e distinguished innitely many times

i i

thus contradicting the assumption that M is a go o d simulator Observe however that in

the case where a single proto col P V is iterated it is no longer essential to assume that k

is a constant Clearly we could no longer claim that for some i the distributions H and

H can b e distinguished innitely many times However distinguishing any two adjacent

hybrids H and H means in every case distinguishing M from P V contrary to the

i i

assumption that M is a go o d simulator for P V Therefore the Sequential Comp osition

Theorem holds also in this case More generally the Sequential Comp osition Theorem holds

for nonconstant k whenever in each of the k stages one of a nite set of proto col is run

Remark An analogous Sequential Comp osition Theorem can b e proved for the blackbox

simulation zeroknowledge denition

ESSENTIAL PROPERTIES OF ZEROKNOWLEDGE PROOFS In this section

we show that certain prop erties are essential to zeroknowledge pro of systems We do so

by demonstrating the triviality of zeroknowledge pro of systems lacking these prop erties

By a cl ass of interactive pro of systems we mean for example all pro of systems in which

the verier is deterministic all pro of systems in which only one message is sent and so on

Let us rst discuss the meaning of triviality in this context The complexity class BPP

encompasses our notion of ecient computation Recall that a language L is in BPP if

there exists a probabilistic p olynomial time machine M such that for every constant c and

large enough x

if x L P r ob M x AC C jxj Completeness condition

if x L P r ob M x REJ jxj Soundness condition

Since V can recognize by itself any language in BPP it follows that any language in BPP

has a trivial zeroknowledge pro of system one in which the verier checks by itself if x L

or not Accordingly we consider any class of zeroknowledge interactive pro ofs trivial if

pro of systems of this class can b e zeroknowledge only for languages in BPP

General Framework of Triviality Pro ofs Basicly our pro of metho d will b e the fol

lowing to prove the triviality of some class C we will assume that some language L has a

zeroknowledge pro of system of class C By the denition of zeroknowledge there exists a

simulator M which generates history descriptions of the interaction of V with the prover P

in some cases we will consider the simulator with resp ect to some cheating verier V that

is M We will build a BPP machine for L that uses M M Let H x r m b e a

V V V

history description H x y r m in the case of auxiliaryinput where x is the common

input y is the auxiliary input r is the random input and m is the sequence of messages

sent in the proto col The string m is of the form where the s are the prover

messages and the s are the verier messages m will b e of the form if in

the proto col V sp eaks rst We will denote by V x r the deterministic

p olynomialtime computation that a verier V uses to determine in the case of auxiliary

input V x y r Similarly P x will denote the probabilistic

i i i

computation used by P to determine The computation used by the honest verier V

to determine whether to accept or to reject will b e denoted x r

Denition A history description or conversation H x r m H x y r m in the

case of auxiliaryinput is legal with respect to a verier V if the messages contained in m

satisfy the following requirement

i i k V x r

i i

In the case of auxiliaryinput V x y r For convenience we will simply

i i

say H is legal when the identity of V is clear from the context H is accepting if it is

legal with resp ect to V and if

x r AC C

Accepting conversations are only dened with resp ect to V Recall that the texts pro duced

by M on input x L must b e p olynomially indistinguishable from the texts of real

interaction b etween V and P Therefore and since a real conversation b etween P and V

on x L will b e with very high probability legal and accepting it follows that M must

also pro duce legal and accepting conversations with very high probability for x L and do

so within p olynomial time Otherwise a distinguisher which simply outputs if the given

conversation is accepting will clearly distinguish b etween real interactions and simulation

texts The denitions of zeroknowledge require nothing of M in the case x L The

result of running M on x L may b e one of the following

M may run for to o long

M may pro duce a nonaccepting though p erhaps legal conversation

M may pro duce an accepting conversation

The third case is indeed p ossible in all proto cols demonstrated to b e zeroknowledge eg

GMR GMW the simulator presented in the pro of generates accepting conversations

regardless of whether x is in the language or not In fact if this case were not p ossible then

for any language which has a zeroknowledge pro of system we could easily build a BPP ma

chine the machine would run M on x and accept if and only if M pro duces an accepting

V V

conversation We conclude that a BPP machine which runs M can safely reject if either V

case or case o ccurs b ecause they are guaranteed to o ccur with negligible probability

for x L The hard case to handle is the third case In the pro ofs throughout this section

we will for each instance use the sp ecial structure of the sp ecic class of interactive pro ofs

in the pro ofs that follow under consideration to handle this case While using M M

V V

we will usually claim that some prop erty existing in the texts of real interaction on x L

must also exist with very high probability in the texts pro duced by the simulator on input

x L For example a prop erty such as the text constitutes an accepting conversation

If the proto col is p erfect or almostp erfect zeroknowledge this claim follows immediately

