Private coins versus public coins in zero-knowledge proof systems

Rafael Pass*, Muthuramakrishnan Venkitasubramaniam

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review


Goldreich-Krawczyk (SIAM J of Comp'96) showed that only languages in BPP have constant-round public-coin black-box zero-knowledge protocols. We extend their lower bound to "fully black-box" private-coin protocols based on one-way functions. More precisely, we show that only languages in BPP^Sam, where Sam is a "collision-finding" oracle in analogy with Simon (Eurocrypt'98) and Haitner et al. (FOCS'07), can have constant-round fully black-box zero-knowledge proofs; the same holds for constant-round fully black-box zero-knowledge arguments with sublinear verifier communication complexity. We also establish near-linear lower bounds on the round complexity of fully black-box concurrent zero-knowledge proofs (or arguments with sublinear verifier communication) for languages outside BPP^Sam. The technique used to establish these results is a transformation from private-coin protocols into Sam-relativized public-coin protocols; for the case of fully black-box protocols based on one-way functions, this transformation preserves zero knowledge, round complexity and communication complexity.

Original language: English
Title of host publication: Theory of Cryptography - 7th Theory of Cryptography Conference, TCC 2010, Proceedings
Number of pages: 18
State: Published - 2010
Externally published: Yes
Event: 7th Theory of Cryptography Conference, TCC 2010 - Zurich, Switzerland
Duration: 9 Feb 2010 – 11 Feb 2010

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 5978 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349


Conference: 7th Theory of Cryptography Conference, TCC 2010

