Results 1  10
of
19
The knowledge complexity of interactive proof systems
 in Proc. 27th Annual Symposium on Foundations of Computer Science
, 1985
"... Abstract. Usually, a proof of a theorem contains more knowledge than the mere fact that the theorem is true. For instance, to prove that a graph is Hamiltonian it suffices to exhibit a Hamiltonian tour in it; however, this seems to contain more knowledge than the single bit Hamiltonian/nonHamiltoni ..."
Abstract

Cited by 1272 (42 self)
 Add to MetaCart
Abstract. Usually, a proof of a theorem contains more knowledge than the mere fact that the theorem is true. For instance, to prove that a graph is Hamiltonian it suffices to exhibit a Hamiltonian tour in it; however, this seems to contain more knowledge than the single bit Hamiltonian/nonHamiltonian. In this paper a computational complexity theory of the "knowledge " contained in a proof is developed. Zeroknowledge proofs are defined as those proofs that convey no additional knowledge other than the correctness of the proposition in question. Examples of zeroknowledge proof systems are given for the languages of quadratic residuosity and quadratic nonresiduosity. These are the first examples of zeroknowledge proofs for languages not known to be efficiently recognizable. Key words, cryptography, zero knowledge, interactive proofs, quadratic residues AMS(MOS) subject classifications. 68Q15, 94A60 1. Introduction. It is often regarded that saying a language L is in NP (that is, acceptable in nondeterministic polynomial time) is equivalent to saying that there is a polynomial time "proof system " for L. The proof system we have in mind is one where on input x, a "prover " creates a string a, and the "verifier " then computes on x and a in time polynomial in the length of the binary representation of x to check that
The NPcompleteness column: an ongoing guide
 JOURNAL OF ALGORITHMS
, 1987
"... This is the nineteenth edition of a (usually) quarterly column that covers new developments in the theory of NPcompleteness. The presentation is modeled on that used by M. R. Garey and myself in our book "Computers and Intractability: A Guide to the Theory of NPCompleteness," W. H. Freem ..."
Abstract

Cited by 243 (0 self)
 Add to MetaCart
(Show Context)
This is the nineteenth edition of a (usually) quarterly column that covers new developments in the theory of NPcompleteness. The presentation is modeled on that used by M. R. Garey and myself in our book "Computers and Intractability: A Guide to the Theory of NPCompleteness," W. H. Freeman & Co., New York, 1979 (hereinafter referred to as "[G&J]"; previous columns will be referred to by their dates). A background equivalent to that provided by [G&J] is assumed, and, when appropriate, crossreferences will be given to that book and the list of problems (NPcomplete and harder) presented there. Readers who have results they would like mentioned (NPhardness, PSPACEhardness, polynomialtimesolvability, etc.) or open problems they would like publicized, should
Definitions And Properties Of ZeroKnowledge Proof Systems
 Journal of Cryptology
, 1994
"... In this paper we investigate some properties of zeroknowledge proofs, a notion introduced by Goldwasser, Micali and Rackoff. We introduce and classify two definitions of zeroknowledge: auxiliary \Gamma input zeroknowledge and blackbox \Gamma simulation zeroknowledge. We explain why auxiliaryinp ..."
Abstract

Cited by 134 (10 self)
 Add to MetaCart
(Show Context)
In this paper we investigate some properties of zeroknowledge proofs, a notion introduced by Goldwasser, Micali and Rackoff. We introduce and classify two definitions of zeroknowledge: auxiliary \Gamma input zeroknowledge and blackbox \Gamma simulation zeroknowledge. We explain why auxiliaryinput zeroknowledge is a definition more suitable for cryptographic applications than the original [GMR1] definition. In particular, we show that any protocol solely composed of subprotocols which are auxiliaryinput zeroknowledge is itself auxiliaryinput zeroknowledge. We show that blackboxsimulation zeroknowledge implies auxiliaryinput zeroknowledge (which in turn implies the [GMR1] definition). We argue that all known zeroknowledge proofs are in fact blackboxsimulation zeroknowledge (i.e., were proved zeroknowledge using blackboxsimulation of the verifier). As a result, all known zeroknowledge proof systems are shown to be auxiliaryinput zeroknowledge and can be used for cryptographic applications such as those in [GMW2]. We demonstrate the triviality of certain classes of zeroknowledge proof systems, in the sense that only languages in BPP have zeroknowledge proofs of these classes. In particular, we show that any language having a Las Vegas zeroknowledge proof system necessarily belongs to RP . We show that randomness of both the verifier and the prover, and nontriviality of the interaction are essential properties of (nontrivial) auxiliaryinput zeroknowledge proofs.
Perfect noninteractive zero knowledge for NP
 Proceedings of Eurocrypt 2006, volume 4004 of LNCS
, 2006
"... Abstract. Noninteractive zeroknowledge (NIZK) proof systems are fundamental cryptographic primitives used in many constructions, including CCA2secure cryptosystems, digital signatures, and various cryptographic protocols. What makes them especially attractive, is that they work equally well in a ..."
Abstract