However if the two probability distributions are only p olynomiallyindistinguishable fol

lowing AH we will refer to this case as computational zeroknowledge the pro of may

b ecome more involved In each case we will rst present a pro of for p erfect zeroknowledge

and then adapt it to computational zeroknowledge Each formal pro of will b e preceded by

an intuitive discussion of the main ideas underlying it

Remark In the pro ofs that follow the BPP machines built are actually shown to

satisfy the requirements of BPP for all but perhaps a nite set of xs Clearly any such

machine can b e transformed into a true BPP machine

ZeroKnowledge Pro ofs Which Never Err and ZeroKnowledge Pro ofs with

Deterministic Veriers M Blum prop osed the concept of Las Vegas interactive pro ofs

Informally these are interactive pro of systems that never err that is never cause V to accept

when x L In GMS these proto cols are referred to as interactive pro ofs with perfect

soundness In this section we show that no proto col of this type can b e zeroknowledge

even with resp ect to the GMR denition A formal denition of LasVegas Interactive

Pro ofs can b e obtained from the denition of general interactive pro ofs simply by replacing

the soundness condition with whenever x L and for every program P run by the

prover either V rejects or the proto col do es not terminate

Theorem Let L b e a language for which there exists a zeroknowledge Las Vegas interactive

pro of system Then L RP

Pro of The idea is to show that in this case accepting conversations simply do not exist for

x L while as always for x L the simulator M will pro duce accepting conversations

with very high probability Let us rst recall the denition of Random Polynomial Time A

language L is in RP if there exists a probabilistic p olynomial time algorithm M such that

on input x L machine M accepts with probability completeness

on input x L machine M always rejects soundness

Construction of the RP machine

Since L has a Las Vegas zeroknowledge proof system there exists a probabilistic polynomial

time machine M that simulates the membership proofs of P and V Let Qjxj denote an

upper bound for the running time of M on input x L where Q is some polynomial

The Random Polynomial Time machine we build M wil l use M On input x machine

M runs M on x maintaining a step count If M runs more than Qjxj steps or does

V V

not produce an accepting conversation M rejects Otherwise if the conversation produced

by M is accepting M accepts

Soundness of M

Claim On input x L machine M cannot p ossibly generate an accepting conversation

Proof Assume it could that is there exists a random string r and a set of prover messages

such that V running with random string r and receiving the appropriate messages accepts

on x Then the conversation could o ccur in a real interaction with nonzero probability

violating the conditions of Las Vegas proto cols 2 Note that this claim follows only from

the fact that accepting conversations cannot exist for x L and not from the fact that the

conversation was generated by M Therefore it is valid regardless of the quality of the

texts pro duced by M It is clear that M will never accept on x L and therefore the

soundness condition is established

Completeness of M The completeness prop erty of interactive pro ofs requires that conver

sations on x L b e accepting with very high probability The same is clearly true of the

conversations pro duced by M in the case of p erfect zeroknowledge Adapting the argu

ment to computational zeroknowledge is simple in this case note that the predicate

used by V to decide whether to accept or reject must b e computable in p olynomial time

Consequently if M do es not pro duce accepting conversations on x L with very high

probability then will distinguish the texts of the simulator from those of real interaction

We conclude that the error probability on x L instances existing in all known zero

knowledge pro ofs is inevitable and essential to the nontriviality of these pro of systems

Another essential prop erty of nontrivial zeroknowledge pro ofs is the randomness of the

verier We prove this by demonstrating that any language which has a zeroknowledge

interactive pro of in which the verier is deterministic has a zeroknowledge Las Vegas

interactive pro of

Lemma Let P V b e a zeroknowledge interactive pro of system for a language L in

which the verier is deterministic Then L has a zeroknowledge Las Vegas interactive

pro of

Proof We will show that if P V is not itself Las Vegas then either it can b e slightly mo died

to b ecome Las Vegas or it cannot constitute an interactive pro of system for L Supp ose

the proto col is not Las Vegas Then there exists a prover P and a set of x L such that

V when interacting with P on such an x accepts with nonzero probability If this set

is nite then the proto col can b e mo died in the following way to b ecome Las Vegas on

input x the verier rst checks if x b elongs to the problematic set and if it do es V

rejects immediately Otherwise the original proto col is carried out Clearly the mo died

proto col is Las Vegas If the original proto col was zeroknowledge so will b e the mo died

proto col since with resp ect to x L b oth proto cols are the same recall that the denitions

of zeroknowledge require nothing if x L We will now show that the problematic set

must b e nite assume it is not and there exists an innite sequence S eq of x L such

that V when interacting with P on x S eq accepts with nonzero probability Since V is

deterministic it follows that for every x S eq there exists a sequence of prover messages

that cause V to accept that is V will accept with probability when receiving this sequence

of messages Clearly there exists some P that for every x S eq can nd this sequence

and always cause V to accept One such P is a machine that given x simply tries out every

p ossible set of messages to see on which of them if any V accepts P can check this easily as

the computation of V is completely determined by x and by the prover messages and do es

not dep end on some hidden random string Therefore the proto col cannot b e an interactive

pro of system for L 2 The following theorem is an immediate corollary of Theorem and

