Skip to main content

Characterizing Deterministic-Prover Zero Knowledge

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12550)


Randomness is typically thought to be essential for zero knowledge protocols. Following this intuition, Goldreich and Oren (Journal of Cryptology 94) proved that auxiliary-input zero knowledge cannot be achieved with a deterministic prover. On the other hand, positive results are only known in the honest-verifier setting, or when the prover is given at least a restricted source of entropy. We prove that removing (or just bounding) the verifier’s auxiliary input, deterministic-prover zero knowledge becomes feasible:

  • Assuming non-interactive witness-indistinguishable proofs and subexponential indistinguishability obfuscation and one-way functions, we construct deterministic-prover zero-knowledge arguments for against verifiers with bounded non-uniform auxiliary input.

  • Assuming also keyless hash functions that are collision-resistant against bounded-auxiliary-input quasipolynomial-time attackers, we construct similar arguments for all of .

Together with the result of Goldreich and Oren, this characterizes when deterministic-prover zero knowledge is feasible. We also demonstrate the necessity of strong assumptions, by showing that deterministic prover zero knowledge arguments for a given language imply witness encryption for that language. We further prove that such arguments can always be collapsed to two messages and be made laconic. These implications rely on a more general connection with the notion of predictable arguments by Faonio, Nielsen, and Venturi (PKC 17).

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-64375-1_19
  • Chapter length: 32 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
USD   84.99
Price excludes VAT (USA)
  • ISBN: 978-3-030-64375-1
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   109.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.
Fig. 5.
Fig. 6.


  1. 1.

    Indistinguishability obfuscation implies non-interactive witness indistinguishable proofs, but with a randomized verifier [8], which is insufficient for our purpose. The verifier can be derandomized under a worst-case Nisan-Wigderson [21] type derandomization assumption [9]. Non-interactive witness indistinguishable proofs with a deterministic verifier are also known from standard assumptions on bilinear maps [19].

  2. 2.

    Here we implicitly rely on the fact that the simulator produces an accepting transcript for the deterministic verifier . The deterministic nature of the verifier ensures that the simulator cannot manipulate the verifier’s randomness and therefore must produce an accepting transcript is consistent with .

  3. 3.

    Only zero-knowledge against honestly behaving verifiers.


  1. Barak, B.: How to go beyond the black-box simulation barrier. In: 42nd FOCS, pp. 106–115. IEEE Computer Society Press (October 2001)

    Google Scholar 

  2. Barak, B., Ong, S.J., Vadhan, S.: Derandomization in cryptography. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 299–315. Springer, Heidelberg (2003).

    CrossRef  MATH  Google Scholar 

  3. Barak, B., Pass, R.: On the possibility of one-message weak zero-knowledge. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 121–132. Springer, Heidelberg (2004).

    CrossRef  MATH  Google Scholar 

  4. Bellare, M., Impagliazzo, R., Naor, M.: Does parallel repetition lower the error in computationally sound protocols? In: 38th FOCS, pp. 374–383. IEEE Computer Society Press (October 1997)

    Google Scholar 

  5. Bitansky, N., et al.: Indistinguishability obfuscation for RAM programs and succinct randomized encodings. SIAM J. Comput. 47(3), 1123–1210 (2018)

    MathSciNet  CrossRef  Google Scholar 

  6. Bitansky, N., Canetti, R., Paneth, O., Rosen, A.: On the existence of extractable one-way functions. In: Shmoys, D.B. (ed.) 46th ACM STOC, pp. 505–514. ACM Press (May/June 2014)

    Google Scholar 

  7. Bitansky, N., Khurana, D., Paneth, O.: Weak zero-knowledge beyond the black-box barrier. In: Charikar, M., Cohen, E. (eds.) 51st ACM STOC, pp. 1091–1102. ACM Press (June 2019)

    Google Scholar 

  8. Bitansky, N., Paneth, O.: ZAPs and non-interactive witness indistinguishability from indistinguishability obfuscation. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 401–427. Springer, Heidelberg (2015).

    CrossRef  MATH  Google Scholar 

  9. Bitansky, N., Vaikuntanathan, V.: A note on perfect correctness by derandomization. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 592–606. Springer, Cham (2017).

    CrossRef  Google Scholar 

  10. Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64. Springer, Heidelberg (2002).

    CrossRef  Google Scholar 

  11. Dahari, H., Lindell, Y.: Deterministic-prover zero-knowledge proofs. Cryptology ePrint Archive, Report 2020/141 (2020).

