On the composition of public-coin zero-knowledge protocols

Rafael Pass*, Wei Lung Dustin Tseng, Douglas Wikström

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

10 Scopus citations


We show that only languages in BPP have public-coin black-box zero-knowledge protocols that are secure under an unbounded (polynomial) number of parallel repetitions. This result holds both in the plain model (without any setup) and in the bare public key model (where the prover and the verifier have registered public keys). We complement this result by constructing a public-coin black-box zero-knowledge proof based on one-way functions that remains secure under any a priori bounded number of concurrent executions. A key step (of independent interest) in the analysis of our lower bound shows that any public-coin protocol, when repeated sufficiently in parallel, satisfies a notion of "resettable soundness" if the verifier picks its random coins using a pseudorandom function.

Original languageEnglish
Pages (from-to)1529-1553
Number of pages25
JournalSIAM Journal on Computing
Issue number6
StatePublished - 2011
Externally publishedYes


  • Parallel repetition
  • Public-coin interactive protocols
  • Zero-knowledge


Dive into the research topics of 'On the composition of public-coin zero-knowledge protocols'. Together they form a unique fingerprint.

Cite this