Lemma

Theorem Let L b e any language and assume that L has a zeroknowledge interactive pro of in

which the verier is deterministic Then L RP

OneStep ZeroKnowledge Pro ofs Onestep interactive pro of systems do exist and

contain NP pro of systems as a sp ecial case However NP like pro of systems give out a

large amount of knowledge much of which is not essential for the pro of It was p ointed out in

GMW that a onestep proto col cannot b e zero knowledge if it constitutes an interactive

pro of system for a language not in BPP Here we present a formal pro of of this statement

The pro of holds even under the original GMR denition of zeroknowledge

Theorem Let L b e a language for which there exists a onestep zeroknowledge interactive pro of

system Then L BPP

Pro of As b efore we will b e using M the simulator for the honest verier V The idea

is to simulate the pro cess of the interactive pro of by ensuring that the message generated

by the simulator on b ehalf of the prover is not based on prior knowledge of the veriers

random string V s decision on whether to accept or reject is obtained by evaluating a

deterministic p olynomial time predicate x r where x is the common input to P V

is the provers message to V and r is V s random string If x L then there exists some

such that for most r s the predicate must evaluate to AC C In cases where x L for

every there may b e a only few random strings r that cause to evaluate to AC C but the

simulator may b e such that on x L it always generates conversations in which evaluates

to AC C using these few existing strings Recall that the denition of zeroknowledge

requires nothing of the simulator in case x L and therefore this kind of b ehavior is

p ossible For that purp ose we substitute the random string r pro duced by the simulator

with a truly randomly chosen r In this way we simulate not the text but the process of

the interactive pro of retaining its desired soundness prop erty

Construction of the BPP machine

Following is a description of M the BPP machine for L

On input x machine M runs M on x maintaining a step count If M runs to o long

V V

or do es not pro duce an accepting conversation M rejects Otherwise if x r is an

accepting conversation where r is V s random string and is the provers message M

discards r chooses a new random string r and outputs x r

Soundness of M We claim that if x L and r is randomly chosen then x r will

almost certainly evaluate to REJ regardless of the value of Otherwise if it evaluates to

AC C with nonnegligible probability for an innite number of x L then the soundness

condition of interactive pro ofs is violated

Completeness of M In the case of p erfect zeroknowledge the completeness of M follows

directly from the completeness condition of interactive pro ofs If x L then the prover is

guaranteed to pro duce with high probability an that will cause V to accept for nearly

all random strings r The s pro duced by the simulator will have the same prop erty The

following lemma will adapt the pro of to computational zeroknowledge

Let l n b e the length of the random string used by V when interacting on input of length

Lemma Let fP x V xg and fM xg b e p olynomially indistinguishable and let

x V x

x b e the string output by M as the prover message when running on input x Then

for all but p erhaps a nite set of x L with very high probability x r AC C when

l jxj

x L if r f g

Proof In a manner similar to the pro of of Theorem we will use to distinguish the text of

simulation from those of real interaction More formally Assume there exists a constant c

and an innite sequence S eq of x L for which the pro duced by running M x causes

l jxj

x r to evaluate to REJ with cnonnegligible probability where r f g

Consider the following distinguisher A on input H x r the algorithm chooses r

l jxj

f g and computes x r It then outputs if the result is AC C and otherwise

If H is a description of a real conversation then it follows from the completeness prop erty

of interactive pro ofs that A will output with very high probability We assumed that if H

is a simulation text then A will output with cnonnegligible probability Therefore A will

cdistinguish b etween fP x V xg and fM xg and the two distribution ensembles

x V x

cannot b e p olynomially indistinguishable 2 The Theorem follows 2

TwoStep AuxiliaryInput ZeroKnowledge Pro ofs

We pro ceed to show that no twostep proto col can b e auxiliaryinput zeroknowledge in

a nontrivial manner Note that while onestep proto cols cannot b e nontrivially zero

knowledge even with resp ect to the presp ecied verier V twostep proto cols may b e zero

knowledge in a nontrivial manner with resp ect to the presp ecied verier In fact such

proto cols ie which are zeroknowledge with resp ect to V are known for languages b elieved

not to b e in BPP eg Quadratic NonResiduosity GMR and Graph NonIsomorphism

GMW Consequently in order to prove our result we will have to make use of the full

p ower of the denition of zeroknowledge sp ecically the requirement that for al l V s there

exists a simulator M To prove an adapting lemma for this case we will need to assume

a stronger denition of p olynomialindistinguishability one in which the distinguishers are

nonuniform p olynomial time machines Let us present this denition

Denition nonuniform p olynomial indistinguishability For every algorithm A which has

D xy

an auxiliary input tap e let p denote the probability that A outputs on input an

element chosen according to the probability distribution D x y while having the string z as

its auxiliary input Denote by D om the domain from which the pairs x y are chosen The

distribution ensembles fD x y g and fD x y g are nonuniformly polyno

xy D om xy D om

mial ly indistinguishable if for every probabilistic algorithm with auxiliaryinput A which

runs in time p olynomial in the length of its input and for every constant c there exists

