Chaum, D., "Demonstrating that a public predicate can be satisfied without revealing any information about how", Crypto 86.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....the non triviality of the interaction is a necessary condition for the non triviality of the notion of zero knowledge. 1.3 Previous result concerning interactive proofs In section 1.1, we implicitly discussed the classes of languages having. k move interactive proof systems (i.e. k message exchanges) Let P(k) denote the class of languages membership in which can be proved through a general interaction consisting f k messages, and let RIP(k) denote languages proven through the restricted type interaction in which the verifier tosses public coins . Babai [B] showed that for every ....

....in the following strong sense: for every verifier program V there is an algorithm Mlzo, such that the probability distribution generated by M. on input x L) is identical to the probability distribution generated by V (when interacting with the prover on the input z) Independently, Chaum [Cha] discovered a protocol which is very similar to the one in BC2] Chaum alo proposed an interesting application of such zero information proofs . His application is to a setting in which the verifier may have infinite computing power while the prover is restricted to polynomial time ....

[Article contains additional citation context not shown here]

Chaum, D., "Demonstrating that a Public Predicate can be Satisfied Without Revealing Any Information About How", these proceedings.

....them. Classical examples are authentication, identi cation [5, 20, 21] digital signatures [21] and group signatures [10, 18] From a more general point of view, the idea of satisfying boolean statements (predicates) without leaking any information has been rst introduced by Chaum et al. [13, 15, 22]. Numerous schemes [14] allow to combine several proofs to prove more elaborated statements about discrete logarithms; the very rst only covered the case of a single equations connected by AND statement. In 1994, De Santis et al. 25] and Cramer et al. 19] independently discovered a general ....

D. Chaum. Demonstrating that a public predicate can be satis ed without revealing any information about how. In A. M. Odlyzko, editor, Proc. of Crypto '86, volume 263 of LNCS, pages 195-199. Springer-Verlag, August 1986.

....a protocol is a zero knowledge protocol if one party learns nothing (zero) from the protocol above and beyond what he is supposed to learn. This theory was originated by Goldwasser, Micali, and Racko [80] and has been extended by many others, including Galil, Haber, and Yung [67] Chaum [34], Goldwasser and Sipser [83] and Brassard and Crepeau [31] Zero knowledge protocols are two party protocols; one party is called the prover and the other the veri er. The prover knows some fact and wishes to convince the veri er of this fact. The veri er wants a protocol that will allow the ....

D. Chaum. Demonstrating that a public predicate can be satised without revealing any information about how. In A. M. Odlyzko, editor, Proceedings CRYPTO 86, pages 195-199, Springer, 1987. Lecture Notes in Computer Science No. 263.

....the shopkeeper must contact the bank during every transaction. If Alice uses a coin only once, her privacy is protected unconditionally. But if Alice reuses a coin, the bank can trace it to her account and can prove that she has used it twice. Our work is motivated by that on minimum disclosure ([C86], BC86a] 2 [BC86b] and [BCC] and on zero knowledge ( GMR] GMW86a] and [GMW86b] Our scheme protects Alice s privacy unconditionally as is possible with the former, rather than computationally as in the latter. Using these very general results which seem to be infeasible in practice ....

Chaum, D., Demonstrating that a Public Predicate can be Satisfied Without Revealing Any Information About How, presented at Crypto '86, 1986.

....elections [12] These protocols take advantage of special algebraic properties of the encryption schemes used. Also, Zero Knowledge had just been defined [28] and people were coming up with protocols in which Alice can convince Bob that she knows a satisfying assignment for any Boolean circuit [7, 8, 10, 23]. Note that in these kind of protocols only one party provides an input to the circuit, which makes it easier to handle than the match making problem. Around 1987 the first solutions to the match making problem and its generalizations began to appear, resulting in a true avalanche of papers in ....

David Chaum (1987). Demonstrating that a public predicate can be satisfied without revealing any information about how. In A.M. Odlyzko, editor, Proc. CRYPTO 86, pages 195--199. Springer-Verlag. Lecture Notes in Computer Science No. 263.

