O. Goldreich, S. Micali, and A. Wigderson. How to prove all NP statements in zero-knowledge and a methodology of cryptograhpic protocol design. In A. M. Odlyzko, editor, Proc. of CRYPTO 1986.  Home/Search   Document Details and Download   Summary   Related Articles   Check

.... witness hiding, and minimum disclosure) Proofs of knowledge have been introduced and de ned formally in [13] but we will also call systems proofs of knowledge if they do not meet the strong requirements of [13] It has been shown that proofs of knowledge exist for a large class of problems [14, 3]. However, ecient proofs have been found only for some number theoretic problems such as RSA inversion and computing discrete logarithms [15, 7, 6, 18] Particularly, proofs of knowledge of discrete logarithms and of representations are important ingredients of many cryptographic systems, from ....

O. Goldreich, S. Micali, and A. Wigderson. How to prove all NP statements in zeroknowledge and a methodology of cryptographic protocol design. In A. M. Odlyzko, editor, Advances in Cryptology | CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 171-185. Springer-Verlag, 1987.

....VSR protocol expands on the concept embodied in VSS schemes, that of protecting shareholders from a faulty dealer. Chor et al. present a scheme in which the dealer and shareholders perform an interactive secure distributed computation [11] Benaloh [3] Gennaro and Micali [20, 21] Goldreich et al. [23], and Rabin and Ben Or [34, 36] propose schemes in which the dealer and shareholders participate in an interactive zero knowledge proof of validity; the schemes of Gennaro and Micali and of Rabin and BenOr are information theoretically secure. Feldman [14] and Pedersen [33] present schemes in ....

O. Goldreich, S. Micali, and A. Wigderson. How to prove all NP statements in zero-knowledge and a methodology of cryptograhpic protocol design. In Proc. of CRYPTO 1986.

.... systems were rst envisioned by David Chaum [Cha85] and have been further studied by Chaum and Evertse [CE87] Brands [Bra99] and Lysyanskaya, Rivest, Sahai, and Wolf [LRSW99] 14 Using general techniques of zero knowledge proofs and zero knowledge proofs of knowledge [GMR85, GMR89, GMW86, GMW87b, BG92] it is possible to prove statements such as I have a signature, without saying anything more than that (i.e. without disclosing what this credential looks like or the identity ID to which it was issued) However, doing so requires that the problem at hand be represented as, for example, ....

....credential system depends on the eciency of its building blocks. It is clear that this system can be constructed from any one way function using the following well known facts: 1) OWF ) PRG [HILL99] 2) PRG ) secure commitment [Nao91] 3) OWF ) secure signatures [Rom90] and (4) NP 2 ZKPOK [GMW87b] where ZKPOK denotes the class of languages for which there exist zero knowledge proofs of knowledge of a witness. However, going about it in this way, it unsuitable for practical use. In Chapter 4, we give an ecient signature scheme, together with an ecient commitment scheme and ecient ....

[Article contains additional citation context not shown here]

Oded Goldreich, Silvio Micali, and Avi Wigderson. How to prove all NP statements in zero-knowledge and a methodology of cryptographic protocol design. In Andrew M. Odlyzko, editor, Advances in Cryptology pages 171-185. Springer-Verlag, 1987.

....out that this intuition was wrong Indeed, using accumulators in combination with zero knowledge proofs allows one to prove that a committed value is in the accumulator. We show that this can be done e#ciently (i.e. not by reducing to an NP complete problem and then using the fact that NP ZK [20] and not by using cut and choose for the Baric and Pfitzmann s [3] construction) From the above, we obtain an e#cient mechanism for revoking group membership for the Ateniese et al. identity escrow group signature scheme [1] the most e#cient secure identity escrow group signature scheme known ....

O. Goldreich, S. Micali, and A. Wigderson. How to prove all NP statements in zero-knowledge and a methodology of cryptographic protocol design. In Advances in Cryptology --- CRYPTO '86, vol. 263 of LNCS, pp. 171--185, 1987.

....that this intuition was wrong Indeed, using accumulators in combination with zero knowledge proofs allows one to prove that a committed value is in the accumulator. We show that this can be done efficiently (i.e. not by reducing to an complete problem and then using the fact that [GMW87] and not by using cut and choose for the Baric and Pfitzmann s [BP97] construction) From the above, we obtain an efficient mechanism for revoking group membership for the Ateniese et al. identity escrow group signature scheme [ACJT00] the most efficient secure identity escrow group signature ....

