Results 1  10
of
17
NonTransitive Transfer of Confidence: A Perfect ZeroKnowledge Interactive Protocol for SAT and Beyond
, 1986
"... A perfect zeroknowledge interactive proof is a protocol by which Alice can convince Bob of the truth of some theorem in a way that yields no information as to how the proof might proceed (in the sense of Shannon's information theory). We give a general technique for achieving this goal for any prob ..."
Abstract

Cited by 56 (5 self)
 Add to MetaCart
A perfect zeroknowledge interactive proof is a protocol by which Alice can convince Bob of the truth of some theorem in a way that yields no information as to how the proof might proceed (in the sense of Shannon's information theory). We give a general technique for achieving this goal for any problem in NP (and beyond). The fact that our protocol is perfect zeroknowledge does not depend on unproved cryptographic assumptions. Furthermore, our protocol is powerful enough to allow Alice to convince Bob of theorems for which she does not even have a proof. Whenever Alice can convince herself probabilistically of a theorem, perhaps thanks to her knowledge of some trapdoor information, she can convince Bob as well, without compromising the trapdoor in any way. This results in a nontransitive transfer of confidence from Alice to Bob, because Bob will not be able to convince anyone else afterwards. Our protocol is dual to those of [GrMiWi86a, BrCr86]. 1. INTRODUCTION Assume that Alice h...
ConstantRound Perfect ZeroKnowledge Computationally Convincing Protocols
, 1991
"... A perfect zeroknowledge interactive protocol allows a prover to convince a verifier of the validity of a statement in a way that does not give the verifier any additional information [GMR,GMW]. Such protocols take place by the exchange of messages back and forth between the prover and the verifier. ..."
Abstract

Cited by 45 (5 self)
 Add to MetaCart
A perfect zeroknowledge interactive protocol allows a prover to convince a verifier of the validity of a statement in a way that does not give the verifier any additional information [GMR,GMW]. Such protocols take place by the exchange of messages back and forth between the prover and the verifier. An important measure of efficiency for these protocols is the number of rounds in the interaction. In previously known perfect zeroknowledge protocols for statements concerning NPcomplete problems [BCC], at least k rounds were necessary in order to prevent one party from having a probability of undetected cheating greater than 2 \Gammak . In this paper, we give the first perfect zeroknowledge protocol that offers arbitrarily high security for any statement in NP with a constant number of rounds. The protocol is computationally convincing (rather than statistically convincing as would have been an interactive proofsystem in the sense of Goldwasser, Micali and Rackoff) because the ver...
Perfect ZeroKnowledge Arguments for NP Can Be Based on General Complexity Assumptions (Extended Abstract)
 JOURNAL OF CRYPTOLOGY
, 1998
"... "Zeroknowledge arguments" is a fundamental cryptographic primitive which allows one polynomialtime player to convince another polynomialtime player of the validity of an NP statement, without revealing any additional information in the informationtheoretic sense. Despite their practical and th ..."
Abstract

Cited by 41 (11 self)
 Add to MetaCart
"Zeroknowledge arguments" is a fundamental cryptographic primitive which allows one polynomialtime player to convince another polynomialtime player of the validity of an NP statement, without revealing any additional information in the informationtheoretic sense. Despite their practical and theoretical importance, it was only known how to implement zeroknowledge arguments based on specific algebraic assumptions; basing them on a general complexity assumption was open since their introduction in 1986 [BCC, BC, CH]. In this paper, we finally show a general construction, which can be based on any oneway permutation. We stress that our scheme is efficient: both players can execute only polynomialtime programs during the protocol. Moreover, the security achieved is online: in order to cheat and validate a false theorem, the prover must break a cryptographic assumption online during the conversation, while the verifier can not find (ever!) any information unconditionally (in the i...
ZeroKnowledge Simulation of Boolean Circuits
, 1987
"... A zeroknowledge interactive proof is a protocol by which Alice can convince a polynomiallybounded Bob of the truth of some theorem without giving him any hint as to how the proof might proceed. Under cryptographic assumptions, we give a general technique for achieving this goal for any problem in ..."
Abstract

Cited by 37 (7 self)
 Add to MetaCart
A zeroknowledge interactive proof is a protocol by which Alice can convince a polynomiallybounded Bob of the truth of some theorem without giving him any hint as to how the proof might proceed. Under cryptographic assumptions, we give a general technique for achieving this goal for any problem in NP. This extends to a presumably larger class, which combines the powers of nondeterminism and randomness. Our protocol is powerful enough to allow Alice to convince Bob of theorems for which she does not even have a proof. Whenever Alice can convince herself probabilistically of a theorem, perhaps thanks to her knowledge of some trapdoor information, she can convince Bob as well, without compromising the trapdoor in any way. 1. INTRODUCTION The notion of zeroknowledge interactive proofs (ZKIP) introduced a few years ago by Goldwasser, Micali and Rackoff [GwMiRac85] has become a very active research area. Assume that Alice holds the proof of some theorem. A zeroknowledge interactive pr...
Everything in NP can be argued in perfect zeroknowledge in a bounded number of rounds
, 1989
"... A perfect zeroknowledge interactive protocol allows a prover to convince a verifier of the validity of a statement in a way that does not give the verifier any additional information [GMR,GMW]. Such protocols take place by the exchange of messages back and forth between the prover and the verifier. ..."
Abstract