N such that for every x jxj N for every y such that x y D om and every z

D xy D xy

j jxj p jp

Az Az

We will refer to the denition of computational auxiliaryinput zeroknowledge obtained when

using the ab ove denition of p olynomialindistinguishability as nonuniform computational

auxiliaryinput zeroknowledge

Remark If we apply this denition of p olynomial indistinguishability to blackbox

simulation zeroknowledge the relationship demonstrated in section still holds Also

the pro of of the Comp osition Theorem for the auxiliaryinput denition presented in sec

tion can b e carried out almost unaltered when using the ab ove denition of p olynomial indistinguishability

We b egin by an informal discussion Twostep proto cols can in general b e viewed as ones

in which the verier generates questions which the prover can answer with nonnegligible

probability if and only if x L When V follows the proto col it knows the answer to

its questions and will therefore gain no knowledge from the answers but this is no longer

guaranteed for arbitrary V s The pro of presented in this subsection makes use of this

observation to demonstrate the triviality of step auxiliaryinput proto cols It seems that

the same reasoning should apply to the original GMR denition However in view of the

result of AH discussed in the introduction relativized step GMR zeroknowledge is

not contained in relativized BPP it is clear that the argument presented in this subsection

will not extend to the GMR denition as it relativizes In spite of that it can b e shown

O that the step proto cols mentioned ab ove for Quadratic NonResiduosity and Graph

NonIsomorphism cannot b e GMRzeroknowledge unless these languages are in BPP

Both known twostep proto cols mentioned ab ove were mo died by letting the verier rst

prove to the prover that it knows the answers to its queries resulting in proto cols

with more rounds which are zeroknowledge with resp ect to any verierGMR GMW

Returning to auxiliaryinput zeroknowledge we intend to prove

Theorem Let L b e a language for which there exists a twostep p erfect or nonuniformly com

putational auxiliary input zeroknowledge pro of system Then L BPP

Pro of Let P V b e the step pro of system for L Without loss of generality we can

describ e P V in the following way

computes Vxr

where r is V s random string

V P

computes Px

P V

computes x r fAC C R E J g and stops

The construction of the BPP machine in this case will run along the same general lines as

in the onestep case ie M will simulate the process of the interactive pro of rather than

merely its text In a real interaction P must answer the question without having access

to the random string r used to compute The provers ability to provide under these

conditions an answer for which x r AC C is considered sucient evidence that

x L The completeness prop erty of interactive pro ofs guarantees that the prover will

b e able to come up with such an for almost any V x r if x L The soundness

condition of interactive pro ofs ensures that no prover could generate from V x r an

such that x r AC C for any but a negligible fraction of the r s Note that the prover

is exp ected to generate such an given only V x r wheras this is tested againts

r itself As in our pro of we intend to substitute the simulator for the prover as a means

of generating it is essential that the random string r remain hidden from the simulator

Otherwise we could not rely on the soundness of the underlying interactive pro of Asking

the simulator to answer our question without giving away out secret r is achieved

using the auxiliary input to the verier

Construction of the BPP machine Consider a verier V that given a string

as its auxiliary input sets and sends to P instead of choosing a random r

and computing Vxr Provided that the length of is p olynomial in the length

of x a verier V as describ ed ab ove is clearly a p olynomial time machine for which a

simulator M is guaranteed Machine M given as input x L and any auxiliary input

V V

simulates the interaction b etween P and V Using M we now build M the BPP

machine for L The idea is to generate a message which is based on a truly random string

r and then to use M to obtain the prover message corresp onding to this without

access to r The machine M will op erate as follows giving M

On input x machine M p erforms the following actions

Cho ose a random string r and compute Vxr

pro duces a legal conversation x r r is the x If M Run M

V V

random string generated by the simulator to emulate V s random input in a real

interaction discard r and goto Otherwise reject

Output x r

Soundness of M Note that as far as V or its simulated version is concerned we are

exactly imitating the pro cess of the interactive pro of a random string r is chosen and

a message V x r computed This message is sent to some other machine which

returns a message Then x r is used to determine whether to accept or reject

All we have done is substitute the simulator for the prover as a means of generating the

message Therefore the soundness of M follows directly from the soundness condition of

