## Practical Zero-Knowledge Proofs: Giving Hints and Using Deficiencies (1994)

Venue: | JOURNAL OF CRYPTOLOGY |

Citations: | 32 - 0 self |

### BibTeX

```bibtex
@ARTICLE{Boyar94practicalzero-knowledge,
  author = {Joan Boyar and Katalin Friedl and Carsten Lund},
  title = {Practical Zero-Knowledge Proofs: Giving Hints and Using Deficiencies},
  journal = {JOURNAL OF CRYPTOLOGY},
  year = {1994},
  volume = {4},
  pages = {155--172}
}
```

### Abstract

New zero-knowledge proofs are given for some number-theoretic problems. All of the problems are in NP, but the proofs given here are much more efficient than the previously known proofs. In addition, these proofs do not require the prover to be super-polynomial in power. A probabilistic polynomial time prover with the appropriate trap-door knowledge is sufficient. The proofs are perfect or statistical zero-knowledge in all cases except one.

### Citations

1241 | Probabilistic encryption - Goldwasser, Micali - 1984 |

1086 | The Knowledge Complexity of Interactive Proof Systems - Goldwasser, Micali, et al. - 1985 |

Citation Context: ...roofs may involve a transformation to a circuit or to an NP-complete problem, so they are often quite inefficient. The first zero-knowledge proofs, those for quadratic residuosity and non-residuosity [22], were practical; they were efficient and the prover could be probabilistic polynomial time if she had the appropriate trap-door knowledge. Other efficient zero-knowledge proofs are given in [9], [1...

326 | Zero knowledge proofs of identity - Feige, Fiat, et al. - 1988 |

Citation Context: ...ctical; they were efficient and the prover could be probabilistic polynomial time if she had the appropriate trap-door knowledge. Other efficient zero-knowledge proofs are given in [9], [11], [12], [15], [23], [30]. In this paper we present a practical zero-knowledge proof for a special case of primitivity. This protocol, which shows that an element of the multiplicative group modulo a prime is a ge...

318 | Approximate formulas for some functions of prime numbers - Rosser, Schoenfeld - 1962 |

Citation Context: ... $\int_2^x \frac{1}{\log^2 t}\,dt > \frac{x}{\log x} + O(1)$. Hence the probability that a random $m$, chosen so that $m \equiv 1 \pmod{n}$ and $m \le x$, is prime is $\frac{\frac{x}{\varphi(n)\log x} + \frac{O(1)}{\varphi(n)} + O(x^{1/2}\log x)}{\lfloor (x-1)/n \rfloor}$. We have from [28] that $\varphi(n) \le C(n/\log\log n)$; hence if $x = n^3$ the above is greater than $C' \frac{\log\log n}{\log n} + O(n^{-1/2}\log n)$. Note that $x = n^{2+\epsilon}$ is sufficient if $\epsilon > 0$. To find $p$, one can use Bach's method...

307 | Digitalized signatures and public-key functions as intractable as factorization - Rabin - 1979 |

Citation Context: ... square in the ring $Z_{q^l}$. But we show how the prover can find the one equal to $r$ modulo $q^l$. The prover finds in polynomial time the two square roots $r_1$ and $r_2$ of $x$ modulo $q^l$ by using [2], [6], [26] or [27] to find the square roots modulo $q$ and then lifting these solutions up to solutions modulo $q^l$. Without loss of generality, suppose $r_1 \equiv r \pmod{q^l}$ and $r_2 \equiv -r \pmod{q^l}$. Then there...

164 | Proofs that yield nothing but their validity and a methodology of cryptographic protocol design - Goldreich, Micali, et al. - 1986 |

Citation Context: ...s. Little attention, however, has been paid to the practicality of these proofs. It is known, for example, that, under certain cryptographic assumptions, all problems in NP have zero-knowledge proofs [19], [8], [10]. Although these proofs can be performed with probabilistic polynomial time provers who have the appropriate trapdoor information, these proofs may involve a transformation to a circuit or ...

