## Minimum Resource Zero-Knowledge Proofs (1989)

### Cached

### Download Links

Venue: | In 30th Annual Symposium on Foundations of Computer Science |

Citations: | 27 - 3 self |

### BibTeX

@INPROCEEDINGS{Kilian89minimumresource,

author = {Joe Kilian and Silvio Micali and Rafail Ostrovsky},

title = {Minimum Resource Zero-Knowledge Proofs},

booktitle = {In 30th Annual Symposium on Foundations of Computer Science},

year = {1989},

pages = {474--479},

publisher = {IEEE}

}

### Years of Citing Articles

### OpenURL

### Abstract

) Joe Kilian Silvio Micali y Rafail Ostrovsky z Abstract We consider several resources relating to zero-knowledge protocols: The number of envelopes used in the protocol, the number of oblivious transfers protocols executed during the protocol, and the total amount of communication required by the protocol. We show that after a pre-processing stage consisting of O(k) executions of Oblivious Transfer, any polynomial number of NP-theorems of any poly-size can be proved non-interactively and in zero-knowledge, based on the existence of any one-way function, so that the probability of accepting a false theorem is less then 1 2 k . 1 Minimizing Envelopes 1.1 Envelopes as a resource. [GMR] puts forward the somewhat paradoxical notion of a zero-knowledge proof, and exemplifies it for a few special classes of assertions. The introduction of ideal commitment mechanisms, known as envelopes, allows us to achieve greater generality. Proofs of any NP statements can be accomplished in perfe...

### Citations

717 | A Pseudorandom Generator from any One-way Function. SICOMP
- Hastad, Impagliazzo, et al.
- 1999
(Show Context)
Citation Context ...now show how to make do with small random strings, assuming the existence of cryptographically secure bit generators (CSBG) [BM,Y]. This assumption is equivalent to the existence of one-way functions =-=[ILL]-=-. Instead of making our one-time pads truly random, we use the output of a CSBG, G. Given an n-bit input,ss, G(s) produces an infinite sequence, g s 1 ; g s 2 ; : : : ; that is indistinguishable from ... |

598 | How to generate cryptographically strong sequences of pseudo-random bits. Sicomp - Blum, Micali - 1984 |

509 | Theory and applications of trapdoor functions - Yao - 1982 |

470 | A randomized protocol for signing contracts
- Even, Goldreich, et al.
- 1985
(Show Context)
Citation Context ...ivalance between the bitwise and the stringwise versions of various forms of oblivious transfer are established in [BCR] and [C]. Here we use a more powerful notion of an OT, known as 1--2 OT, due to =-=[EGL]-=-. 1--2 OT is a protocol for two players, called, respectively S (for Sender) and R (for Receiver). S has two secret strings m 0 and m 1 . R secretly decides on a bit i, which indicates which strings (... |

299 |
How to Exchange Secrets by Oblivious Transfer
- Rabin
- 1981
(Show Context)
Citation Context ...raph Hamiltonicity. Later, [BCC] and [IY] developed efficient simple subset revealing protocols for the circuit satisfiability problem. OT, 1--2 OT, and 2--3 OT. The notion of an OT was introduced in =-=[R]-=-, where it was implemented, based on the difficulty of factoring integers, so to handle moderatly cheating parties. This protocol was strenghened by [FiMiRa] to handle totally cheating parties. In thi... |

116 |
How to Prove a Theorem so No One Else Can Claim It
- Blum
- 1986
(Show Context)
Citation Context ...y are committed individually. 2. The verifier makes a query, q. 3. Based on q and B, the prover computes a set I ` [1; n]. The prover reveals I along with b i , for all i 2 I. The protocols of [GMW], =-=[B]-=-, [BCC], [IY], and [S], among others fall into this class of protocols. The two key operations in a subset revealing protocol are committing a set of bits and revealing an arbitrary subset of these bi... |

102 | Non-interactive Oblivious Transfer and Applications - Bellare, Micali - 1989 |

56 | Non-interactive zero-knowledge proof systems - Santis, Micali, et al. |

41 |
Direct minimum-knowledge computations
- Yung, Impagliazzo
- 1988
(Show Context)
Citation Context ...ted individually. 2. The verifier makes a query, q. 3. Based on q and B, the prover computes a set I ` [1; n]. The prover reveals I along with b i , for all i 2 I. The protocols of [GMW], [B], [BCC], =-=[IY]-=-, and [S], among others fall into this class of protocols. The two key operations in a subset revealing protocol are committing a set of bits and revealing an arbitrary subset of these bits. We now sh... |

25 |
Proofs that Yield Nothing but their Validity
- Goldreich, Micali, et al.
- 1991
(Show Context)
Citation Context ...of ideal commitment mechanisms, known as envelopes, allows us to achieve greater generality. Proofs of any NP statements can be accomplished in perfect zeroknowledge, given the existence of envelopes =-=[GMW]-=-. MIT, partially supported by NSF 865727-CCR and ARO DALL03-86-K-017. y MIT, supported in part by NSF grant DCR-84-13577. z Boston University, supported in part by NSF grant DCR86 -07492. An envelope ... |