Interactive Pro ofs if x L and M could generate an for which x r AC C with

nonnegligible probability then a prover P using M could do the same violating the

soundness of the underlying interactive pro of It is clear therefore that M will reject any

x L with very high probability

Completeness of M If x L then P when interacting with the presp ecied V is

guaranteed to b e able to generate an answer such that x r AC C for almost

any random string r Supp ose now that P interacts with V and that V has as auxiliary

input a string such that V x r for some randomly chosen r Since r is randomly

chosen and is computed according to the proto col a prover P has no way of knowing

that it is interacting with a machine other than V and will therefore b ehave exactly as

when interacting with V that is will attempt to generate an such that x r AC C

The simulator in the case of p erfect auxiliaryinput zeroknowledge generates the same

distribution as P and will therefore also generate a suitable The completeness condition

of interactive pro ofs can therefore b e used here to establish the completeness of M The

following adapting lemma will show that this is true even for nonuniform computational

zeroknowledge Let l n b e the length of the random string used by V when interacting

on input of length n

Lemma If fP x V x y g and fM x y g are nonuniformly p olynomially

xy V xy

indistinguishable then for all but p erhaps a nite set of x L if V x r for r

l jxj

f g and is obtained from the output of M x then with very high probability

x r AC C

Proof A history description H originating either from fP x V x y g or from fM x y g

xy V xy

will b e of the form H x r where is the auxiliary input to V used as

the veriers rst message and r is V s random string Observe that r almost certainly

is not the random string r used to compute and is actually ignored by V As stated

earlier the generated by the prover is guaranteed by the completeness condition of In

teractive Pro ofs to have the following prop erty will cause x r to evaluate to AC C

with very high probability provided that r is the random string used to generate the

If this prop erty do es not hold for the s obtained from the output of M x then a

distinguisher testing for this prop erty should b e able to distinguish fP x V x y g from

x y g However given only H the distinguisher has no idea which random string fM

xy V

r was used to create and therefore has no way to p erform the required test We will use

the auxiliary input to the distinguisher z as a means to supply the distinguisher with the

true random string corresp onding to the conversation on its main input Assume there

exists a constant c and an innite sequence S eq of x L for which the pro duced by run

l jxj

ning M x where V x r and r f g causes x r to evaluate to

V R

REJ with cnonnegligible probability Denote by p x r the probability that x r

acc

evaluates to AC C where V x r and is obtained by running M x Similarly

p x r will denote the probability that x r evaluates to AC C where V x r

acc

and is obtained by running P x V x Let p x b e dened by

acc

M M

p x r p x

acc acc

l jxj

x by and p

acc

P P

p x p x r

acc acc

l jxj

By our assumption there exists some c such that for every x S eq

P M

p x p x

acc acc

jxj

It follows that for every x S eq there exists some r such that

P M

p x r p x r

acc acc

jxj

Consider the following distinguisher A on input a conversation x r and aux

iliary input r A computes x r and outputs if the computation results in AC C

Clearly for every x S eq there exists some r and V x r such that A running

with auxiliary input r will cdistinguish b etween M x and P x V x We

conclude that fM x y g and fP x V x y g are not nonuniformly p olynomially

V xy xy

indistinguishable 2

The Theorem follows 2

AuxiliaryInput ZeroKnowledge Pro of Systems With Deterministic Provers

In this subsection we show that any language which has an auxiliaryinput zeroknowledge

pro of system in which the prover is deterministic b elongs to BPP The pro of generalizes

the pro of metho d but not the results of the onestep and twostep cases As in those cases

we intend to simulate the pro cess of the interactive pro of Our pro of relativizes and thus

in view of AH will not extend to GMR zeroknowledge

Theorem Let L b e any language If L has an auxiliaryinput zeroknowledge pro of system in

which the prover is deterministic then L BPP

Pro of If P is deterministic then the following holds the entire conversation b etween P

and V is fully determined by x and by r the veriers random string Furthermore P s

ith message dep ends only on x and on We will exploit this prop erty in our

i i

pro of As in the onestep and twostep cases we will imitate V s view of the interactive

pro of using the simulator to generate the prover messages We will b egin by choosing a

random string r and construct the unique conversation corresp onding to r and x round

byround At rst we will use the simulator to generate and ignore the rest of the text

Once we have we can compute as V would using the random string r We will now

run the simulator again this time forcing the verier to use the computed as its rst

message This is achieved by placing on the veriers auxiliaryinput Since the prover is

deterministic and the simulator must also b e deterministic in some sense as we shall see

we can b e sure that the same will b e computed for the new conversation and therefore

the we computed will b e a legal verier message in the new conversation that is there

exists a string r such that V x r From the new conversation we will obtain

and so on We thus reconstruct the entire conversation while not revealing r to the

simulator throughout the pro cess Once we have all the prover messages we will use to

decide whether to accept or reject It is easy to see that this metho d would not work if the

prover were not deterministic Consider for example a threestep proto col we could rst

run the simulator to obtain some We could then compute a suitable and force

the verier to use it as its message However in the new conversation we would probably

have a completely dierent b ecause P is not deterministic and may have more than one

p ossible and the computed would no longer b e a legal message in that conversation