161 | Factoring polynomials over large finite fields - Berlekamp - 1970 |

Citation Context: ...f any square in the ring $Z_{q^l}$. But we show how the prover can find the one equal to $r$ modulo $q^l$. The prover finds in polynomial time the two square roots $r_1$ and $r_2$ of $x$ modulo $q^l$ by using [2], [6], [26] or [27] to find the square roots modulo $q$ and then lifting these solutions up to solutions modulo $q^l$. Without loss of generality, suppose $r_1 \equiv r \pmod{q^l}$ and $r_2 \equiv -r \pmod{q^l}$. Then...

135 | Multiplicative Number Theory - Davenport - 1980 |

Citation Context: ...tors s of a. Completeness: Assuming the Extended Riemann Hypothesis, one can try random $a$'s which are less than $n^2$ and expect to find $p$ in $O(\log n)$ attempts. To see this, consider the following from [13] (pp. 129, 136). Assuming the Extended Riemann Hypothesis, $|\{p \mid p \text{ prime},\ p \le x,\ p \equiv 1 \pmod{n}\}| = \frac{\operatorname{li} x}{\varphi(n)} + O(x^{1/2}\log x)$, where $\operatorname{li} x = \int_2^x \frac{1}{\log t}\,dt = \frac{x}{\log x} - \frac{2}{\log 2} + \int_2^x \frac{1}{\log^2 t}\,dt > x$...

123 | Does co-NP have short interactive proofs - Boppana, Hastad, et al. - 1987 |

Citation Context: ...guage has a zero-knowledge proof system [19]. On the other hand it is unlikely that there are perfect zero-knowledge proof systems for all problems with zero-knowledge proofs. The results of [17] and [7] show that NP-complete languages do not have perfect zero-knowledge proof systems unless the polynomial hierarchy collapses to the second level, which would be a major surprising result in complexity ...

112 | The complexity of promise problems with applications to public-key cryptography - Even, Selman, et al. - 1984 |

Citation Context: ...tic, so we are concentrating on proofs for number theoretic problems. Some of our proofs only work on a well-defined subset of the possible inputs, so these problems can be viewed as promise problems [14] [18]. From [14] we get the notation that a promise problem $(Q, R)$ is deciding if the input $x$ belongs to $R$ given that we know that $x$ belongs to $Q$. The definitions of zero-knowledge proofs do not requi...

110 | Zero knowledge proofs of knowledge in two rounds - Feige, Shamir |

Citation Context: ...then the verifier sets $\check{r}_i = r_i$; otherwise he sets $\check{r}_i = r_i + r$. Then he reveals $\check{r}_i$. 3.5 The prover checks that $h_i = g^{\check{r}_i}/h^{\beta_i}$. This protocol is in fact a witness hiding proof of knowledge [15, 16] of the discrete logarithm of $h$. Look at the communication $(h, x, h_1, \ldots, h_k, \beta_1, \ldots, \beta_k, \check{r}_1, \ldots, \check{r}_k)$ at the point just before the prover reveals $r$. Recall that r 0 = r + s( ...

96 | All-or-Nothing Disclosure of Secrets - Brassard, Crépeau, et al. - 1987 |

Citation Context: ...ty [22], were practical; they were efficient and the prover could be probabilistic polynomial time if she had the appropriate trap-door knowledge. Other efficient zero-knowledge proofs are given in [9], [11], [12], [15], [23], [30]. In this paper we present a practical zero-knowledge proof for a special case of primitivity. This protocol, which shows that an element of the multiplicative group modu...

89 | The complexity of perfect zero-knowledge - Fortnow - 1989 |

Citation Context: ...ry NP-language has a zero-knowledge proof system [19]. On the other hand it is unlikely that there are perfect zero-knowledge proof systems for all problems with zero-knowledge proofs. The results of [17] and [7] show that NP-complete languages do not have perfect zero-knowledge proof systems unless the polynomial hierarchy collapses to the second level, which would be a major surprising result in com...

