## Honest Verifier vs Dishonest Verifier in Public Coin Zero-Knowledge Proofs (1995)

Citations: | 10 - 1 self |

### BibTeX

@MISC{Damgård95honestverifier,

author = {Ivan Damgård and Oded Goldreich and Tatsuaki Okamoto and Avi Wigderson},

title = {Honest Verifier vs Dishonest Verifier in Public Coin Zero-Knowledge Proofs},

year = {1995}

}

### Years of Citing Articles

### OpenURL

### Abstract

This paper presents two transformations of public-coin/Arthur-Merlin proof systemswhich are zero-knowledge with respect to the honest verifier into (public-coin/ArthurMerlin) proof systems which are zero-knowledge with respect to any verifier. The first transformation applies only to constant-round proof systems. It builds on Damgard's transformation (see Crypto93), using ordinary hashing functions instead of the interactive hashing protocol (of Naor, Ostrovsky, Venkatesan and Yung -- see Crypto92) which was used by Damgard. Consequently, the protocols resulting from our transformation have much lower round-complexity than those derived by Damgard's transformation. As in Damgard's transformation, our transformation preserves statistical /perfect zero-knowledge and does not rely on any computational assumptions. However, unlike Damgard's transformation, the new transformation is not applicable to argument systems or to proofs of knowledge. The second transformation can be applied to p...

### Citations

1080 | The Knowledge Complexity of Interactive Proof Systems
- Goldwasser, Micali, et al.
(Show Context)
Citation Context ...iences and Humanities. 0sPart I Hashing Functions can Simplify Zero-Knowledge Protocol Design (too)s1 Introduction to Part I Zero-knowledge proof systems, introduced by Goldwasser, Micali and Rackoff =-=[16]-=-, are a key tool in the design of cryptographic protocols. The results of Goldreich, Micali and Wigderson [14] guarantee that such proof systems can be constructed for any NP-statement, provided that ... |

750 | A pseudorandom generator from any one-way function
- Hastad, Impagliazzo, et al.
- 1999
(Show Context)
Citation Context ...owledge, except for the following minor modification. We require the simulator (in the definition of zero-knowledge) to to run in Secure commitment schemes exist provided that one-way functions exist =-=[18, 20]-=- and the latter exist if some languages which is hard on the average have proof systems which are zero-knowledge with respect to the honest verifier [24]. 2sstrictly polynomial-time (rather than in ex... |

304 | Trading group theory for randomness
- Babai
- 1985
(Show Context)
Citation Context ...Knowledge Transformation Our transformation is restricted to interactive proofs in which the verifier sends the outcome of every coin it tosses. Such interactive proofs are called Arthur-Merlin games =-=[1]-=- or public-coins interactive proofs (cf., [17]). Note that in such interactive proofs the verifier moves, save the last, may consist merely of tossing coins and sending their outcome. (In its last mov... |

164 |
Proofs that yield nothing but their validity and a methodology of cryptographic protocol design
- Goldreich, Micali, et al.
- 1986
(Show Context)
Citation Context ...tion to Part I Zero-knowledge proof systems, introduced by Goldwasser, Micali and Rackoff [16], are a key tool in the design of cryptographic protocols. The results of Goldreich, Micali and Wigderson =-=[14]-=- guarantee that such proof systems can be constructed for any NP-statement, provided that one-way functions exist. However, the general construction presented in [14] and subsequent works may yield qu... |

163 | How to Construct Constant-Round Zero-Knowledge Proof Systems for NP
- Goldreich, Kahan
- 1996
(Show Context)
Citation Context ...h respect to the honest verifier. Yet, constant-round interactive proofs for NP which are zero-knowledge in general are known only under seemingly stronger assumptions and are also more complex (cf., =-=[11]-=-). In view of the relative simplicity of designing protocols which are zero-knowledge with respect to the honest verifier, a transformation of such protocols into protocols which are zero-knowledge in... |

143 | Foundations of Cryptography (Fragments of a Book). Available at http://www.wisdom.weizmann.ac.il/home/oded/public_html/frag.html Exposure-Resilient Functions and All-or-Nothing Transforms 469
- Goldreich
(Show Context)
Citation Context ...time), but we allow it to produce output only with some non-negligible probability (rather than always). Clearly, this definition implies the standard one, but the converse is not known to hold – see =-=[9]-=-. This definition is more convenient for establishing zero-knowledge claims and in particular for our purposes, but our results do not depend on it (and can be derived under the standard definitions).... |

117 | Definitions and Properties of Zero-Knowledge Proof Systems
- Goldreich, Oren
- 1994
(Show Context)
Citation Context ...mation of [6]. Supposeswe start with a -round proof system which uses random coins and has � � ¢�� error . � � ¡ § © ¢ � � �£¢ � Clearly,s� ¢��¥¤ §�¥�� ¡ ¢ and (otherwises� ¢�� the language is in BPP =-=[15]-=-). Now, the proof system resulting from Damg˚ard’s transformation will ¢�� have rounds and maintain the error bound of the original proof system. On the other hand,s��s� the protocol resulting from �¦... |