  12. Faonio, A., Nielsen, J.B., Venturi, D.: Predictable arguments of knowledge. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10174, pp. 121–150. Springer, Heidelberg (2017).

    CrossRef  Google Scholar 

  13. Garg, S., Gentry, C., Sahai, A., Waters, B.: Witness encryption and its applications. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th ACM STOC, pp. 467–476. ACM Press (June 2013)

    Google Scholar 

  14. Garg, S., Srinivasan, A.: A simple construction of iO for turing machines. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11240, pp. 425–454. Springer, Cham (2018).

    CrossRef  MATH  Google Scholar 

  15. Goldreich, O., Krawczyk, H.: On the composition of zero-knowledge proof systems. SIAM J. Comput. 25(1), 169–192 (1996)

    MathSciNet  CrossRef  Google Scholar 

  16. Goldreich, O., Oren, Y.: Definitions and properties of zero-knowledge proof systems. J. Cryptol. 7(1), 1–32 (1994)

    MathSciNet  CrossRef  Google Scholar 

  17. Goldreich, O., Vadhan, S., Wigderson, A.: On interactive proofs with a laconic prover. In: Orejas, F., Spirakis, P.G., van Leeuwen, J. (eds.) ICALP 2001. LNCS, vol. 2076, pp. 334–345. Springer, Heidelberg (2001).

    CrossRef  Google Scholar 

  18. Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)

    MathSciNet  CrossRef  Google Scholar 

  19. Groth, J., Ostrovsky, R., Sahai, A.: Non-interactive zaps and new techniques for NIZK. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 97–111. Springer, Heidelberg (2006).

    CrossRef  Google Scholar 

  20. Koppula, V., Lewko, A.B., Waters, B.: Indistinguishability obfuscation for turing machines with unbounded memory. In: Servedio, R.A., Rubinfeld, R. (eds.) 47th ACM STOC, pp. 419–428. ACM Press (June 2015)

    Google Scholar 

  21. Nisan, N., Wigderson, A.: Hardness vs randomness. J. Comput. Syst. Sci. 49(2), 149–167 (1994)

    MathSciNet  CrossRef  Google Scholar 

Download references


Nir Bitansky is a member of the Check Point Institute of Information Security. Supported by the Alon Young Faculty Fellowship, by Len Blavatnik and the Blavatnik Family foundation, and an ISF grant 18/484.

This work was done in part when Arka Rai Choudhuri was visiting Tel Aviv University and supported by the Check Point Institute of Information Security. He is also supported in part by DARPA/ARL Safeware Grant W911NF-15-C-0213, NSF Grants CNS-1908181, CNS-1414023, CNS-1814919, NSF CAREER 1942789, Samsung Global Research Outreach award, Johns Hopkins University Catalyst award and the Office of Naval Research Grant N00014-19-1-2294.

Author information

Authors and Affiliations


Corresponding author

Correspondence to Arka Rai Choudhuri .

Editor information

Editors and Affiliations

A Predictable Arguments from Honest-Verifier ZK

A Predictable Arguments from Honest-Verifier ZK

In Sect. 4, we showed how to transform any deterministic-prover zero-knowledge (DPZK) protocol into one that is also a predictable argument (PA). In this section, we show that if we start with a weaker notion of deterministic-prover honest verifier zero-knowledge (DP-HVZK)Footnote 3 and the existence of an appropriate hard language, we can transform the DP-HVZK protocol into a predictable argument. One caveat of this transformation is that the languages of the DP-HVZK and PA in our transformation will be related, but not identical. As long as the DP-HVZK we start from is for an expressive enough class of languages (e.g. for ), we will get a PA for the same class.

Definition 13

(Hard-on-Average Language). A language \(\mathcal {L}\) is hard-on-average if there exist two \(\mathsf {PPT}\) samplers \(Y_{\mathcal {L}},N_{\mathcal {L}}\) where the support of the first is \(\mathcal {L}\) and of the second is \(\{0,1\}^*\setminus \mathcal {L}\) such that

We establish the following theorem.

Theorem 6

If there exists a deterministic-prover honest-verifier zero-knowledge argument (DP-HVZK) for \(\mathcal {L} \vee \mathcal {L}_\mathsf {hard}\), where \(\mathcal {L}_\mathsf {hard}\) is a hard-on-average language, then there exists a predictable argument (PA) for \(\mathcal {L}\).