Cited by 53 (3 self)
 Add to MetaCart
(Show Context)
Abstract. Noninteractive zeroknowledge (NIZK) proof systems are fundamental cryptographic primitives used in many constructions, including CCA2secure cryptosystems, digital signatures, and various cryptographic protocols. What makes them especially attractive, is that they work equally well in a concurrent setting, which is notoriously hard for interactive zeroknowledge protocols. However, while for interactive zeroknowledge we know how to construct statistical zeroknowledge argument systems for all NP languages, for noninteractive zeroknowledge, this problem remained open since the inception of NIZK in the late 1980's. Here we resolve two problems regarding NIZK: We construct the first perfect NIZK argument system for any NP
A Complete Promise Problem for Statistical ZeroKnowledge
 In Proceedings of the 38th Annual Symposium on the Foundations of Computer Science
, 1997
"... We present a complete promise problem for SZK, the class of languages possessing statistical zeroknowledge proofs (against an honest verifier). The problem is to decide whether two efficiently samplable distributions are either statistically close or far apart. This characterizes SZK with no refer ..."
Abstract

Cited by 41 (0 self)
 Add to MetaCart
(Show Context)
We present a complete promise problem for SZK, the class of languages possessing statistical zeroknowledge proofs (against an honest verifier). The problem is to decide whether two efficiently samplable distributions are either statistically close or far apart. This characterizes SZK with no reference to interaction or zeroknowledge. From this theorem and its proof, we are able to establish several other results about SZK, knowledge complexity, and efficiently samplable distributions. 1 Introduction A revolution in theoretical computer science occurred when it was discovered that NP has complete problems [11, 24, 23]. Most often, this theorem and other completeness results are viewed as negative statements, as they provide evidence of a problem's intractability. These same results, viewed as positive statements, enable one to study an entire class of problems by focusing on a single problem. For example, all languages in NP were shown to have computational zeroknowledge proofs wh...
Perfect nizk with adaptive soundness
 In proceedings of TCC ’07, LNCS series
, 2007
"... Abstract. The notion of noninteractive zeroknowledge (NIZK) is of fundamental importance in cryptography. Despite the vast attention the concept of NIZK has attracted since its introduction, one question has remained very resistant: Is it possible to construct NIZK schemes for any NPlanguage with ..."
Abstract

Cited by 35 (0 self)
 Add to MetaCart
(Show Context)
Abstract. The notion of noninteractive zeroknowledge (NIZK) is of fundamental importance in cryptography. Despite the vast attention the concept of NIZK has attracted since its introduction, one question has remained very resistant: Is it possible to construct NIZK schemes for any NPlanguage with statistical or even perfect ZK? Groth, Ostrovsky and Sahai recently answered this question in the affirmative. However, in order to achieve adaptive soundness, i.e., soundness against dishonest provers who may choose the target statement depending on the common reference string (CRS), their schemes require some restriction to be put upon the statements to be proven, e.g. an apriori bound on its size. In this work, we first present a very simple and efficient adaptivelysound perfect NIZK argument system for any NPlanguage. Besides being the first adaptivelysound statistical NIZK argument for all NP that does not pose any restriction on the statements to be proven, it enjoys a number of additional desirable properties: it allows to reuse the CRS, it can handle arithmetic circuits, and the CRS can be setup very efficiently without the need for an honest party. We then show an application of our techniques in constructing efficient NIZK schemes for proving arithmetic relations among committed secrets, whereas previous methods required expensive generic NPreductions. The security of the proposed schemes is based on a strong nonstandard assumption, an extended version of the socalled KnowledgeofExponent Assumption (KEA) over bilinear groups. We give some justification for using such an assumption by showing that the commonlyused approach for proving NIZK arguments sound does not allow for adaptivelysound statistical NIZK arguments (unless NP ⊂ P/poly). Furthermore, we show that the assumption used in our construction holds with respect to generic adversaries that do not exploit the specific representation of the group elements. We also discuss how to avoid the nonstandard assumption in a preprocessing model.
On the Knowledge Complexity of ...
 In 37th FOCS
, 1996
"... We show that if a language has an interactive proof of logarithmic statistical knowledgecomplexity, then it belongs to the class AM \ co AM. Thus, if the polynomial time hierarchy does not collapse, then NPcomplete languages do not have logarithmic knowledge complexity. Prior to this work, ther ..."
Abstract

