## Strong Proofs of Knowledge

### Cached

### Download Links

### BibTeX

@MISC{Goldreich_strongproofs,

author = {Oded Goldreich},

title = {Strong Proofs of Knowledge},

year = {}

}

### OpenURL

### Abstract

Abstract. The concept of proofs-of-knowledge, introduced in the seminal paper of Goldwasser, Micali and Rackoff, plays a central role in various cryptographic applications. An adequate formulation, which enables modular applications of proofs of knowledge inside other protocols, was presented by Bellare and Goldreich. However, this formulation depends in an essential way on the notion of expected (rather than worst-case) running-time. Here we present a seemingly more restricted notion that maintains the main feature of the prior definition while referring only to machines that run in strict probabilistic polynomial-time (rather than to expected polynomial-time). Keywords: Proof of Knowledge, Zero-Knowledge This work was completed in May 1998, and was integrated in the author’s work Foundation of Cryptography as [7, Sec. 4.7.6]. The current revision is intentionally minimal. 1

### Citations

1032 | The Knowledge Complexity of Interactive Proof Systems
- Goldwasser, Micali, et al.
- 1989
(Show Context)
Citation Context ...n of Cryptography as [7, Sec. 4.7.6]. The current revision is intentionally minimal. 1 Introduction The reader is referred to [3] for a discussion of the intuitive notion of a proof-ofknowledge (cf., =-=[11]-=-), and the previous attempts to define it [4, 13], cumlinating in the definition presented in [3]. We also assume that the reader is familiar with the definition given in [3]. The definition given in ... |

374 | Proofs that Yield Nothing But Their Validity or All Languages in NP Have Zero-Knowledge Proof Systems - Goldreich, Micali, et al. - 1991 |

310 |
Zero Knowledge Proofs of Identity
- Feige, Fiat, et al.
- 1987
(Show Context)
Citation Context ...ent revision is intentionally minimal. 1 Introduction The reader is referred to [3] for a discussion of the intuitive notion of a proof-ofknowledge (cf., [11]), and the previous attempts to define it =-=[4, 13]-=-, cumlinating in the definition presented in [3]. We also assume that the reader is familiar with the definition given in [3]. The definition given in [3] relies in a fundamental way on the notion of ... |

271 | Foundations of Cryptography: Basic Tools - Goldreich - 2001 |

139 | On Defining Proofs of Knowledge
- Bellare, Goldreich
- 1992
(Show Context)
Citation Context ...s completed in May 1998, and was integrated in the author’s work Foundation of Cryptography as [7, Sec. 4.7.6]. The current revision is intentionally minimal. 1 Introduction The reader is referred to =-=[3]-=- for a discussion of the intuitive notion of a proof-ofknowledge (cf., [11]), and the previous attempts to define it [4, 13], cumlinating in the definition presented in [3]. We also assume that the re... |

111 | Foundations of Cryptography: Basic Applications, volume 2 - Goldreich - 2004 |

102 | Zero-Knowledge Proofs of Knowledge in Two Rounds - Feige, Shamir - 1989 |

75 |
Random self-reducibility and zero knowledge interactive proofs of possession of information
- Tompa, Woll
- 1987
(Show Context)
Citation Context ...ent revision is intentionally minimal. 1 Introduction The reader is referred to [3] for a discussion of the intuitive notion of a proof-ofknowledge (cf., [11]), and the previous attempts to define it =-=[4, 13]-=-, cumlinating in the definition presented in [3]. We also assume that the reader is familiar with the definition given in [3]. The definition given in [3] relies in a fundamental way on the notion of ... |

43 | Strict Polynomial-time in Simulation and Extraction
- Barak, Lindell
(Show Context)
Citation Context ...ve machine P such that for every (x, y) ∈ R all possible interactions of V with P on common-input x and auxiliary-input y are accepting. – Strong Validity: There exists a negligible function µ : N ↦→ =-=[0, 1]-=- and a probabilistic (strict) polynomial-time oracle machine K such that for every strategy P and every x, y, r ∈ {0, 1} ∗ , machine K satisfies the following condition: Let Px,y,r be a prover strateg... |

32 | Lower bounds for non-black-box zero knowledge
- Barak, Lindell, et al.
- 2003
(Show Context)
Citation Context ...the original text. Regarding our conjecture that there exist proofs-of-knowledge that are not strong proofs-of-knowledge, partial evidence is provided by subsequent work of Barak, Lindell, and Vadhan =-=[1, 2]-=-. Both work refer to constant-round zeroknowledge protocols (for sets outside BPP), and the seperation relies on the existence of such protocols (under standard computational assumptions) that are (or... |

9 |
On expected probabilistic polynomial-time adversaries: A suggestion for restricted definitions and their benefits
- Goldreich
(Show Context)
Citation Context ...h more convinient to work (i.e., to compose) strict polynomial-time computations rather than expected polynomial-time ones. (For further discussion of this issue, the interested reader is directed to =-=[9]-=-.)14 Unfortunately, there seems to be a loss in going from ordinary proofs of knowledge to strong ones: Not all proofs of knowledge are known to be strong proofs of knowledge. Furthermore, we conject... |

8 |
Secure Multi-Party Computation. Unpublished manuscript
- Goldreich
- 1998
(Show Context)
Citation Context ...efinition given in [3]. The definition given in [3] relies in a fundamental way on the notion of expected running-time. Throughout the years we remained bothered by this feature, and while working on =-=[6]-=- we decided to look for an alternative. Specifically, we present a more stringent definition in which the knowledge extractor is required to run in strict polynomial-time (rather than in expected poly... |

2 | Constant round zero knowledge proofs of knowledge. 2010. http: //eprint.iacr.org/2010/487.pdf - Lindell |