By the fact that both and are closed under OR, we deduce the following corollaries.

Corollary 4

Assuming DP-HVZK for all of and hard-on-average languages in , there is a witness encryption scheme for all of .

Corollary 5

Assuming DP-HVZK for all of and hard-on-average languages in , there is a witness encryption scheme for all of .

We note that hard-on-average languages in are known to follow from one-way functions, and hard-on-average languages in are known to follow from one-way permutations.

We now proceed with the proof.

Proof of Theorem 6. To build a predictable argument for \(\mathcal {L}\), we use the following primitives:

  • A hard language \(\mathcal {L}_\mathsf {hard}\) given by samplers \((Y_{\mathcal {L}_\mathsf {hard}},N_{\mathcal {L}_\mathsf {hard}})\).

  • A \(\rho \)-round DP-HVZK protocol for the language \(\mathcal {L}_{OR}\) defined below, where the verifier sends messages \(v_i\) in round i, and the prover \(\mathsf {P}'\) sends message \(p_i\) in round i. We denote by \(\mathsf {Sim}'\) the corresponding honest-verifier simulator. The language \(\mathcal {L}_{OR}\) is defined below,

    $$ \mathcal {L}_{OR} = \left\{ ~ (x,\widetilde{x}) ~\Big \vert ~ \exists (w,\widetilde{w}) \text { s.t. } R_{\mathcal {L}}(x,w)=1 \text { OR } R_{\mathcal {L}_\mathsf {hard}}(\widetilde{x},\widetilde{w})=1 ~\right\} , $$

    namely, either the statement x is in \(\mathcal {L}\), or \(\widetilde{x}\) is in \(\mathcal {L}_\mathsf {hard}\).

The transformation is presented in Fig. 7.

Before we proceed with the completeness and soundness, we note that the protocol structure follows that of a predictable argument.

Completeness. We show that is complete based on the honest verifier zero-knowledge property of .

Fix any \(x \in \mathcal {L}\) and the corresponding witness w, a yes-instance \(\widetilde{x} \in \mathcal {L}_{\mathsf {hard}}\), and let \(x' = (x,\widetilde{x})\). Let \(\widetilde{\mathsf {p}}_1,\dots ,\widetilde{\mathsf {p}}_\rho \) denote the messages and \(\widetilde{r}\) denote the verifier randomness simulated by \(\mathsf {Sim}'(x')\). We argue that the deterministic prover \(\mathsf {P}(x,w)\) produces messages \(\left\{ \mathsf {p}_i= \widetilde{\mathsf {p}}_i \right\} _{i=1}^\rho \) with overwhelming probability (over the coins of \(\mathsf {Sim}'\)). This follows from zero knowledge. Consider a distinguisher that has (xw) hardwired, and given messages \({\mathsf {p}}_i\) and verifier randomness \(\widetilde{r}\) emulates a conversation of the deterministic \(\mathsf {P}'(x,w)\) with , and outputs “real” if the corresponding prover messages coincide with \({\mathsf {p}}_i\), or “simulated” otherwise. If the simulated messages \(\widetilde{\mathsf {p}}_i\) are inconsistent with the real prover messages \({\mathsf {p}}_i\), the distinguisher will tell them apart.

Soundness. We show that is sound based on the completeness, soundness and zero knowledge of , as well as the hardness of \(\mathcal {L}_\mathsf {hard}\).

Fig. 7.
figure 7

Transforming DP-HVZK to PA

Fix any \(x\notin \mathcal {L}\) and cheating prover \(\mathsf {P}^*\). We prove that \(\mathsf {P}^*\) fails to convince of accepting, except with negligible probability. We consider several hybrid experiments transitioning from a real interaction to an ideal interaction. We will show that when moving from one hybrid to the next the prover’s chance of convincing the verifier does not decrease by more than a negligible amount. Then we will show that the chance that is convinced the final (ideal interaction) hybrid is negligible.

  • \(\mathsf {Hyb}_0\): This is a real interaction between \(\mathsf {P}^*\) and .

  • \(\mathsf {Hyb}_1\): In this hybrid, once samples a simulated transcript \(\widetilde{\mathsf {p}}_1,\dots ,\widetilde{\mathsf {p}}_\rho ,\widetilde{r}\) , it emulates an execution of with the simulated prover messages and checks whether it is accepting. If it is not, rejects immediately.