As a result we could not use the new conversation to obtain a meaningful

Construction of the BPP machine consider a verier V in the auxiliary input

as on its auxiliary input uses mo del which when having a string

i i

its i rst messages to the prover and then computes the rest of its messages in an arbitrary

manner Since the proto col is auxiliaryinput zeroknowledge there exists a probabilistic

p olynomial time machine M which simulates the interaction of V and P We use M

V V

to build a BPP machine denoted M for the language L

On input x machine M pro ceeds as follows

Cho ose random r

Run M x with empty auxiliary input or simply M x the simulator with resp ect to

V V

the presp ecied verier V to obtain discard the rest of the text

For i to k do

Compute V x r

i i

Run M with auxiliary input to obtain which is our guess for

V i i

P x Discard the rest of the text

enddo

output x r

Soundness of M As was the case for the step and step pro ofs in this case we exactly

imitate the pro cess of the interactive pro of as far as V is concerned only substituting the

simulator for the prover as a means of generating The simulator computes

at stage i while having no knowledge of the random string used to compute

precisely the conditions under which P must compute in a real interaction It follows

that M s ability to generate under these conditions a set of messages for which

x r evaluates to ACC with nonnegligible probability implies the ability of

some prover P to do the same in a real interaction The soundness of M therefore follows

from the soundness of the underlying interactive pro of Note that the soundness condition

do es not dep end in any way on the zeroknowledgeness of the proto col

Completeness of M Consider an interaction on input x Let b e the rst i verier

messages of the unique conversation corresp onding to x and to some random string r The

prover P when interacting on x with a verier that uses as its rst i messages

will output the messages corresp onding to x and r This is true in particular for

the previously describ ed verier V Not until it receives the message can P p erhaps

realize it is interacting with a cheater V and not with the well b ehaved V Therefore all

its messages up to that p oint will b e as sp ecied by the proto col In the case of p erfect

zeroknowledge the texts of M will have the same prop erty In particular at round

i the message obtained from the simulation text will b e the unique P x

i i

corresp onding to x and the random string r chosen In all the set of prover

messages generated by M will b e the unique set corresp onding to x and r and therefore

the completeness of M follows from the completeness of P V We now pro ceed to adapt

the argument to computational zeroknowledge We need to prove that at round i the

on input x and auxiliary input are with messages generated by M

i i V

very high probability P x P x P x We will rst address the following

question

Single Element Question

g b e a distribution ensemble having the following prop erty for every large Let f

assigns high probability to one element denoted enough x the probability distribution

in our case the distribution created by the prover is totally deterministic that is

g b e a distribution ensemble which assigns probability to some text Let f

xD x

x x

g have essentially the same g Must f is p olynomially indistinguishable from f

x xD

assigns high probability to prop erty ie for every large enough x the distribution

Before attempting to answer this question let us examine more closely the notion of p olyno

mial indistinguishability In the denition of p olynomial indistinguishability used through

x x

g claimed to b e p olynomially g and f out the pap er two distribution ensembles f

x x

indistinguishable must satisfy the following condition any p olynomial time probabilistic

g must b ehave approximately the algorithm on input a single string sampled from f

g Another p ossibly stricter denition is the same as when given a string sampled from f

following any p olynomial time algorithm on input a sequence of constant or p olynomial

g must b ehave approximately the same as when given a size of strings sampled from f

g We will refer to the rst version of the denition as sequence of strings sampled from f

singlesample p olynomial indistinguishability and to the second as multiplesample p olyno

mial indistinguishability Multiplesample p olynomial indistinguishability b ears relevance

to our discussion due to the following fact when using the multiplesample denition one

can easily prove a p ositive answer to the Single Element Question p osed earlier provided

g can b e sampled in p olynomial time The following two claims will demonstrate that f

this

g assign high probability say to for every large enough x Claim Let f

x x

x x x

g g b e multiplesample p olynomially indistinguishable Then f g and f and let f

x x x

must for every large enough x assign very high probability say to exactly one string

denoted

with high probability ie higher Proof Assume to the contrary that no string app ears in

than Consider the following twosample distinguisher A on input two strings s and

g s algorithm A outputs if s s and otherwise I f s s were sampled from f

then s s with very high probability namely On the other hand if s s

g then s s with to o low probability namely were sampled from f

x x x

g g 2 The ab ove claim guarantees that f g from f Therefore A will distinguish f

x x x

assigns very high probability to a single string We now show that this string must b e

singlesample p olynomial indistinguishability suces to prove the following claim

x x

g b e a distribution ensemble such that x D the distribution Claim Let f

g b e a distribution to one string denoted Let f assigns probability at least

xD x

assigns probability at least ensemble such that x D the distribution to one

x x x

g can g are p olynomially indistinguishable and f g and f string denoted If f

x x x x

b e sampled in p olynomial time then for all but nitely many x D the string equals

the string

Proof If otherwise consider the following distinguisher A on input a string s algorithm

to obtain with overwhelmingly high probability the string which by A samples

hypothesis is dierent from The number of sample p oints is p olynomial in The

then with probability algorithm outputs if s and otherwise If s comes from

then with probability we have s If on the other hand s comes from

we have s and hence assuming s with probability

x x x x

x x

g 2 All that remains in order to g from f Therefore A will distinguish f

x x

answer the Single Element Question for singlesample p olynomial indistinguishability is to

show if we can that singlesample p olynomial indistinguishability is equivalent to multiple

sample p olynomial indistinguishability But can we Polynomial indistinguishability was

originally discussed in the context of probabilistic encryption GM and pseudorandom

generators Y In these cases the distributions of both the ensembles which are assumed

to b e p olynomially indistinguishable can b e sampled in p olynomial time This fact can b e

used to prove that in these contexts singlesample p olynomial indistinguishability the usual

denition and multiplesample p olynomial indistinguishability are equivalent intuitively

b ecause the distinguisher can generate additional samples by itself The same pro of cannot

b e applied however in general and in particular in the context of zeroknowledge b ecause in

this case one of the distribution ensembles mainly P V is not p olynomial time samplable

