A perfect zero-knowledge interactive proof is a protocol by which Alice can convince Bob of the truth of some theorem in a way that yields no information as to how the proof might proceed (in the sense of Shannon's information theory). We give a general technique for achieving this goal for any problem in NP (and beyond). The fact that our protocol is perfect zero-knowledge does not depend on unproved cryptographic assumptions. Furthermore, our protocol is powerful enough to allow Alice to convince Bob of theorems for which she does not even have a proof. Whenever Alice can convince herself probabilistically of a theorem, perhaps thanks to her knowledge of some trap-door information, she can convince Bob as well, without compromising the trap-door in any way. This results in a non-transitive transfer of confidence from Alice to Bob, because Bob will not be able to convince anyone else afterwards. Our protocol is dual to those of [GrMiWi86a, BrCr86]. 1. INTRODUCTION Assume that Alice h...

A perfect zero-knowledge interactive protocol allows a prover to convince a verifier of the validity of a statement in a way that does not give the verifier any additional information [GMR,GMW]. Such protocols take place by the exchange of messages back and forth between the prover and the verifier. An important measure of efficiency for these protocols is the number of rounds in the interaction. In previously known perfect zero-knowledge protocols for statements concerning NP--complete problems [BCC], at least k rounds were necessary in order to prevent one party from having a probability of undetected cheating greater than 2 \Gammak . In this paper, we give the first perfect zero-knowledge protocol that offers arbitrarily high security for any statement in NP with a constant number of rounds. The protocol is computationally convincing (rather than statistically convincing as would have been an interactive proof--system in the sense of Goldwasser, Micali and Rackoff) because the ver...

"Zero-knowledge arguments" is a fundamental cryptographic primitive which allows one polynomial-time player to convince another polynomial-time player of the validity of an NP statement, without revealing any additional information in the information-theoretic sense. Despite their practical and theoretical importance, it was only known how to implement zero-knowledge arguments based on specific algebraic assumptions; basing them on a general complexity assumption was open since their introduction in 1986 [BCC, BC, CH]. In this paper, we finally show a general construction, which can be based on any one-way permutation. We stress that our scheme is efficient: both players can execute only polynomial-time programs during the protocol. Moreover, the security achieved is on-line: in order to cheat and validate a false theorem, the prover must break a cryptographic assumption on-line during the conversation, while the verifier can not find (ever!) any information unconditionally (in the i...

A zero-knowledge interactive proof is a protocol by which Alice can convince a polynomially-bounded Bob of the truth of some theorem without giving him any hint as to how the proof might proceed. Under cryptographic assumptions, we give a general technique for achieving this goal for any problem in NP. This extends to a presumably larger class, which combines the powers of non-determinism and randomness. Our protocol is powerful enough to allow Alice to convince Bob of theorems for which she does not even have a proof. Whenever Alice can convince herself probabilistically of a theorem, perhaps thanks to her knowledge of some trap-door information, she can convince Bob as well, without compromising the trap-door in any way. 1. INTRODUCTION The notion of zero-knowledge interactive proofs (ZKIP) introduced a few years ago by Goldwasser, Micali and Rackoff [GwMiRac85] has become a very active research area. Assume that Alice holds the proof of some theorem. A zero-knowledge interactive pr...

A perfect zero-knowledge interactive protocol allows a prover to convince a verifier of the validity of a statement in a way that does not give the verifier any additional information [GMR,GMW]. Such protocols take place by the exchange of messages back and forth between the prover and the verifier. An important measure of efficiency for these protocols is the number of rounds in the interaction. In previously known perfect zeroknowledge protocols for statements concerning NP-complete problems [BCC], at least k rounds were necessary in order to prevent one party from having a probability of undetected cheating greater than 2 -k . In this paper, we give the first perfect zero-knowledge protocol that offers arbitrarily high security for any statement in NP with a constant number of rounds (under the assumption that it is possible to find a prime p with known factorization of p -1 such that it is infeasible to compute discrete logarithms modulo p even for someone who knows the factors o...

New zero-knowledge proofs are given for some number-theoretic problems. All of the problems are in NP, but the proofs given here are much more efficient than the previously known proofs. In addition, these proofs do not require the prover to be super-polynomial in power. A probabilistic polynomial time prover with the appropriate trap-door knowledge is sufficient. The proofs are perfect or statistical zero-knowledge in all cases except one. 1 Introduction Many researchers have studied zero-knowledge proofs and the classes of problems which have such zero-knowledge proofs. Little attention, however, has been paid to the practicality of these proofs. It is known, for example, that, under certain cryptographic assumptions, all problems in NP have zero-knowledge proofs [19], [8], [10]. Although these proofs can be performed with probabilistic polynomial time provers who have the appropriate trapdoor information, these proofs may involve a transformation to a circuit or to an NP-complete p...

Oded Goldreich Dept. of Computer Sc.

This paper addresses the problem of defining and providing proofs of knowledge for a general class of exponentiation-based formulae.

We improve on the communication complexity of zero-knowledge proof systems. Let C be a boolean circuit of size n. Previous zero-knowledge proof systems for the satisfiability of C require the use of \Omega\Gamma kn) bit commitments in order to achieve a probability of undetected cheating below 2 \Gammak . In the case k = n, the communication complexity of these protocols is therefore\Omega\Gamma n 2 ) bit commitments. In this paper, we present a zero-knowledge proof system for achieving the same goal with only O(n 1+"n + k p n 1+"n ) bit commitments, where " n goes to zero as n goes to infinity. In the case k = n, this is O(n p n 1+"n ). Moreover, only O(k) commitments need ever be opened, which is interesting if it is substantially less expensive to commit to a bit than to open a commitment. A preliminary version of this paper appeared in the Proceedings of the 32nd Annual IEEE Symposium on Foundations of Computer Science, October 1991. y Supported in part by NSA Gr...

) David Chaum 1 Amos Fiat 2 Moni Naor 3 1 Center for Mathematics and Computer Science Kruislaan 413, 1098 SJ Amsterdam, The Netherlands 2 Tel-Aviv University Tel-Aviv, Israel 3 IBM Almaden Research Center 650 Harry Road, San Jose, CA 95120 Introduction The use of credit cards today is an act of faith on the part of all concerned. Each party is vulnerable to fraud by the others, and the cardholder in particular has no protection against surveillance. Paper cash is considered to have a significant advantage over credit cards with respect to privacy, although the serial numbers on cash make it traceable in principle. Chaum has introduced unconditionally untraceable electronic money([C85] and [C88]). But what is to prevent anyone from making several copies of an electronic coin and using them at different shops? On-line clearing is one possible solution though a rather expensive y Work done while the second and third authors were at the University of California at Berkele...