(1) On the Composition of Public-Coin Zero-Knowledge Protocols

by Rafael Pass, Wei-Lung Dustin Tseng, and Douglas Wikstrum.

(2) On Public versus Private Coins in Zero-knowledge Proof Systems

by Rafael Pass and Muthuramakrishnan Venkitasubramaniam.

Oded's comments

Indeed, from my perspective, the common theme here is the justification of various features of known zero-knowledge protocols. Specifically, the first work [to appear in Crypto'09] explains why the only known protocols (i.e.,proofs or arguments) that preserve zero-knowledge under parallel composition are protocols that use private-coins. This paper shows that parallel executions of interactive arguments that are of the public-coin type cannot be simulated in a black-box manner (unless they are trivial; i.e., establish membership in a BPP-set). The second work [announced at the rump session of TCC'09] explains why the known construction of constant-round zero-knowledge proofs uses a (seemingly) stronger assumption than the mere existence of one-way functions. This paper provides an upper-bound on the computational complexity of sets having constant-round proof systems that use one-way functions in a "fully black-box" manner (i.e., the protocol makes a black-box use of the function, and the simulator uses the adversary in a black-box way).
Note that these justifications do not say that it is impossible to get rid of the aforementioned features of the known zero-knowledge protocols. They only says that doing so will require non-black-box techniques. Still this makes us feel better about our failure to get rid of these features so far (let alone in the past, before the potential of non-black-box techniques was realized).

The original abstract

Abstract for the 1st paper: We show that only languages in BPP have public-coin, black-box zero-knowledge protocols that are secure under an unbounded (polynomial) number of parallel repetitions. This results holds both in the plain model (without any set-up) and in the Bare Public-Key Model (where the prover and the verifier have registered public keys). We complement this result by showing the existence of a public-coin black-box zero-knowledge proof that remains secure under any a-priori bounded number of concurrent executions.
Abstract for the 2nd paper (tentative): Goldreich-Krawczyk show that only languages in BPP have constant-round *public-coin* black-box zero-knowledge protocols. We extend their lower bound to ``fully black-box'' *private-coin* protocols based on one-way functions. More precisely, we show that only languages in $BPP^CF$, where CF is a ``collision-finding'' oracle (as in [Haitner et al. 07], [Simon 98]), can have constant-round fully black-box zero-knowledge *proofs* based on one-way functions; the same holds for fully black-box zero-knowledge *arguments* with sublinear verifier communication complexity. We also establish near-linear lower bounds on the round complexity of fully black-box concurrent zero-knowledge proofs (or arguments with sublinear verifier communication) for languages outside $BPP^CF$. To establish these results we present a transformation from private-coin protocols into CF-relativized public-coin protocols; for the case of fully black-box protocols based on one-way functions, this transformation preserves zero knowledge, round complexity and communication complexity. As an additional corollary of this transformation (and relying on recent parallel repetition theorems for public-coin protocols), we establish that parallel repetition reduces the soundness error in all fully black-box private-coin arguments with sublinear verifier communication complexity.


Back to list of Oded's choices.