We return to our original question Since we cannot demonstrate the equivalence single

In GGM Goldreich Goldwasser and Micali dene multiplesample p olynomial indistinguishability

and prove its equivalence to singlesample p olynomial indistinguishability in the context of pseudorandom generators

sample p olynomial indistinguishability to multiplesample p olynomial indistinguishability

we must adopt a dierent approach We now demonstrate that even under singlesample

g must assign very high probability to the string p olynomialindistinguishability f

x x

For any distribution and string s we denote by s assigned high probability by

the probability assigned by to s

x x

g b e p olynomially indis g and f Single Element Lemma Let Let f

xD xD

x x

are probability distributions over and tinguishable distribution ensembles such that

strings of length p olynomial in jxj Assume that for every large enough x there exists some

assigns to probability Assume further that string denoted such that

x x

x x x

g may not b e Then g is p olynomialtime samplable though f f

x xD xD

for all but nitely many x

assigns probability Pro of Assume there exist an innite sequence S eq of xs such that

s at most For any x S eq there must b e one or more strings s such that

may or may not b e one of them These strings can b e arranged in lexicographical order

For any two strings s s we will write s s to mean that s precedes s in lexicographical

b e dened by order s s will mean s s or s s Let P

P s

fs j s g

by and P

P s

fs j s g

assign probability to each of the following strings Example Let and

assigns If and and P Then P

x x

P probability to each of the strings then P

x x

For any x S eq we have three p ossible cases not necessarily distinct

P and P

x x

Denote by S i the subsequence of S eq such that x S if case i holds for x

i i

Clearly at least one of the subsequences must b e innite We will now show how to handle

each of the corresp onding cases

Case Assume S is innite Let us rst prove the following claim

Claim Let b e any probability distribution on strings A k exper iment on will

consist of sampling k times the distribution Denote by s i k the result of the ith

sampling in the k exp eriment Let P denote the probability that the sample s is larger or

i i

equal to all of the samples ie P P r ob j s s Then P

i i j

Proof For reasons of symmetry i j k P P Since in every k exp eriment there must

i j

P and therefore i k P b e at least one maximal value it follows that 2

i i

Consider now the following distinguisher A on input a string s the distinguisher A rst

for k times k is a constant to b e determined latter It then outputs if s samples

is greater than or equal to each of the k sampled strings Supp ose s was sampled from

x x

in which s is the rst sample We can view the whole pro cess as a k exp eriment on

By the ab ove claim the probability that A outputs in this case is greater than or equal

to in which case s with probability On the other hand if s was sampled from

then for every x S the probability of a single sample b eing smaller than

or equal to s is less than the rst term is for the case s The

probability that all k samples will b e smaller than or equal to s is thus less than

A suitable choice of k say k yields k Clearly for any x S algorithm

x x

and therefore the distribution ensembles cannot b e and A will distinguish b etween

p olynomially indistinguishable

Case Assume S is innite This case is symmetric to the previous case since if we

reverse the lexicographical order we obtain P It can therefore b e handled in the same

way

Case Assume S is innite In this case reversing the lexicographical order will still

it must b e and P leave us in the same case Observe however that if P

x x

In such a case we can nd with sucient condence by sampling that

x x

a p olynomial number of times Consider a distinguisher A which on input a string s

enough times to pick out with very high probability say a string s samples

s and then outputs if s s We have P r obs for which

s s We then P r ob For any x x S if s was sampled from

started out the pro of by assuming that for any x S eq and therefore for any x S

and hence P r ob s s Clearly A will distinguish

x x

b etween f g and f g with gap The lemma follows 2

xD xD

The adapting lemma we need to prove is an easy consequence of the Single Element

Lemma

Lemma Let D b e the set of all pairs x y for which x L and y

such that for some random string r

V x r P x

V x r P x P x

V x r P x P x P x

i i i

If the distribution ensembles fM x y g and fP x V x y g are p olynomi

xy D xy D

ally indistinguishable then in the texts pro duced by M on input x and y with very high

probability

j i P x

j j

b e the distribution of the rst i prover messages in P s interaction with Pro of Let