....elections [12] These protocols take advantage of special algebraic properties of the encryption schemes used. Also, Zero Knowledge had just been defined [28] and people were coming up with protocols in which Alice can convince Bob that she knows a satisfying assignment for any Boolean circuit [7, 8, 10, 23]. Note that in this protocol only one party provides an input to the circuit, which makes it easier to handle than the match making problem. Around 1987 the first solutions to the match making problem and its generalizations began to appear , resulting in a true avalanche of papers in the ....

David Chaum. Demonstrating that a public predicate can be satisfied without revealing any information about how. In A.M. Odlyzko, editor, Proc. CRYPTO 86, pages 195--199. Springer-Verlag, 1987. Lecture Notes in Computer Science No. 263.

....information in the informationtheoretic sense. Despite their practical and theoretical importance, it was only known how to implement zero knowledge arguments based on specific algebraic assumptions; basing them on a general complexity assumption was open since their introduction in 1986 [BCC, BC, CH]. In this paper, we finally show a general construction, which can be based on any one way permutation. We stress that our scheme is efficient: both players can execute only polynomial time programs during the protocol. Moreover, the security achieved is on line: in order to cheat and validate a ....

....gets help from an infinitely powerful computation; while the verifier (or anyone overhearing the protocol) if he ever breaks the assumption (say, after 100 years) can extract additional information about the proof (thus, the security is only ensured computationally) 2. Zero knowledge arguments [CH, BC, BCC]: The verifier can not extract additional information even if he is given infinite time ( i.e. security is perfect) however, the prover (assumed to be polynomial time) can cheat in his proof only if he manages to break the assumption on line during the execution of the protocol. This is the ....

Chaum, D., "Demonstrating that a public predicate can be satisfied without revealing any information about how", Crypto 86.

.... It as been used for coin tossing protocols (Alice and Bob who do not trust each other want to toss a coin over a telephone line) 8, 9, 2] zero knowledge proofs (Alice wants to prove the validity of a statement to Bob without revealing him anything else than the fact that the statement is true) [35, 36, 12, 11, 32, 16, 10, 38], and more or less every single cryptographic protocol involves bit commitments somewhere. It is a very fundamental primitive. In terms of quantum implementation, an early protocol to achieve this task was given implicitly in [2] Bennett and Brassard gave a coin tossing protocol using faint ....

D. Chaum. Demonstrating that a public predicate can be satisfied without revealing any information about how. In A. M. Odlyzko, editor, Proceedings CRYPTO 86, pages 195--199. Springer, 1987. Lecture Notes in Computer Science No. 263.

....and slightly earlier by [GrMiWi86] as they gave a ZKIP for 3 COL. Obviously (because Karp reductions carry NP certificates) it suffices to find a ZKIP for any NP complete problem in order to get one for all problems in NP. Protocols very similar to ours for satisfiability are also given in [Be86, Ch86]. Our protocol is more attractive in practice than that of [GrMiWi86] but we depend on a specific cryptographic assumption (quadratic residuosity) whereas they merely need to assume the existence of secure encryption schemes in the sense of [GwMi84] In a further paper, we shall show that our ....

Chaum, D., "Demonstrating that a public predicate can be satisfied without revealing any information about how", presented at CRYPTO 86, 1986.

....be a satisfiable boolean circuit of size n made out of negation and binary gates. Assume that the Prover knows a satisfying assignment for C and that she wishes to convince the Verifier of this fact using a zero knowledge proof system [29] Previously known proof systems for this problem (such as [18, 15, 16, 14]) all require the Prover to commit to Omega Gamma n) bits, wait for a challenge from the Verifier, and then open some of the commitments (perhaps all of them) This is done in such a way that the Prover would be caught cheating with probability at least 50 if in fact C was not satisfiable, but ....

Chaum, D., "Demonstrating that a public predicate can be satisfied without revealing any information about how", Advances in Cryptology -- Proceedings of Crypto '86, pp. 195 -- 199, 1986.

....a protocol is a zero knowledge protocol if one party learns nothing (zero) from the protocol above and beyond what he is supposed to learn. This theory was originated by Goldwasser, Micali, and Rackoff [80] and has been extended by many others, including Galil, Haber, and Yung [67] Chaum [34], Goldwasser and Sipser [83] and Brassard and Crepeau [31] Zero knowledge protocols are two party protocols; one party is called the prover and the other the verifier. The prover knows some fact and wishes to convince the verifier of this fact. The verifier wants a protocol that will allow the ....