    We argue that the probability that \(\mathsf {P}^*\) convinces to accept in this hybrid is negligibly close to that in \(\mathsf {Hyb}_0\). For this purpose, we argue that with overwhelming probability \(\mathsf {Sim}(x')\) samples an accepting transcript. This is shown based on completeness and zero knowledge of . Specifically, recall that samples \(\widetilde{x}\in \mathcal {L}_\mathsf {hard}\) and thus \(x'=(x,\widetilde{x})\in \mathcal {L}_{OR}\). By the completeness of , in an interaction between and \(\mathsf {P}'(x',w')\) where \(w' = (\bot ,\widetilde{w})\) and \(\widetilde{w}\) is a witness for \(\widetilde{x}\), the prover convince with overwhelming probability. It then follows from zero knowledge of that \(\mathsf {Sim}(x')\) also generates an accepting transcript with overwhelming probability; otherwise, we can non-uniformly fix \(\widetilde{x},\widetilde{w}\) and construct a distinguisher that violates zero knowledge.

  • \(\mathsf {Hyb}_2\): In this hybrid, the verifier does not insist that the prover \(\mathsf {P}^*\) is consistent with the simulated messages \(\widetilde{\mathsf {p}}_1,\dots ,\widetilde{\mathsf {p}}_\rho \). Instead, it emulates , and accepts if the messages sent by \(\mathsf {P}^*\) convince .

    The probability that accepts in this hybrid is at least as large as the probability it accepts in \(\mathsf {Hyb}_1\). Indeed, any execution that would have been accepted in the previous hybrid \(\mathsf {Hyb}_1\) is in particular an execution in which is convinced and thus is also accepted in the current \(\mathsf {Hyb}_2\).

  • \(\mathsf {Hyb}_3\): In this hybrid, the verifier does not check that the simulated \(\widetilde{\mathsf {p}}_1,\dots ,\widetilde{\mathsf {p}}_\rho ,\widetilde{r}\) make accept. (In particular, the simulated prover messages \(\widetilde{\mathsf {p}}_1,\dots ,\widetilde{\mathsf {p}}_\rho \) are ignored altogether, and only the simulated coins \(\widetilde{r}\) are used).

    The probability that accepts in this hybrid is at least as large as the probability it accepts in the previous hybrid, as we have only removed a verifier test.

  • \(\mathsf {Hyb}_4\): In this hybrid, instead of sampling simulated coins \(\widetilde{r}\) using \(\mathsf {Sim}'(x')\), samples truly random coins r.

    The probability that accepts in this hybrids is negligibly close to that in the previous hybrid. This follows from zero knowledge of . Indeed, since \(x'\in \mathcal {L}_{OR}\), the simulated honest verifier coins \(\widetilde{r}\) are pseudorandom.

  • \(\mathsf {Hyb}_5\): In this hybrid, samples a no-instance \(\widetilde{x} \leftarrow N_{\mathcal {L}_\mathsf {hard}}\) instead of a yes-instance. By the indistinguishability of \(Y_{\mathcal {L}_\mathsf {hard}}\) and \(N_{\mathcal {L}_\mathsf {hard}}\), the probability that \(\mathsf {P}^*\) convinces to accept in this hybrid is negligibly close to that in \(\mathsf {Hyb}_4\).

We now argue that the probability that \(\mathsf {P}^*\) convinces to accept in \(\mathsf {Hyb}_5\) is negligible. Note that in \(\mathsf {Hyb}_5\) it holds that both \(x\notin \mathcal {L}\) and \(\widetilde{x}\notin \mathcal {L}_\mathsf {hard}\) and thus \(x'=(x,\widetilde{x})\notin \mathcal {L}_{OR}\). For \(\mathsf {P}^*\) to convince of accepting in \(\mathsf {Hyb}_5\), it must convince of accepting, when uses truly random coins. By the soundness of this occurs with negligible probability. Soundness follows.    \(\square \)

Rights and permissions

Reprints and Permissions

Copyright information

© 2020 International Association for Cryptologic Research

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Bitansky, N., Choudhuri, A.R. (2020). Characterizing Deterministic-Prover Zero Knowledge. In: Pass, R., Pietrzak, K. (eds) Theory of Cryptography. TCC 2020. Lecture Notes in Computer Science(), vol 12550. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-64374-4

  • Online ISBN: 978-3-030-64375-1

  • eBook Packages: Computer ScienceComputer Science (R0)