Cited by 27 (7 self)
 Add to MetaCart
(Show Context)
We show that if a language has an interactive proof of logarithmic statistical knowledgecomplexity, then it belongs to the class AM \ co AM. Thus, if the polynomial time hierarchy does not collapse, then NPcomplete languages do not have logarithmic knowledge complexity. Prior to this work, there was no indication that would contradict NP languages being proven with even one bit of knowledge. Our result is a common generalization of two previous results: The rst asserts that statistical zero knowledge is contained in AM \ co AM [F89, AH91], while the second asserts that the languages recognizable in logarithmic statistical knowledge complexity are in BPP NP [GOP94]. Next, we consider the relation between the error probability and the knowledge complexity of an interactive proof. Note that reducing the error probability via repetition is not free: it may increase the knowledge complexity. We show that if the negligible error probability (n) is less than 2 3k(n) (where k(n) is the knowledge complexity) then the language proven is in the third level of the polynomial time hierarchy (specically, it is in AM NP . In the standard setting of negligible error probability, there exist PSPACEcomplete languages which have sublinear knowledge complexity. However, if we insist, for example, that the error probability is less than 2 n 2 , then PSPACEcomplete languages do not have subquadratic knowledge complexity, unless PSPACE= P 3 . In order to prove our main result, we develop an AM protocol for checking that a samplable distribution D has a given entropy h. For any fractions ; , the verier runs in time polynomial in 1= and log(1=) and fails with probability at most to detect an additive error in the entropy. We believe that this ...
Sorting Out ZeroKnowledge
, 1990
"... this paper is to explain the various notions involved and to offer a new terminology that emphasizes their differences. There are two orthogonal aspects to zeroknowledge interactive proofs. One is the notion of zeroknowledge and the other is the notion of interactive proof. Unfortunately, these tw ..."
Abstract

Cited by 12 (4 self)
 Add to MetaCart
this paper is to explain the various notions involved and to offer a new terminology that emphasizes their differences. There are two orthogonal aspects to zeroknowledge interactive proofs. One is the notion of zeroknowledge and the other is the notion of interactive proof. Unfortunately, these two notions are often thought to be inseparable. This confusion is reminiscent of the long lasting confusion among many people between publickey encryption and digital signature. It is clear that interactive proofs make sense independently of zeroknowledge (after all, Babai's ArthurMerlin games [Ba] were invented independently of [GMR1]), but it is more subtle to see that a protocol could be zeroknowledge without being an interactive
Probabilistic Proof Systems  A Survey
 IN SYMPOSIUM ON THEORETICAL ASPECTS OF COMPUTER SCIENCE
, 1996
"... Various types of probabilistic proof systems have played a central role in the development of computer science in the last decade. In this exposition, we concentrate on three such proof systems  interactive proofs, zeroknowledge proofs, and probabilistic checkable proofs  stressing the essen ..."
Abstract

Cited by 5 (0 self)
 Add to MetaCart
(Show Context)
Various types of probabilistic proof systems have played a central role in the development of computer science in the last decade. In this exposition, we concentrate on three such proof systems  interactive proofs, zeroknowledge proofs, and probabilistic checkable proofs  stressing the essential role of randomness in each of them.