24 |
The knowledge complexity ofinteractive proofs
- Goldwasser, Micali, et al.
- 1989
(Show Context)
Citation Context ...ly and in zero-knowledge, based on the existence of any one-way function, so that the probability of accepting a false theorem is less then 1 2 k . 1 Minimizing Envelopes 1.1 Envelopes as a resource. =-=[GMR]-=- puts forward the somewhat paradoxical notion of a zero-knowledge proof, and exempli es it for a few special classes of assertions. The introduction of ideal commitment mechanisms, known as envelopes,... |

14 | A.: The Discrete Log is Very Discreet - Schrift, Shamir - 1990 |

8 | Three Applications of the Oblivious Transfer - Blum - 1981 |

5 | A Completeness Theorem for Protocols with Honest Majority," STOC 87 - Goldreich, Micali, et al. |

4 |
Information Theoritic Reductions Among Disclosure Problems
- Brassard, Cr'epeau, et al.
- 1986
(Show Context)
Citation Context ...aper, we consider oblivious transfers on strings, rather than on single bits. The equivalance between the bitwise and the stringwise versions of various forms of oblivious transfer are established in =-=[BCR]-=- and [C]. Here we use a more powerful notion of an OT, known as 1--2 OT, due to [EGL]. 1--2 OT is a protocol for two players, called, respectively S (for Sender) and R (for Receiver). S has two secret... |

4 |
On The Power of Oblivious Transfer
- Kilian
- 1988
(Show Context)
Citation Context ...olely on the probability of error. After only O(k) transfers, the verifier will catch the prover with probability 1 \Gamma 1=2 k if he attempts to prove a false statement. This improves the result of =-=[K]-=-, in which the number of oblivious transfers grows polynomially with the size of the theorem as well as with the probability of error. 3.3 Using pseudorandom generators to shorten the preprocessing ph... |

3 |
Non-interactive zero-knowledge proofs and their applications
- Blum, Feldman, et al.
- 1988
(Show Context)
Citation Context ... assumption of oblivious transfer (which is implemented using trapdoor permutations [GMW1]). The results of Section 3 should also be contrasted with the common random string model, first put forth in =-=[BFM]-=- (see also [DMP2]). In the common random string model, the prover and the verifier are assumed to both have access to the same sequence of fair coin tosses (a common random string). Using this common ... |

3 |
Bounded-Interaction ZeroKnowledge proofs," CRYPTO-88
- Santis, Micali, et al.
(Show Context)
Citation Context ...teractive zero-knowledge proofs. After all, he is the one who initiates the proving monologue! 4 Comparisons with Previous Work. A model analogous to the one given in Section 3 was first presented in =-=[DMP1]-=-. [DMP1] show that after an interactive step of size n (i.e. one in which n bits are exchanged), a single theorem of size 3 p n can be proved. Thus, the length of the interaction in the preprocessing ... |

3 |
Minimum disclosure proofs of knowledge," JCSS
- Brassard, Chaum, et al.
- 1988
(Show Context)
Citation Context ...y are committed individually. 2. The veri er makes a query, q. 3. Based on q and B, the prover computes a set I [1�n]. The prover reveals I along with b i, for all i 2 I. The protocols of [GMW], [B], =-=[BCC]-=-, [IY], and [S], among others fall into this class of protocols. The two key operations in a subset revealing protocol are committing a set of bits and revealing an arbitrary subset of these bits. We ... |

2 |
Minimum Disclosure Proofs of Knowledge, " manuscript
- Brassard, Cr'epeau, et al.
- 1987
(Show Context)
Citation Context ... committed individually. 2. The verifier makes a query, q. 3. Based on q and B, the prover computes a set I ` [1; n]. The prover reveals I along with b i , for all i 2 I. The protocols of [GMW], [B], =-=[BCC]-=-, [IY], and [S], among others fall into this class of protocols. The two key operations in a subset revealing protocol are committing a set of bits and revealing an arbitrary subset of these bits. We ... |

1 |
The Knowledge Complexity of Interactive Proofs", STOC 85
- Goldwasser, Micali, et al.
(Show Context)
Citation Context ...ly and in zero-knowledge, based on the existence of any one-way function, so that the probability of accepting a false theorem is less then 1 2 k . 1 Minimizing Envelopes 1.1 Envelopes as a resource. =-=[GMR]-=- puts forward the somewhat paradoxical notion of a zero-knowledge proof, and exemplifies it for a few special classes of assertions. The introduction of ideal commitment mechanisms, known as envelopes... |

1 |
A Zero-Knowledge Proof for Knapsacks", presented at a workshop on Probabilistic Algorithms
- Shamir
- 1986
(Show Context)
Citation Context ... number of small envelopes, all other things being equal. 1.2 How many envelopes do we need? The early zero-knowledge protocols for NP all used an unbounded number of envelopes. More recently, Shamir =-=[S]-=- has found a constant envelope protocol for a natural variant of KNAPSACK. His protocol was of the following very simple form: 1. The prover puts down 3 multi-bit envelopes. 2. The verifier uniformly ... |