Abstract

Abstract. The concept of proofs-of-knowledge, introduced in the seminal paper of Goldwasser, Micali and Rackoff, plays a central role in various cryptographic applications. An adequate formulation, which enables modular applications of proofs of knowledge inside other protocols, was presented by Bellare and Goldreich. However, this formulation depends in an essential way on the notion of expected (rather than worst-case) running-time. Here we present a seemingly more restricted notion that maintains the main feature of the prior definition while referring only to machines that run in strict probabilistic polynomial-time (rather than to expected polynomial-time). Keywords: Proof of Knowledge, Zero-Knowledge This work was completed in May 1998, and was integrated in the author’s work Foundation of Cryptography as [7, Sec. 4.7.6]. The current revision is intentionally minimal. 1

Citations