D. Chaum. Demonstrating that a public predicate can be satisfied without revealing any information about how. In A. M. Odlyzko, editor, Proceedings CRYPTO 86, pages 195--199, Springer, 1987. Lecture Notes in Computer Science No. 263.

....zero knowledge proofs and the classes of problems which have such zero knowledge proofs. Little attention, however, has been paid to the practicality of these proofs. It is known, for example, that, under certain cryptographic assumptions, all problems in NP have zero knowledge proofs [19] 8] [10]. Although these proofs can be performed with probabilistic polynomial time provers who have the appropriate trapdoor information, these proofs may involve a transformation to a circuit or to an NP complete problem, so they are often quite inefficient. The first zero knowledge proofs, those for ....

Chaum, D., Demonstrating that a public predicate can be satisfied without revealing any information about how, Advances in Cryptology - Crypto '86 Proceedings, 1987, pp. 195-199.

....probability of lucky successful cheating. This is the sense in which it is said of GMR interactive proofs that A proof is a proof . In many practical situations, it is nevertheless reasonable to impose computational limitations on the prover. This setting was investigated independently by Chaum [C2] (who, on the other hand, allowed unlimited computing power to the verifier to a large extent, Chaum s model goes back to [C1] and by Brassard and Crepeau [BC] who restricted both the prover and the verifier to reasonable computing power) In either the Chaum or the Brassard Crepeau ....

.... For instance, even a polynomial time prover could succeed at proving a false statement with the protocol of [BC] provided that she has a very efficient factoring algorithm (whose non existence is still an open problem) To distinguish interactive proofs in the sense of GMR from the protocols of [C2, BC], we introduce a new terminology. An interactive protocol is an argument (rather than a proof) if the verifier s faith in the prover s claim must ultimately rest on an assumption. As we have seen, this assumption could be cryptographic in nature, such as the assumption that the prover cannot ....

[Article contains additional citation context not shown here]

Chaum, D., "Demonstrating that a public predicate can be satisfied without revealing any information about how", Advances in Cryptology - CRYPTO '86 Proceedings, Springer-Verlag, 1987, pp.195-199.

....Feige, Fiat and Shamir [FFS] and Tompa and Woll [TW] have given formal definitions of what should constitute a proof of knowledge in the context of interactive proof systems. Brassard, Chaum and Cr epeau have investigated a different setting, in which the prover s computing power is limited [BC1,C,BCC]. The resulting protocols are convincing for the verifier provided that he believes that the prover cannot break a given cryptographic assumption while the protocol is in progress. Consequently, such protocols are merely computationally convincing , as opposed to Goldwasser Micali Rackoff s ....

Chaum, D., "Demonstrating that a public predicate can be satisfied without revealing any information about how", Advances in Cryptology: CRYPTO '86 Proceedings, Springer--Verlag, 1987, pp. 195 -- 199.

....computations, such as modular addition, subtraction, and multiplication, and greatest common divisor. 1 Introduction From a practical point of view, the bottleneck in the zero knowledge interactive proof systems and in the interactive arguments 1 which are produced by the techniques of [1, 5, 7, 14] is the amount of interaction necessary. In this paper we provide powerful Supported in part by NSA Grant Number MDA904 88 H 2006. y Supported in part by NSF Grant Number CCR 8909657. 1 Protocols, which are proofs in the model of Brassard Chaum Cr epeau [4] are not technically interactive ....

....the complexity of the interactive proof would be CC k (n) 2 O(k Delta n 8 ) Thus we see that the technique of reduction to graph 3 colorability, elegant as it is, cannot reasonably be used in practice for arbitrary languages in NP. An alternative technique for producing zero knowledge proofs ([1, 4, 5, 6, 7]) proceeds by reduction to a verifying boolean circuit rather than to an NP complete 2 In fact, this cost should probably be k rather than constant, but we make this simplifying assumption to avoid multiplying all communication costs mentioned in this paper by the same factor, k. language. ....