Oded Goldreich, Silvio Micali, and Avi Wigderson. How to prove all NP statements in zeroknowledge and a methodology of cryptographic protocol design. In Andrew M. Odlyzko, editor, Advances in Cryptology --- CRYPTO '86, volume 263 of LNCS, pages 171--185. Springer-Verlag, 1987.

....out that this intuition was wrong Indeed, using accumulators in combination with zero knowledge proofs allows one to prove that a committed value is in the accumulator. We show that this can be done eciently (i.e. not by reducing to an NP complete problem and then using the fact that NP ZK [20] and not by using cut and choose for the Bari c and P tzmann s [3] construction) From the above, we obtain an ecient mechanism for revoking group membership for the Ateniese et al. identity escrow group signature scheme [1] the most ecient secure identity escrow group signature scheme known to ....

O. Goldreich, S. Micali, and A. Wigderson. How to prove all NP statements in zero-knowledge and a methodology of cryptographic protocol design. In Advances in Cryptology | CRYPTO '86, vol. 263 of LNCS, pp. 171-185, 1987.

....VSS scheme [Fel87] is one of several to catch a dealer that attempts to distribute invalid shares. Chor et al. present a scheme in which the dealer and shareholders perform an interactive secure distributed computation [CGMA85] Benaloh [Ben87] Gennaro and Micali [GJKR96, GM95] Goldreich et al. [GMW87] and Rabin and Ben Or [Rab94, RBO89] propose schemes in which the dealer and shareholders participate in an interactive zero knowledge proof of validity; the scheme of Gennaro and Micali, and that of Rabin and Ben Or, is information theoretically secure. Pederson [Ped91] presents a scheme, like ....

Oded Goldreich, Silvio Micali, and Avi Wigderson. How to prove all NP statements in zero-knowledge and a methodology of cryptograhpic protocol design. In Andrew M. Odlyzko, editor, Proc. of CRYPTO 1986, the 6th Ann. Intl. Cryptology Conf., volume 263 of Lecture Notes in Computer Science, pages 171--185. Intl. Assoc. for Cryptologic Research, Springer-Verlag, 1987.

.... standards such as X9.31 require the modulus to be the product of two primes p and q, where (p 1) 2, p 1) 2, q 1) 2, and (q 1) 2 have a large prime factor Previously, the only way known for proving such properties was applying inefficient general zero knowledge proof techniques (e.g. [21, 6, 14]) Our main results are as follows: First, we provide an efficient protocol to prove that a committed integer is in fact the modular addition of two committed integer modulo another committed integer without revealing any other information whatsoever. Then we provide similar protocols for modular ....

O. Goldreich, S. Micali, and A. Wigderson. How to prove all NP statements in zero-knowledge and a methodology of cryptographic protocol design. In A. M. Odlyzko, editor, Advances in Cryptology --- CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 171--185. Springer-Verlag, 1987.

....schemes [7] Feldman s VSS scheme [9] is one of several to catch a dealer that attempts to distribute invalid shares. Chor et al. present a scheme in which the dealer and shareholders perform an interactive secure distributed computation [6] Benaloh [1] Gennaro and Micali [13] Goldreich et al. [14], and Rabin and Ben Or [21, 19] subsequently propose schemes in which the dealer and shareholders participate in an interactive zero knowledge proof of validity; the schemes of Gennaro and Micali, and Rabin and Ben Or, are information theoretically secure. Pederson [18] presents a scheme, like ....

O. Goldreich, S. Micali, and A. Wigderson. How to prove all NP statements in zero-knowledge and a methodology of cryptograhpic protocol design. In A. M. Odlyzko, editor, Proc. of CRYPTO

....out that this intuition was wrong Indeed, using accumulators in combination with zero knowledge proofs allows to prove that a committed value is in the accumulator. We show that this can be done e#ciently (i.e. not by reducing to an NP complete problem and then using the fact that NP # ZK [GMW87] and not by using cut and choosefor the Baric and Pfitzmann s [BP97] construction. From the above, we obtain an e#cient mechanism for revoking group membership for the Ateniese et al. group signature scheme [ACJT00] and a credential revocation mechanism for Camenisch and Lysyanskaya s [CL01] ....