85 | Probabilistic Algorithms in Finite Fields - Rabin - 1980 |

Citation Context: ...in the ring $Z_{q^l}$. But we show how the prover can find the one equal to $r$ modulo $q^l$. The prover finds in polynomial time the two square roots $r_1$ and $r_2$ of $x$ modulo $q^l$ by using [2], [6], [26] or [27] to find the square roots modulo $q$ and then lifting these solutions up to solutions modulo $q^l$. Without loss of generality, suppose $r_1 \equiv r \pmod{q^l}$ and $r_2 \equiv -r \pmod{q^l}$. Then there exist k...

75 | Random Self-Reducibility and Zero-Knowledge Interactive Proofs of Possession of Information - Tompa, Woll - 1992 |

Citation Context: ... were efficient and the prover could be probabilistic polynomial time if she had the appropriate trap-door knowledge. Other efficient zero-knowledge proofs are given in [9], [11], [12], [15], [23], [30]. In this paper we present a practical zero-knowledge proof for a special case of primitivity. This protocol, which shows that an element of the multiplicative group modulo a prime is a generator, onl...

57 | Recognizing primes in random polynomial time - Adleman, Huang - 1988 |

Citation Context: ...plications, this is a reasonable assumption because it is possible in expected polynomial time to create a random prime $p$ with a given length, along with the complete factorization of $p - 1$ [3], [1]. Now, we will modify the above zero-knowledge proof to include the following steps, which should be repeated $k = \lceil \log_2 p \rceil$ times: Protocol 2 0. The verifier rejects if $g^{(p-1)/2} = 1$. 1. The veri...

57 | Non-transitive transfer of confidence: A perfect zero-knowledge interactive protocol for SAT and beyond - Brassard, Crépeau - 1986 |

Citation Context: ...tle attention, however, has been paid to the practicality of these proofs. It is known, for example, that, under certain cryptographic assumptions, all problems in NP have zero-knowledge proofs [19], [8], [10]. Although these proofs can be performed with probabilistic polynomial time provers who have the appropriate trapdoor information, these proofs may involve a transformation to a circuit or to an...

57 | An improved protocol for demonstrating possession of discrete logarithms and some generalizations - Chaum, Evertse, et al. - 1988 |

Citation Context: ...2], were practical; they were efficient and the prover could be probabilistic polynomial time if she had the appropriate trap-door knowledge. Other efficient zero-knowledge proofs are given in [9], [11], [12], [15], [23], [30]. In this paper we present a practical zero-knowledge proof for a special case of primitivity. This protocol, which shows that an element of the multiplicative group modulo a p...

39 | Perfect zero-knowledge in constant rounds - Bellare, Micali, et al. - 1990 |

Citation Context: ... random $\gamma$ and $r$, and tries again. Thus the simulation is expected polynomial time, and this protocol is perfect zero-knowledge. $\Box$ Furthermore, the protocol can be parallelized following the lines of [4], as protocol 5 below is parallelized in protocol 6, giving a bounded round, perfect zero-knowledge proof system. The above discussion gives Theorem 2 There is a prover-practical perfect zero-knowledg...

36 | On taking roots in finite fields - Adleman, Manders, et al. - 1977 |

Citation Context: ...ots of any square in the ring $Z_{q^l}$. But we show how the prover can find the one equal to $r$ modulo $q^l$. The prover finds in polynomial time the two square roots $r_1$ and $r_2$ of $x$ modulo $q^l$ by using [2], [6], [26] or [27] to find the square roots modulo $q$ and then lifting these solutions up to solutions modulo $q^l$. Without loss of generality, suppose $r_1 \equiv r \pmod{q^l}$ and $r_2 \equiv -r \pmod{q^l}$....

33 | How to generate factored random numbers - Bach - 1988 |

Citation Context: ...st applications, this is a reasonable assumption because it is possible in expected polynomial time to create a random prime $p$ with a given length, along with the complete factorization of $p - 1$ [3], [1]. Now, we will modify the above zero-knowledge proof to include the following steps, which should be repeated $k = \lceil \log_2 p \rceil$ times: Protocol 2 0. The verifier rejects if $g^{(p-1)/2} = 1$. 1. The...