43 | The (true) complexity of statistical zero knowledge
- Bellare, Micali, et al.
- 1990
(Show Context)
Citation Context ...rotocols which are zero-knowledge in general (i.e., w.r.t. any verifier) may be very valuable. Assuming various intractability assumptions, such transformations have been presented by Bellare et. al. =-=[2]-=-, and Ostrovsky et. al. [23]. A transformation which does not rely on any intractability assumptions has been presented by Damg˚ard in Crypto93. His transformation (of honest-verifier zero-knowledge i... |

42 | Perfect zeroknowledge arguments for NP can be based on general complexity assumptions - Naor, Ostrovsky, et al. - 1998 |

40 | Fair Games Against an All-Powerful Adversary
- Ostrovsky, Venkatesan, et al.
- 1993
(Show Context)
Citation Context ...cify the origin of each copy. 1ssent by the verifier (in each round) are replaced by a multi-round interactive hashing protocol, which in turn originates in the work of Ostrovsky, Venkatesan and Yung =-=[22]-=-. Instead, in our transformation, the random messages sent by the verifier are replaced bys¡ a -round protocol, called Random Selection. The Random Selection protocol uses a family of ordinary hashing... |

39 | One-Way Functions Are Essential for Non-Trivial Zero-Knowledge
- Ostrovsky, Wigderson
- 1993
(Show Context)
Citation Context ...way of converting protocols which are zero-knowledge with respect to the honest verifier into ones which are zero-knowledge in general, is available through a recent result of Ostrovsky and Wigderson =-=[24]-=-. They have proved that the existence of honest verifier zero-knowledge proof system for a language which is “hard on the average” implies the existence of one-way functions. Combined with the results... |

25 |
Interactive hashing can simplify zero-knowledge protocol design without computational assumptions (extended abstract
- Damg̊ard
- 1993
(Show Context)
Citation Context ...wever, unlike Damg˚ard’s transformation, the new transformation is not applicable to argument systems (i.e., the BCC model [4]) or to proofs of knowledge. Our transformation builds on Damg˚ard’s work =-=[6]-=-. In his transformation, the random messages ¢ by Ivan Damg˚ard, Oded Goldreich and Avi ¡ Wigderson. To be convinced £¥¤ that £ ¢ and are not isomorphic, the verifier randomly ¦ selects random isomorp... |

18 | Interactive hashing simplifies zero-knowledge protocol design
- Ostrovsky, Venkatesan, et al.
- 1993
(Show Context)
Citation Context ...wledge in general (i.e., w.r.t. any verifier) may be very valuable. Assuming various intractability assumptions, such transformations have been presented by Bellare et. al. [2], and Ostrovsky et. al. =-=[23]-=-. A transformation which does not rely on any intractability assumptions has been presented by Damg˚ard in Crypto93. His transformation (of honest-verifier zero-knowledge into general zero-knowledge) ... |

11 | Zero Knowledge Proofs of Knowledge - Feige, Shamir - 1989 |

10 |
Private Coins versus Public Coins
- Goldwasser, Sipser
- 1989
(Show Context)
Citation Context ...s restricted to interactive proofs in which the verifier sends the outcome of every coin it tosses. Such interactive proofs are called Arthur-Merlin games [1] or public-coins interactive proofs (cf., =-=[17]-=-). Note that in such interactive proofs the verifier moves, save the last, may consist merely of tossing coins and sending their outcome. (In its last move the verifier decides, based on the entire hi... |

7 | Hashing functions can simplify zero-knowledge protocol design (too
- Damg̊ard, Goldreich, et al.
- 1994
(Show Context)
Citation Context ... do not depend on it (and can be derived under the standard definitions). Due to space limitations the proofs of all propositions have been omitted. The complete proofs appear in our technical report =-=[7]-=-. 2 Random Selection We consider a randomized two-party protocol for selecting strings. The two parties to the protocol are called the challenger and the responder. These names are supposed to reflect... |

3 |
Bit Commitment from Pseudo-Randomness
- Naor
(Show Context)
Citation Context ...owledge, except for the following minor modification. We require the simulator (in the definition of zero-knowledge) to to run in Secure commitment schemes exist provided that one-way functions exist =-=[18, 20]-=- and the latter exist if some languages which is hard on the average have proof systems which are zero-knowledge with respect to the honest verifier [24]. 2sstrictly polynomial-time (rather than in ex... |

2 |
Fault-Tolerant Computation without Assumptions: the Two-Party Case
- Goldreich, Goldwasser, et al.
- 1991
(Show Context)
Citation Context ...ifier zero-knowledge proofs (for such languages) do not get transformed into perfect zero-knowledge proofs. A two-party protocol for random selection, with unrelated properties, has been presented in =-=[10]-=-. This protocol guarantees that, as long as one party plays honestly, the outcome of the protocol hits any set �����¨�������¨� with probability at most � � ��� � � � ��� � � , where � � � £�������� � ... |

1 | Everything in NP can be Argued - Brassard, Crépeau, et al. - 1989 |

1 |
On the Composition
- Goldreich, Krawcyzk
- 1990
(Show Context)
Citation Context ..., it also increases the error probability of the proof system by a non-negligible amount which can be made arbitrarily small. This increase is inevitible in view of a result of Goldreich and Krawcyzk =-=[12]-=-, see discussion in subsection 3.4. Thus, to get proof systems with negligible error probability, one may repeat the protocols resulting from our transformation a non-constant number of times. Still, ... |