V on input x and auxiliary input y note that this distribution dep ends solely

b e the distribution of the rst i s random string Let on x and y and not on V

prover messages pro duced by M on input x and y Clearly if fP x V x y g

xy D

x y g are p olynomially indistinguishable then so are f g and and fM

xy D xy D

xy xy

g clearly is p olynomialtime samplable and g The ensemble f f

xy D xy D

assigns one string namely P x P x P x probability for any

x y D We can thus apply the Determinicity Lemma We conclude that at round i

machine M will pro duce with very high probability the messages P x P x

V i

corresp onding to x and the string r used to compute 2 The Theorem follows 2

Remark The fact that singlesample and multiple sample p olynomial indistinguishability

may not b e equivalent in the context of zeroknowledge raises the following questions which

deserve further investigation can singlesample and multiplesample p olynomial indistin

guishability b e proved equivalent or strictly dierent in the context of zeroknowledge ie

when one ensemble is not p olynomialtime samplable And if they are dierent which

should b e used in a correct cryptographic denition of zeroknowledge Observe that

the two denitions are equivalent if the distinguisher is allowed to have auxiliary input as

in the denition of nonuniform p olynomial indistinguishability presented in the previous

subsection

A Remark on Extension to ZeroKnowledge Arguments

The results of the previous subsections extend to the zeroknowledge arguments introduced

in BCC In these proto cols it is guaranteed that there exists no ecient way of fo oling

the verier to accept false statements This is a relaxion of the soundness condition in

interactive pro ofs where it is required that there exists no way of fo oling the verier to

accept false statements In the extensions we use exactly the same constructions of BPP

machines and the same reasoning for the completeness condition ie that the machine

accepts with high probability inputs in the language For the soundness of the BPP

machine ie showing that it rejects with high probability inputs not in the language

we use a slightly more careful reasoning Recall that the soundness of the BPP machine

is proved by relying on the soundness of the proto col In fact in all cases we have shown

that a violation of the soundness of the BPP machine yields violation of the soundness

condition for interactive pro ofs This in turn was done by incorp orating the cheating

BPP machine inside of a cheating prover Hence the cheating prover constructed in

all cases is indeed ecient and thus contradicts the soundness condition of zeroknowledge

arguments as well

ACKNOWLEDGEMENTS We would like to thank Shimon Even for making useful com

ments on the pap er The concept of Las Vegas interactive pro ofs was raised by Manuel

Blum and communicated through Silvio Micali The question of triviality of pro of systems

with deterministic provers was raised by Shimon Even

REFERENCES

B Babai L Trading Group Theory for Randomness Proc th STOC pp

BCC Brassard G D Chaum and C Crep eau Minimum Disclosure Pro ofs of knowledge

JCSS Vol No Oct pp

F Fortnow L The Complexity of Perfect ZeroKnowledge Proc of th STOC

FS Feige U and A Shamir p ersonal communication

GGM Goldreich O S Goldwasser and S Micali How to Construct Random Functions

Jour of ACM Vol No pp

GK Goldreich O and H Krawczyk On the Comp osition of ZeroKnowledge Pro of

Systems to app ear in the pro ceedings of th ICALP

GMS Goldreich O Y Mansour and M Sipser Interactive Pro of Systems Provers that

Never Fail and Random Selection Proc th FOCS

GMW Goldreich O S Micali and A Wigderson Pro ofs that Yield Nothing But their

Validity and a Metho dology of Cryptographic Proto col Design Proc th FOCS

GMW Goldreich O S Micali and A Wigderson How to Play Any Mental Game or A

Completeness Theorem for Proto cols with Honest Ma jority Proc of th STOC

GMR Goldwasser S S Micali and C Racko Knowledge Complexity of Interactive

Pro ofs Proc th STOC pp

GMR Goldwasser S S Micali and C Racko The Knowledge Complexity of Interactive

Pro of Systems SIAM J on Comput Vol No pp

GM Goldwasser S and S Micali Probabilistic Encryption JCSS Vol No

GS Goldwasser S and M Sipser Arthur Merlin Games versus Interactive Pro of Sys

tems Proc th STOC pp

O OrenY Prop erties of ZeroKnowledge Pro ofs MSc Thesis Computer Science

Dept Technion Israel Nov in Hebrew

O Oren Y On the Cunning Power of Cheating Veriers Some Observations Ab out

ZeroKnowledge Pro ofs Proc th FOCS pp

TW Tompa M and H Woll Random SelfReducibility and ZeroKnowledge Interactive

Pro ofs of Possession of Information Proc th FOCS pp

Y Yao AC Theory and Applications of Trapdo or Functions Proc rd FOCS

AH Aiello W and J Hastad Perfect ZeroKnowledge Languages Can Be Recognized

in Two Rounds th FOCS pp

AH Aiello W and J Hastad Relativized Perfect ZeroKnowledge is not BPP Infor

mation and Computation Vol pp

IY Impagliazzo R and Yung M Direct MinimumKnowledge Computations Ad

vances in Cryptology Crypto pro ceedings Lecture Notes in Computer Science

Vol SpringerVerlag NewYork pp

S A Shamir IPPSPACE st FOCS pp