Suppose we are given a proof of knowledge P in which a prover demonstrates that he knows a solution to a given problem instance. Suppose also that we have a secret sharing scheme S on n participants. Then under certain assumptions on P and S, we show how to transform P into a witness indistinguishable protocol, in which the prover demonstrates knowledge of the solution to a subset of n problem instances corresponding to a qualified set of participants. For example, using a threshold scheme, the prover can show that he knows at least d out of n solutions without revealing which d instances are involved. If the instances are independently generated, this can lead to witness hiding protocols, even if P did not have this property. Our transformation produces a protocol with the same number of rounds as P and communication complexity n times that of P. Our results use no unproven complexity assumptions.

We initiate the investigation of the class of relations that admit extremely efficient perfect zero knowledge proofs of knowledge: constant number of rounds, communication linear in the length of the statement and the witness, and negligible knowledge error. In its most general incarnation, our result says that for relations that have a particular three-move honest-verifier zero-knowledge (HVZK) proof of knowledge, and which admit a particular three-move HVZK proof of knowledge for an associated commitment relation, perfect zero knowledge (against a general verifier) can be achieved essentially for free, even when proving statements on several instances combined under under monotone function composition. In addition, perfect zero-knowledge is achieved with an optimal 4-moves. Instantiations of our main protocol lead to efficient perfect ZK proofs of knowledge of discrete logarithms and RSA-roots, or more generally, q-one-way group homomorphisms. None of our results rely...

The model of Non-Interactive Zero-Knowledge allows to obtain minimal interaction between prover and verifier in a zero-knowledge proof if a public random string is available to both parties. In this paper we investigate upper bounds for the length of the random string for proving one and many statements, obtaining the following results: -- We show how to prove in non-interactive perfect zero-knowledge any polynomial number of statements using a random string of fixed length, that is, not depending on the number of statements. Previously, such a result was known only in th...

We show how to construct a "zero-knowledge proof" that a circuit of size m is satisfiable. The proof is a string of length O(m lg m) which is constructed (and can be verified) using a trusted random string of length O(m lg m). The probability of failure or of cheating is exponentially small in a security parameter which is defined independently Supported in part by NSF Grant CCR-9207204. of the circuit size. Our methods assume that a Quadratic Residuosity Bit Commitment Scheme is available as a primitive and does not consider the cost of establishing this scheme, only the cost of using it. Thus, these "proofs" are essentially non-interactive zero-knowledge proofs, with a couple of changes to the standard definition, though they can easily be modified to fit the standard definition. The techniques used yield more efficient "proofs" than those previously known. 1 Introduction A non-interactive zero-knowledge proof system is a protocol that allows a prover to convince a verifier tha...

1.4 Simple XOR