Unprovable Security of Two-Message Zero Knowledge

Goldreich and Oren (JoC’94) show that only trivial languages have 2-message zero-knowledge arguments. In this note we consider weaker, super-polynomial-time simulation (SPS), notions of zero-knowledge. We present barriers to using black-box reductions for demonstrating soundness of 2-message protocols with efficient prover strategies satisfying SPS zero-knowledge. More precisely, we show that assuming the existence of poly(T (n))-hard one-way functions, the following holds: • For sub-exponential (or smaller) T (·), polynomial-time black-box reductions cannot be used to prove soundness of 2-message T (·)-simulatable arguments based on any polynomialtime intractability assumption. This matches known 2-message quasi-polynomial-time simulatable arguments using a quasi-polynomial-time reduction (Pass’03), and 2-message exponential-time simulatable proofs using a polynomial-time reduction (Dwork-Naor’00, Pass’03). • poly(T (·))-time black-box reductions cannot be used to prove soundness of 2-message strong T (·)-simulatable (efficient prover) arguments based on any poly(T (·))-time intractability assumption; strong T (·)-simulatability means that the output of the simulator is indistinguishable also for poly(T (·))-size circuits. This matches known 3-message strong quasi-polynomial-time simulatable proofs (Blum’86, Canetti et al’ 00). ∗Cornell University. {chung,luied,mohammad,rafael}@cs.cornell.edu Chung is supported in part by a Simon’s Foundation postdoctoral fellowship. Pass is supported in part by a Alfred P. Sloan Fellowship, Microsoft New Faculty Fellowship, NSF Award CNS1217821, NSF CAREER Award CCF-0746990, NSF Award CCF-1214844, AFOSR YIP Award FA9550-10-1-0093, and DARPA and AFRL under contract FA8750-11-20211. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Defense Advanced Research Projects Agency or the US Government.