Cited by 34 (5 self)
 Add to MetaCart
A perfect zeroknowledge interactive protocol allows a prover to convince a verifier of the validity of a statement in a way that does not give the verifier any additional information [GMR,GMW]. Such protocols take place by the exchange of messages back and forth between the prover and the verifier. An important measure of efficiency for these protocols is the number of rounds in the interaction. In previously known perfect zeroknowledge protocols for statements concerning NPcomplete problems [BCC], at least k rounds were necessary in order to prevent one party from having a probability of undetected cheating greater than 2 k . In this paper, we give the first perfect zeroknowledge protocol that offers arbitrarily high security for any statement in NP with a constant number of rounds (under the assumption that it is possible to find a prime p with known factorization of p 1 such that it is infeasible to compute discrete logarithms modulo p even for someone who knows the factors o...
Practical ZeroKnowledge Proofs: Giving Hints and Using Deficiencies
 JOURNAL OF CRYPTOLOGY
, 1994
"... New zeroknowledge proofs are given for some numbertheoretic problems. All of the problems are in NP, but the proofs given here are much more efficient than the previously known proofs. In addition, these proofs do not require the prover to be superpolynomial in power. A probabilistic polynomial t ..."
Abstract

Cited by 32 (0 self)
 Add to MetaCart
New zeroknowledge proofs are given for some numbertheoretic problems. All of the problems are in NP, but the proofs given here are much more efficient than the previously known proofs. In addition, these proofs do not require the prover to be superpolynomial in power. A probabilistic polynomial time prover with the appropriate trapdoor knowledge is sufficient. The proofs are perfect or statistical zeroknowledge in all cases except one.
How to Prove All NP Statements in ZeroKnowledge and a Methodology of Cryptographic Protocol Design (Extended Abstract)
 PROC. OF CRYPTO 1986, THE 6TH ANN. INTL. CRYPTOLOGY CONF., VOLUME 263 OF LECTURE NOTES IN COMPUTER SCIENCE
, 1998
"... ..."
Proofs of Knowledge for NonMonotone DiscreteLog Formulae and Applications
 Information Security (ISC 2002), volume 2433 of LNCS
, 2002
"... This paper addresses the problem of defining and providing proofs of knowledge for a general class of exponentiationbased formulae. ..."
Abstract

Cited by 14 (0 self)
 Add to MetaCart
This paper addresses the problem of defining and providing proofs of knowledge for a general class of exponentiationbased formulae.
Subquadratic ZeroKnowledge
, 1995
"... We improve on the communication complexity of zeroknowledge proof systems. Let C be a boolean circuit of size n. Previous zeroknowledge proof systems for the satisfiability of C require the use of \Omega\Gamma kn) bit commitments in order to achieve a probability of undetected cheating below 2 \G ..."
Abstract

Cited by 13 (3 self)
 Add to MetaCart
We improve on the communication complexity of zeroknowledge proof systems. Let C be a boolean circuit of size n. Previous zeroknowledge proof systems for the satisfiability of C require the use of \Omega\Gamma kn) bit commitments in order to achieve a probability of undetected cheating below 2 \Gammak . In the case k = n, the communication complexity of these protocols is therefore\Omega\Gamma n 2 ) bit commitments. In this paper, we present a zeroknowledge proof system for achieving the same goal with only O(n 1+"n + k p n 1+"n ) bit commitments, where " n goes to zero as n goes to infinity. In the case k = n, this is O(n p n 1+"n ). Moreover, only O(k) commitments need ever be opened, which is interesting if it is substantially less expensive to commit to a bit than to open a commitment. A preliminary version of this paper appeared in the Proceedings of the 32nd Annual IEEE Symposium on Foundations of Computer Science, October 1991. y Supported in part by NSA Gr...
Sorting Out ZeroKnowledge
, 1990
"... this paper is to explain the various notions involved and to offer a new terminology that emphasizes their differences. There are two orthogonal aspects to zeroknowledge interactive proofs. One is the notion of zeroknowledge and the other is the notion of interactive proof. Unfortunately, these tw ..."
Abstract

Cited by 12 (4 self)
 Add to MetaCart
this paper is to explain the various notions involved and to offer a new terminology that emphasizes their differences. There are two orthogonal aspects to zeroknowledge interactive proofs. One is the notion of zeroknowledge and the other is the notion of interactive proof. Unfortunately, these two notions are often thought to be inseparable. This confusion is reminiscent of the long lasting confusion among many people between publickey encryption and digital signature. It is clear that interactive proofs make sense independently of zeroknowledge (after all, Babai's ArthurMerlin games [Ba] were invented independently of [GMR1]), but it is more subtle to see that a protocol could be zeroknowledge without being an interactive