On the 'composition of Zero-knowledge Proof Systems on the Composition of Z~ro· Knowledge Proof Systems

A basic question concerning zero-knowledge proof systems is whether their (sequential and/or parallel) composition is zero-knowledge too. This question is not only of natural theoretical interest, but is also of great practical importance as it concerns the use of zero-knowledge proofs as subroutines in cryptographic protocols. We prove that the original formulation of zero-knowledge as appearing in the pioneering work of Goldwasser, Micali and Rackoff is not closed under sequential composition. This fact was conjuctered by many researchers (leading to the introduction of more robust fonnulations of zero-knowledge (e.g. ~lack-box simulation», but no full proof has been given yet. We prove that the general statement that the parallel composition of any two zeroknowledge protocols constitutes a zero-knowledge protocol, is wrong. Namely, we present two protocols, both being zero-Knowledge in a strong sense (e.g. black-box simulation) yet their parallel composition is not zero-knowledge (not even in a weak sense). We re~olve an open problem concerning the "parallel versions" of the interactive proofs systems known for quadratic residuosity, graph isomorphism and any language in NP. We show that these proof systems (which are constant-round Arthur-Merlin games) cannot be proven zero-knowledge using black-box simulation, unless the corresponding languages are in BPP. This is a corollary of our result that a constant-round ArthurMerlin interactive. proof for a language L, cannot be proven zero-knowledge using black-box simulation, unless L is in BPP. It should be noted that all known zeroknowledge interactive proofs are proven zero-knowledge using black-box simulation and that it is hard to conceive an alternative way for demonstrating the zero-knowledgeness of an interactive proof. The result concerning Arthur-Merlin zero-knowledge proofs can be viewed as a support to the conjecture that "secret coins" help in' the zero-knowledge setting. Research was partially supported by the Fund for Basic Research Administered by the Israeli Academy of Sciences and Humanities. T ec hn io n C om pu te r Sc ie nc e D ep ar tm en t T eh ni ca l R ep or t C S0 57 0 19 89