Oded Goldreich, Silvio Micali, and Avi Wigderson. How to prove all NP statements in zero-knowledge and a methodology of cryptographic protocol design. In Andrew M. Odlyzko, editor, Advances in Cryptology --- CRYPTO '86, volume 263 of LNCS, pages 171--185. Springer-Verlag, 1987.

....fairness property of the fair exchange application is actually absent. From the problem s membership in NP we know that there exists a zeroknowledge proof for a membership assertion regarding language L(a# n) Sucha proof can be constructed via a general method (e.g. the work of Goldreichetal [9]) However, the performance of a zero knowledge proof in a general construction is not suitable for practical use. By the performance for practical use we mean an efficiency measured byasmall polynomial in some typical parameters (e.g. the bit length of n) To our knowledge, there exists no ....

Goldreich, O., Micali, S. and Wigderson, A. How to prove all NP statements in zero-knowledge and a methodology of cryptographic protocol design, Advances in Cryptology --- Proceedings of CRYPTO 86 (A.M. Odlyzko ed.), Lecture Notes in Computer Science, Springer-Verlag 263 (1987), pages 171--185.

.... fairness property of the fair exchange application is absent) From the problem s membership in NP we know that there exists a zero knowledge proof for a membership assertion regarding language L(a; t; n) Such a proof can be constructed via a general method (e.g. the work of Goldrich et al. [8]) However, the performance of a zero knowledge proof in a general construction is not suitable for practical use. By the performance for practical use we mean an efficiency measured by a small polynomial in some typical parameters (e.g. the bit length of n) To our knowledge, there exists no ....

Goldreich, O., Micali, S. and Wigderson, A. How to prove all NP statements in zeroknowledge and a methodology of cryptographic protocol design, Advances in Cryptology --- Proceedings of CRYPTO 86 (A.M. Odlyzko ed.), Lecture Notes in Computer Science, Springer-Verlag 263 (1987), pages 171--185.

....be the product of two primes p and q, where (p Gamma 1) 2, p 1) 2, q Gamma 1) 2, and (q 1) 2 have a large prime factor that is between 100 and 120 bit [39] 1 . Previously, the only way known to prove such properties was applying inefficient general zero knowledge proof techniques (e.g. [23, 5, 16]) In this paper we describe an efficient protocol for proving that a committed integer is in fact the modular addition of two committed integer modulo another committed integer without revealing any other information whatsoever. Then, we provide similar protocols for modular multiplication, ....

O. Goldreich, S. Micali, and A. Wigderson. How to prove all NP statements in zero-knowledge and a methodology of cryptographic protocol design. In Advances in Cryptology --- CRYPTO '86, volume 263 of LNCS, pp. 171--185. Springer-Verlag, 1987.

.... witness hiding, and minimum disclosure) Proofs of knowledge have been introduced and defined formally in [13] but we will also call systems proofs of knowledge if they do not meet the strong requirements of [13] It has been shown that proofs of knowledge exist for a large class of problems [14, 3]. However, efficient proofs have been found only for some number theoretic problems such as RSA inversion and computing discrete logarithms [15, 7, 6, 18] Particularly, proofs of knowledge of discrete logarithms and of representations are important ingredients of many cryptographic systems, from ....

O. Goldreich, S. Micali, and A. Wigderson. How to prove all NP statements in zeroknowledge and a methodology of cryptographic protocol design. In A. M. Odlyzko, editor, Advances in Cryptology --- CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 171--185. Springer-Verlag, 1987.

No context found.

O. Goldreich, S. Micali, and A. Wigderson. How to prove all NP statements in zero-knowledge and a methodology of cryptograhpic protocol design. In A. M. Odlyzko, editor, Proc. of CRYPTO 1986.

No context found.

Oded Goldreich, Silvio Micali, and Avi Wigderson. How to prove all NP statements in zero-knowledge and a methodology of cryptograhpic protocol design. In Andrew M. Odlyzko, editor, Proc. of CRYPTO 1986, the 6th Ann. Intl. Cryptology Conf., volume 263 of Lecture Notes in Computer Science, pages 171--185. Intl. Assoc. for Cryptologic Research, Springer-Verlag, 1987.

No context found.

Oded Goldreich, Silvio Micali, and Avi Wigderson. How to prove all NP statements in zero-knowledge and a methodology of cryptographic protocol design. In Andrew M. Odlyzko, editor, Advances in Cryptology --- CRYPTO '86, volume 263 of LNCS, pages 171--185. Springer-Verlag, 1987.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC