Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.

Presentation transcript:


Interactive Proof Systems [GMR]
[Figure: prover P and verifier V interact on common input x; V outputs Accept/Reject.]
Completeness: If x ∈ L, P can cause V to output “Accept” w.p. 1.
Soundness: If x ∉ L, no matter what P does, V will output “Reject” w.h.p.

Interactive Proof Systems [GMR]
[Figure: as before, P and V interact on common input x; V outputs Accept/Reject.]
An interactive proof system is zero-knowledge (ZK) if the verifier cannot learn anything new after interacting with the prover. That is, no matter what V does, it will not learn anything that it couldn’t have learned by itself (without any interaction with the prover).

Interactive Proof Systems [GMR]
Formalized by showing that for every verifier there exists a simulator – a non-interactive alg whose output is indist from the verifier’s view in the interaction.
[Figure: S( , ) ~ Verifier’s view, where the two arguments of S are labelled “Verifier’s strategy (Circuit / TM)” and “Public input (x)”.]
Two r.v. X, Y are indist if ∀ poly circuit D: | Pr[D(X)=1] – Pr[D(Y)=1] | < n^{-ω(1)}.

Some Known Results
Under assumptions, ∃ ZK proof for every language in NP. [GMW]
In fact, ∃ such a proof that only uses a constant number of communication rounds. [FS,BCY,GKa]
A proof system for a non-trivial language that is ZK w.r.t. verifiers that use a non-uniform strategy must have at least 3 rounds. [GO]
A ZK proof for a non-trivial* language must be interactive (i.e., have at least 2 rounds). [GO]

A Natural Question
Is there a 2-round proof system for NP that is ZK w.r.t. uniform verifiers?
We show that under assumptions, the answer is NO. That is, we show that under reasonable assumptions, there is no 2-round ZK proof* system for a language not in co-NP.
* The result is for (statistically sound) proof systems with perfect completeness.

The Public-Coin Case
Thm 1: Let E = Dtime(2^{O(n)}). If NCC(E) = 2^{Ω(n)} (E requires exponential-size nondeterministic circuits) then there is no 2-round ZK public-coins proof system for a non-trivial language.
[Figure: V sends  ∈_R {0,1}^n, P replies with  ; V accepts iff A(x, ,  )=1.]
A 2-round proof system is public-coins if the verifier sends its entire random tape as its message.

Thm 1: If NCC(E) = 2^{Ω(n)} and L has a 2-round ZK public-coins proof then L ∈ BPP.
[Figure: V sends  ∈_R {0,1}^n, P replies with  ; V accepts iff A(x, ,  )=1.]
Proof: Fix x ∉ L. Define  ∈ {0,1}^n as good if ∀  A(x, ,  )=0.
Note that:
1. Pr_{ ∈ {0,1}^n}[ is good] > ½ (by soundness, which holds even against a prover that picks its best response to each verifier message).
2. Can test if  is good in non-deterministic time n^c, where n^c is the running time of A.
Under the assumption, ∃ poly-time G: {0,1}^{O(log n)} → {0,1}^n s.t. Pr_{=G(s)}[ is good] > ¼ [KvM].

[Figure: V* sends  = G(s), P replies with  ; V accepts iff A(x, ,  )=1.]
Define verifier V* that sends  = G(s) for s ∈_R {0,1}^{O(log n)}.
Let S be a simulator for V*. For every x ∈ L, S should output a pair ( ,  ) that is indist from a real execution.
For every x and  = G(s), we define S(x,  ) to be the result of the following poly-time process: run S(x) many times till the output is of the form ( ,  ); output  .
In particular, if x ∈ L, then Pr_{( , )=S(x)}[A(x, ,  )=1] > 1 – n^{-ω(1)}.

To decide if x ∈ L:
1. Choose s ∈_R {0,1}^{O(log n)}, let  = G(s). Note that  is good w.p. ≥ ¼.
2. Compute  = S(x,  ).
3. Output A(x, ,  ).
We get that L ∈ BPP.
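A worked check of the completeness/soundness gap behind the last line, added here and not part of the slides; it writes $\alpha$ for the verifier's message and $\beta$ for the prover's response (names assumed, since the transcript dropped the original symbols) and lets the procedure output $0$ whenever the poly-time loop inside $S(x,\alpha)$ finds no pair starting with $\alpha$.

Case $x \notin L$. If $\alpha = G(s)$ is good then $A(x,\alpha,\beta)=0$ for every $\beta$, in particular for $\beta = S(x,\alpha)$ (and the $\bot$ case outputs $0$ anyway), so
$$\Pr_s[\text{output } 1] \;\le\; \Pr_s[\alpha \text{ is not good}] \;<\; 3/4 .$$

Case $x \in L$. Let $p_V(\alpha) = \Pr_s[G(s)=\alpha]$ and $p_S(\alpha) = \Pr[S(x) \text{ outputs a pair starting with } \alpha]$, and let $q(\alpha)$ be the probability that the $\beta$ returned by $S(x,\alpha)$ satisfies $A(x,\alpha,\beta)=1$. The procedure accepts with probability $\sum_\alpha p_V(\alpha)\,q(\alpha)$, while the slide's indistinguishability bound says $\sum_\alpha p_S(\alpha)\,q(\alpha) > 1 - n^{-\omega(1)}$. Since "first component equals $\alpha$" is a poly-time test, $|p_V(\alpha) - p_S(\alpha)| < n^{-\omega(1)}$ for each $\alpha$, and there are only $2^{O(\log n)} = \mathrm{poly}(n)$ seeds (the remaining mass of $p_S$ outside the range of $G$ is caught by the poly-time test "is $\alpha$ in the range of $G$"), so
$$\Pr_s[\text{output } 1] \;\ge\; \sum_\alpha p_S(\alpha)\,q(\alpha) \;-\; \mathrm{poly}(n)\cdot n^{-\omega(1)} \;>\; 1 - n^{-\omega(1)} .$$

The acceptance probabilities $1-n^{-\omega(1)}$ (for $x \in L$) and $< 3/4$ (for $x \notin L$) are separated by a constant; running the procedure $O(n)$ times with fresh seeds and accepting iff more than $7/8$ of the runs output $1$ makes both error probabilities $2^{-\Omega(n)}$ by a Chernoff bound, which is the BPP requirement.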

The Private-Coin Case
Thm 2: If Σ_2-CC(E) = 2^{Ω(n)} (E requires exponential-size Σ_2-circuits) then there is no 2-round ZK proof system for a language L ∉ co-NP.
[Figure: V, with random tape r, sends  (r); P replies with  ; V accepts iff A(x, ,  ;r)=1.]

Thm 2: If Σ_2-CC(E) = 2^{Ω(n)} and L has a 2-round ZK proof system then L ∈ co-NP.
[Figure: V, with random tape r, sends  (r); P replies with  ; V accepts iff A(x, ,  ;r)=1.]
Proof: Fix x ∉ L. Define  =  (r) as good if ∀  ∃r s.t. A(x, ,  ;r)=0.
Under the assumption, ∃ poly-time G: {0,1}^{O(log n)} → {0,1}^n s.t. Pr_{=G(s)}[ is good] > ¼ [KvM].

Define V* as before to use r = G(s), and define S to be the simulator for V*.
[Figure: V*, with random tape r = G(s), sends  (r); P replies with  ; V accepts iff A(x, ,  ;r)=1.]
Again, for every x and  = G(s), we define S(x,  ) to be the result of the following poly-time process: run S(x) many times till the output is of the form ( ,  ); output  .
Note that if x ∈ L and  = P(x,  ) then ∀r A(x, ,  ;r)=1. Therefore w.h.p. this also holds for S(x,  ).

Consider the following attempted algorithm for L.
To decide if x ∈ L:
1. Choose s ∈_R {0,1}^{O(log n)}, let r_0 = G(s) and  =  (r_0). Note that  is good w.p. ≥ ¼.
2. Compute  = S(x,  ).
3. Output A(x, ,  ;r) where r = r_0.
If x ∉ L then w.p. ≥ ¼ ∃r s.t. A(x, ,  ;r)=0. However, it may be that A(x, ,  ;r_0)=1!
If x ∈ L then w.h.p. ∀r A(x, ,S(x,  );r)=1.
However, we can choose r in step 3 via a non-deterministic guess and get that L ∈ co-AM!
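The co-AM protocol that the "non-deterministic guess" amounts to, written out with both parties' messages; this is added here and not part of the slides, and it again uses the assumed names $\alpha$ (verifier's message) and $\beta$ (prover's response), with the convention that Arthur accepts outright if the poly-time loop inside $S(x,\alpha)$ finds no pair starting with $\alpha$.

Protocol for the complement language $\bar L$ on input $x$:
$$\begin{aligned}
\text{Arthur:}\;& \text{pick } s \in_R \{0,1\}^{O(\log n)},\ r_0 = G(s),\ \alpha = \alpha(r_0),\ \beta = S(x,\alpha);\ \text{send } s \text{ and the coins used by } S. \\
\text{Merlin:}\;& \text{reply with a string } r. \\
\text{Arthur:}\;& \text{accept (i.e. declare } x \notin L\text{) iff } A(x,\alpha,\beta;r) = 0 .
\end{aligned}$$

If $x \notin L$: with probability $\ge 1/4$ over $s$, $\alpha$ is good, so for the particular $\beta$ Arthur computed there is some $r$ with $A(x,\alpha,\beta;r)=0$, and an unbounded Merlin can find and send it; hence $\Pr[\text{accept}] \ge 1/4$.

If $x \in L$: by the previous slide, w.h.p. over Arthur's coins $A(x,\alpha,S(x,\alpha);r)=1$ for every $r$, so no reply is accepted, and the outright-accept case occurs only when $S(x)$ fails to ever output a pair starting with $\alpha$, which has probability $n^{-\omega(1)}$ because each $\alpha$ in the range of $G$ has weight $\ge 1/\mathrm{poly}(n)$ under $S(x)$; hence $\Pr[\text{accept}] \le n^{-\omega(1)}$.

Completeness $1/4$ versus soundness error $n^{-\omega(1)}$ is a constant gap, and for a two-message public-coin proof system parallel repetition with $O(n)$ independent seeds reduces both errors to $2^{-\Omega(n)}$; thus $\bar L \in \text{AM}$, i.e. $L \in \text{co-AM}$. The attempted algorithm failed precisely because it fixed $r = r_0$ instead of letting Merlin choose $r$.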

Other Results
1. Under assumptions, there is no 2-round ZK proof system for NP w/ perfect completeness.
2. There is no constant-round public-coin proof system that is (even bounded) resettable ZK.
3. Under assumptions, there is no constant-round ZK strong proof of knowledge [G].
Tightness results: 1 & 3 use essentially tight assumptions. Furthermore, similar assumptions are required to rule out that ω(log n)-wise parallel 3COL/HAM are ZK.
There is an argument system for NP that is constant-round and bounded resettable ZK.

Conclusions
Still several open questions regarding the power of (non-BB) zero knowledge.
This work shows that there is a difference between arguments and proofs, and that sometimes one must use (uncommon) computational assumptions.
One of the most important open questions – prove the following under reasonable assumptions:
Conjecture: There is no constant-round public-coins zero-knowledge proof system for NP.