33 | Demonstrating Possession of a Discrete Logarithm without Revealing It - Chaum, Evertse, et al. - 1987 |

Citation Context: ...re practical; they were efficient and the prover could be probabilistic polynomial time if she had the appropriate trap-door knowledge. Other efficient zero-knowledge proofs are given in [9], [11], [12], [15], [23], [30]. In this paper we present a practical zero-knowledge proof for a special case of primitivity. This protocol, which shows that an element of the multiplicative group modulo a prime i...

32 | On the Cunning Power of Cheating Verifiers: Some Observations about Zero Knowledge Proofs (Extended Abstract) - Oren - 1987 |

Citation Context: ...pt of a conversation between machines V and P consists of the input string, the random bits of V, and the messages sent by the two parties. In the following definitions, we are using Oren's notation [25]. The verifier may have some auxiliary input y on his private auxiliary input tape. In his definitions of zero-knowledge, Oren takes into account the effect that this auxiliary input has on the communi...

29 | A Simple and Secure Way to Show the Validity of Your Public Key - Graaf, Peralta - 1988 |

Citation Context: ...; they were efficient and the prover could be probabilistic polynomial time if she had the appropriate trap-door knowledge. Other efficient zero-knowledge proofs are given in [9], [11], [12], [15], [23], [30]. In this paper we present a practical zero-knowledge proof for a special case of primitivity. This protocol, which shows that an element of the multiplicative group modulo a prime is a generato...

26 | Demonstrating that a public predicate can be satisfied without revealing any information about how - Chaum - 1987 |

Citation Context: ...ttention, however, has been paid to the practicality of these proofs. It is known, for example, that, under certain cryptographic assumptions, all problems in NP have zero-knowledge proofs [19], [8], [10]. Although these proofs can be performed with probabilistic polynomial time provers who have the appropriate trapdoor information, these proofs may involve a transformation to a circuit or to an NP-co...

24 | The Art of Computer Programming, Vol 2 - Knuth - 1980 |

Citation Context: ...lator will repeat the above procedure until it succeeds in getting another random multiple $a't$ or until it has run the procedure $2^k$ times, in which case it will find $t$ by brute force. We know from [24] that $\Pr[\gcd(at, a't) = t] = 6/\pi^2$. Hence, it can be shown, by techniques similar to those in Appendix A, that this simulator runs in expected polynomial time. $\Box$ If the modulus has more than one p...

14 | Cryptographic Capsules: A Disjunctive Primitive for Interactive Protocols - Benaloh - 1987 |

Citation Context: ...l $x^{\varphi(n)/\gcd(n,\varphi(n))} \neq 1 \pmod{n}$. Then, the verifier chooses a random $r \in Z_n$ and a random bit $\beta$. The verifier then sends $y \equiv r^n x^{\beta} \pmod{n}$ to the prover. Next, using the technique due to Benaloh [5] of using cryptographic capsules, the verifier gives a zero-knowledge proof that he knows $n$ and $\beta$. Finally, the prover reveals the bit $\beta$. The reason this is not perfect zero-knowledge is that the pr...

12 | Greatest of the least primes in arithmetic progressions having a given modulus - Wagstaff - 1979 |

Citation Context: ...hod [3] to produce an appropriate $a$ randomly, along with the complete factorization of $a$. Another way to find an appropriate $p$ is by trying $n + 1, 2n + 1, 3n + 1, \ldots$ until we find a prime. Wagstaff [31] has given an heuristic argument which says that we would usually only have to try up to $O(\log^2 n)$ numbers. Observe that we can factor $a$ since it is so small. Because of step 3, we can assume that q6...

6 | A Perfect Zero-Knowledge Proof for a Problem Equivalent to Discrete Logarithm - Goldreich, Kushilevitz - 1993 |

Citation Context: ...so we are concentrating on proofs for number theoretic problems. Some of our proofs only work on a well-defined subset of the possible inputs, so these problems can be viewed as promise problems [14] [18]. From [14] we get the notation that a promise problem $(Q, R)$ is deciding if the input $x$ belongs to $R$ given that we know that $x$ belongs to $Q$. The definitions of zero-knowledge proofs do not require th...