International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Characterizing Deterministic-Prover Zero Knowledge

Authors:
Nir Bitanksy
Arka Rai Choudhuri
Download:
Search ePrint
Search Google
Presentation: Slides
Abstract: Randomness is typically thought to be essential for zero knowledge protocols. Following this intuition, Goldreich and Oren (Journal of Cryptology 94) proved that auxiliary-input zero knowledge cannot be achieved with a deterministic prover. On the other hand, positive results are only known in the honest-verifier setting, or when the prover is given at least a restricted source of entropy. We prove that removing (or just bounding) the verifier's auxiliary input, deterministic-prover zero knowledge becomes feasible: - Assuming non-interactive witness-indistinguishable proofs and subexponential indistinguishability obfuscation and one-way functions, we construct deterministic-prover zero-knowledge arguments for $\NP\cap \coNP$ against verifiers with bounded non-uniform auxiliary input. - Assuming also keyless hash functions that are collision-resistant against bounded-auxiliary-input quasipolynomial-time attackers, we construct similar arguments for all of $\NP$. Together with the result of Goldreich and Oren, this characterizes when deterministic-prover zero knowledge is feasible. We also demonstrate the necessity of strong assumptions, by showing that deterministic prover zero knowledge arguments for a given language imply witness encryption for that language. We further prove that such arguments can always be collapsed to two messages and be made laconic. These implications rely on a more general connection with the notion of predictable arguments by Faonio, Nielsen, and Venturi (PKC 17).
Video from TCC 2020
BibTeX
@article{tcc-2020-30608,
  title={Characterizing Deterministic-Prover Zero Knowledge},
  booktitle={Theory of Cryptography},
  publisher={Springer},
  author={Nir Bitanksy and Arka Rai Choudhuri},
  year=2020
}