Non-Trivial Zero-Knowledge Implies One-Way Functions

A recent breakthrough [Hirahara and Nanashima, STOC'2024] established that if $\mathsf{NP} \not \subseteq \mathsf{ioP/poly}$, the existence of zero-knowledge with negligible errors for $\mathsf{NP}$ implies the existence of one-way functions (OWFs). In this work, we obtain a characterization of one-way functions from the worst-case complexity of zero-knowledge {\em in the high-error regime}. We say that a zero-knowledge argument is {\em non-trivial} if the sum of its completeness, soundness and zero-knowledge errors is bounded away from $1$. Our results are as follows, assuming $\mathsf{NP} \not \subseteq \mathsf{ioP/poly}$: 1. {\em Non-trivial} Non-Interactive ZK (NIZK) arguments for $\mathsf{NP}$ imply the existence of OWFs. Using known amplification techniques, this result also provides an unconditional transformation from weak to standard NIZK proofs for all meaningful error parameters. 2. We also generalize to the interactive setting: {\em Non-trivial} constant-round public-coin zero-knowledge arguments for $\mathsf{NP}$ imply the existence of OWFs, and therefore also (standard) four-message zero-knowledge arguments for $\mathsf{NP}$. Prior to this work, one-way functions could be obtained from NIZKs that had constant zero-knowledge error $ε_{zk}$ and soundness error $ε_{s}$ satisfying $ε_{zk} + \sqrt{ε_{s}} < 1$ [Chakraborty, Hulett and Khurana, CRYPTO'2025]. However, the regime where $ε_{zk} + \sqrt{ε_{s}} \geq 1$ remained open. This work closes the gap, and obtains new implications in the interactive setting. Our results and techniques could be useful stepping stones in the quest to construct one-way functions from worst-case hardness.

💡 Research Summary

The paper addresses a fundamental question in cryptographic complexity: does the mere existence of “non‑trivial’’ zero‑knowledge (ZK) proofs—i.e., proofs whose completeness, soundness, and zero‑knowledge errors sum to a value bounded away from 1—already imply the existence of one‑way functions (OWFs)? Under the mild worst‑case hardness assumption that NP ⊄ ioP/poly, the authors answer affirmatively for both non‑interactive (NIZK) and interactive, constant‑round public‑coin ZK arguments.

Key definitions and assumptions

• A ZK argument is called non‑trivial if ε_c + ε_s + ε_zk ≤ 1 − 1/p(n) for some polynomial p, where ε_c, ε_s, ε_zk denote completeness, soundness, and zero‑knowledge errors respectively.
• The central complexity assumption is that NP is not contained infinitely often in P/poly (NP ⊄ ioP/poly). This is a standard worst‑case hardness hypothesis, weaker than average‑case hardness.

Main results

1. Non‑interactive case: If there exists a non‑trivial NIZK argument for any NP language, then OWFs exist. This improves over prior work (OW93, CHK25) which required stronger error constraints such as ε_s + 2ε_zk < 1 or ε_zk + 2√ε_s < 1.
2. Interactive public‑coin case: If there exists a non‑trivial constant‑round public‑coin ZK argument for NP, then OWFs exist. Moreover, the same conclusion holds for private‑coin protocols unless auxiliary‑input OWFs already exist; the authors show how to convert any constant‑round private‑coin protocol into a public‑coin one under the same assumption.
3. Amplification: The construction yields an unconditional transformation from weak (high‑error) NIZK proofs to standard NIZK proofs (with negligible errors) for all meaningful error parameters, without invoking any additional cryptographic primitives such as public‑key encryption.

Technical overview
The classic reductions of Ostrovsky‑Wigderson (1993) and Chakraborty‑Hulett‑Khurana (2025) rely on two complexity‑theoretic tools: Universal Extrapolation (UE) and Universal Approximation (UA). Both are known to be possible iff OWFs do not exist. Those works build a decision algorithm A that, using a simulated CRS and a real CRS, distinguishes language membership based on the acceptance probabilities of the verifier. Their analyses require that the error terms satisfy inequalities like ε_s + 2ε_zk < 1 or ε_zk + 2√ε_s < 1; otherwise, counter‑examples show that A gains no advantage.

The present paper circumvents these limitations by repetition and filtering rather than relying on UE/UA. The authors run the given ZK protocol independently k times, collect the k CRS‑proof pairs, and apply a majority‑vote or threshold filter to decide acceptance. Because each execution is independent, the overall soundness error becomes ε_s^k and the overall zero‑knowledge error becomes (1 − ε_zk)^k (or similar exponential decay). By choosing k large enough (polynomial in the security parameter), the combined error can be made arbitrarily small while still preserving the non‑triviality condition ε_c + ε_s + ε_zk < 1. Crucially, this method does not need UE or UA; it only uses basic probabilistic amplification, which is unconditional.

For interactive protocols, the authors first public‑coinify any private‑coin protocol using a standard transformation that replaces private randomness with a public seed (e.g., via a commitment to the seed). They then apply the same repetition‑filtering technique across the rounds. The analysis shows that, as long as the original protocol is non‑trivial, the amplified protocol achieves negligible errors, and the decision algorithm constructed from it can be turned into an OWF via the classic “hard language” argument: if OWFs did not exist, the amplified protocol would give a polynomial‑time algorithm that decides a language outside ioP/poly, contradicting the assumption.

Implications for amplification
Prior amplification results for NIZK (e.g., GJS19, BG24, AK25) required additional assumptions such as the existence of public‑key encryption or already‑existing OWFs. By showing that any non‑trivial NIZK already yields an OWF, the authors can invoke those amplification theorems unconditionally: the newly constructed OWF serves as the missing primitive, allowing the conversion of weak NIZK into standard NIZK. This yields a clean, assumption‑free pipeline:
non‑trivial NIZK → OWF (by this paper) → standard NIZK (by BG24/AK25).

Broader significance
The work dramatically lowers the bar for cryptographic primitives needed to obtain zero‑knowledge proofs for NP. It demonstrates that even “high‑error” ZK systems—potentially much easier to design—are already powerful enough to imply the existence of one‑way functions, a cornerstone of modern cryptography. Consequently, researchers can focus on constructing simple, high‑error ZK protocols without worrying about missing a fundamental hardness assumption; the paper guarantees that such constructions automatically give rise to OWFs.

Limitations and open questions

• The repetition technique inflates communication and round complexity; optimizing the trade‑off between error reduction and efficiency remains an open problem.
• The conversion from private‑coin to public‑coin protocols still assumes the non‑existence of auxiliary‑input OWFs; eliminating this residual assumption would further strengthen the result.
• Extending the analysis to statistical zero‑knowledge (rather than computational) or to settings with adaptive adversaries could be interesting future directions.

In summary, the paper provides a comprehensive and technically robust answer to the question of whether non‑trivial zero‑knowledge proofs imply one‑way functions. By introducing a simple yet powerful repetition‑based amplification framework, it closes the previously open error regime (ε_s + ε_zk < 1) and yields unconditional transformations from weak to standard zero‑knowledge, thereby deepening our understanding of the minimal complexity assumptions underlying cryptographic primitives.