Non-Trivial Zero-Knowledge Implies One-Way Functions

TL;DR

This paper shows that non-trivial zero-knowledge protocols, even with high error rates, imply the existence of one-way functions, advancing the understanding of the connection between zero-knowledge and cryptographic primitives.

Contribution

It characterizes one-way functions from the worst-case complexity of high-error zero-knowledge protocols, extending previous results to broader error regimes and interactive settings.

Findings

Non-trivial NIZK implies OWFs under standard assumptions.

Generalization to interactive zero-knowledge arguments with constant rounds.

Closes the gap in error regimes where previous results did not apply.

Abstract

A recent breakthrough [Hirahara and Nanashima, STOC'2024] established that if $\mathsf{NP} \not \subseteq \mathsf{ioP/poly}$, the existence of zero-knowledge with negligible errors for $\mathsf{NP}$ implies the existence of one-way functions (OWFs). In this work, we obtain a characterization of one-way functions from the worst-case complexity of zero-knowledge {\em in the high-error regime}. We say that a zero-knowledge argument is {\em non-trivial} if the sum of its completeness, soundness and zero-knowledge errors is bounded away from $1$. Our results are as follows, assuming $\mathsf{NP} \not \subseteq \mathsf{ioP/poly}$: 1. {\em Non-trivial} Non-Interactive ZK (NIZK) arguments for $\mathsf{NP}$ imply the existence of OWFs. Using known amplification techniques, this result also provides an unconditional transformation from weak to standard NIZK proofs for all meaningful error parameters. 2. We also generalize to the interactive setting: {\em Non-trivial} constant-round public-coin zero-knowledge arguments for $\mathsf{NP}$ imply the existence of OWFs, and therefore also (standard) four-message zero-knowledge arguments for $\mathsf{NP}$. Prior to this work, one-way functions could be obtained from NIZKs that had constant zero-knowledge error $\epsilon_{zk}$ and soundness error $\epsilon_{s}$ satisfying $\epsilon_{zk} + \sqrt{\epsilon_{s}} < 1$ [Chakraborty, Hulett and Khurana, CRYPTO'2025]. However, the regime where $\epsilon_{zk} + \sqrt{\epsilon_{s}} \geq 1$ remained open. This work closes the gap, and obtains new implications in the interactive setting. Our results and techniques could be useful stepping stones in the quest to construct one-way functions from worst-case hardness.