D. Chaum. Demonstrating that a public predicate can be satisfied without revealing any information about how. In Advances in Cryptology - proceedings of CRYPTO 86, Lecture Notes in Computer Science, pages 195--199. SpringerVerlag, 1987.

.... (not needed for this paper) can be found in [GMR] A result similar to those of [GMW, BC1] was obtained independently by Chaum, but under a very different model, which emphasizes the unconditional privacy of the prover s secret information, even if the verifier has unlimited computing power [Ch]. Independently, Brassard and Cr epeau considered a model (compatible with Chaum s) in which all parties involved are assumed to have reasonable computing power, and they also obtained a protocol unconditionally secure for the prover (meaning that the prover s safety did not depend on unproved ....

....willing to undergo an infeasible computation. Such attacks from the verifier can even be performed off line, i.e. any time after the protocol has been completed. In contrast, no information at all (even in the sense of Shannon s information theory [S] is given to the verifier in the protocols of [Ch, BC2], except with an exponentially small probability. This exponentially small probability of cheating for the verifier was subsequently removed by Brassard, Chaum and Cr epeau [BCC] thanks to an 1 It is convenient to give distinct and definite genders to the participants of our protocols. The ....

[Article contains additional citation context not shown here]

Chaum, D., "Demonstrating that a public predicate can be satisfied without revealing any information about how", Advances in Cryptology: CRYPTO '86 Proceedings, Springer--Verlag, 1987, pp. 195 -- 199.

....that provably offer Shannon security for Alice. Our technique extends naturally to the setting of transfer of confidence. This results in protocols that are dual to those of [GrMiWi86a, BrCr86] A different but similar idea leading to Shannon security has been independently proposed by David Chaum [Ch86]. More precisely, we offer the following: Shannon security for Alice: our protocol is perfect zero knowledge for problems in NP. After its completion, Alice knows for sure that nothing about her proof has transpired from the protocol. This does not depend on unproved cryptographic assumptions; ....

Chaum, D., "Demonstrating that a public predicate can be satisfied without revealing any information about how", Presented at CRYPTO 86 , 1986.

.... (not needed for this paper) can be found in [GMR] A result similar to those of [GMW, BC1] was obtained independently by Chaum, but under a very different model, which emphasizes the unconditional privacy of the prover s secret information, even if the verifier has unlimited computing power [Ch]. Independently, Brassard and Crepeau considered a model (compatible with Chaum s) in which all parties involved are assumed to have reasonable computing power, and they also obtained a protocol unconditionally secure for the prover (meaning that the prover s safety did not depend on unproved ....

.... Chaum s) in which all parties involved are assumed to have reasonable computing power, and they also obtained a protocol unconditionally secure for the prover (meaning that the prover s safety did not depend on unproved cryptographic assumptions) BC2] We shall refer to the settings of either [Ch] or [BC2] as the BCC setting in order to contrast it with the GMR setting described in the previous paragraph [BC3] The difference between these settings is important because all the information on the prover s secret is given to the verifier in the protocols of [GMW, BC1] albeit in enciphered ....

[Article contains additional citation context not shown here]

Chaum, D., "Demonstrating that a public predicate can be satisfied without revealing any information about how", Advances in Cryptology - CRYPTO '86 Proceedings, SpringerVerlag, 1987, pp.195-199.

No context found.

Chaum, D., "Demonstrating that a public predicate can be satisfied without revealing any information about how", Crypto 86.

No context found.

D. Chaum. Demonstrating that a public predicate can be satisfied without revealing any information about how. In A. M. Odlyzko, editor, Proc. of Crypto '86, volume 263 of LNCS, pages 195--199. Springer-Verlag, August 1986.

No context found.

D. Chaum, "Demonstrating that a Public Predicate can be Satisfied Without Revealing Any Information About How", Advances in Cryptology --- Crypto `86 Proceedings. A. M. Odlyzko (ed.), Lecture Notes in Computer Science, vol. 263, Springer-Verlag, Berlin, 1987, 195-199.

No context found.

D. Chaum, Demonstrating that a Public Predicate can be Satisfied Without Revealing any Information About How, in "Advances in Cryptology -- CRYPTO 86," vol. 263 of "Lecture Notes in Computer Science," Springer Verlag, pp. 195--199.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC