| Tompa, M. and H. Woll, "Random Self Reducibility and Zero Knowledge Interactive Proofs of Possession of Information," Proceedings of the 28th IEEE Symposium on Foundations of Computer Science, October 1987. |
....we recall a definition of a proof of knowledge protocol. Proofs of knowledge are, as Bellare and Goldreich [BG92] wrote, one of the many conceptual contributions of the work of Goldwasser, Micali and Rackoff [GMR85]. They were first defined by Feige, Fiat and Shamir [FFS88] and by Tompa and Woll [TW87] and further refined by Bellare and Goldreich [BG92]. A proof of knowledge is a protocol whereby a verifier is convinced that a certain quantity w that satisfies some polynomial time computable relation R is known to the prover. For example, w can be a satisfying assignment to a formula in ....
Martin Tompa and Heather Woll. Random self-reducibility and zero knowledge interactive proofs of possession of information. In 28th Annual Symposium on Foundations of Computer Science, pages 472-482, Los Angeles, California, 12-14 October 1987. IEEE.
....specified properties. Of particular interest in a cryptographic setting is a witness-indistinguishable proof of knowledge in which the verifier gains no information about which value the prover knows. The following protocol is a proof of knowledge similar to proofs of knowledge in [18], [16] and [24]. In this protocol, given a prime p, a generator g and a number Q, the prover provides a pair (X, Y) such that XY = Q mod p and proves that he knows the discrete log of either X or Y. To do this, the prover constructs a sequence of pairs (W_i, Z_i) such that W_i Z_i = Q mod p. For each such ....
M. Tompa and H. Woll. Random self-reducibility and zero-knowledge interactive proofs of possession of information. In Proceedings of the 28th FOCS, 1987.
....that is invulnerable to off-line and impersonation attacks is interactive zero knowledge proofs. Goldwasser, Micali, and Rackoff introduced the notion of interactive proof and zero knowledge in [4]. Since then it has been the subject of intense research, see [5], [6], [7], [8], [9], [10], [11], [12], [13]. Particularly, in [7] Feige et al. show an elegant method for using an interactive zero knowledge proof to prove identity in a cryptographic protocol. Informally, an interactive proof is a two party conversation in which an infinitely powerful prover tries to convince a polynomial time ....
M. Tompa and H. Woll, "Random self reducibility and zero-knowledge interactive proofs of knowledge," 28th IEEE Symposium on the Foundation of Computer Science, 1987.
....[23] considered resource bounded versions of autoreducibility in which the resource could be any Blum complexity measure. Several polynomial bounded versions of autoreducibility are particularly important in complexity theory. Motivated by previous work on uniformly random self reducibility [1, 3, 15, 26] and on efficient program checking [9, 10], Yao [29] considered sets that are autoreducible via probabilistic, polynomial time oracle Turing machines, and he called them coherent. Trakhtenbrot proved two things that are valuable in the study of coherence. First he noted that A ⊕ A is ....
M. Tompa and H. Woll, Random Self-Reducibility and Zero-Knowledge Interactive Proofs of Possession of Information, in Proc. of the 28th Symposium on Foundations of Computer Science (1987), IEEE, 472--482.
....and Wigderson [25] who showed that any NP statement can be proven in zero knowledge, provided that commitment schemes exist. Subsequently, related notions have been proposed; in particular, zero knowledge arguments [8], witness indistinguishability [16] and zero knowledge proofs of knowledge [29, 38, 15]. By now, zero knowledge is the accepted way to define and prove security of various cryptographic tasks; in particular, as proposed by Fiat and Shamir [17], it provides the basis for many proofs of identity. A basic question about zero knowledge. A zero knowledge proof of a non trivial language ....
M. Tompa and H. Woll. Random Self-Reducibility and Zero-Knowledge Interactive Proofs of Possession of Information. In 28th FOCS, pages 472--482, 1987.
....be used for cryptographic purposes such as those in [GMW2]. Remark 1.1: The fact that the [GMR1] definition is not closed under composition, and that non uniform verifiers could be used to overcome this problem, was observed independently by Goldwasser, Micali and Rackoff [GMR2], Tompa and Woll [TW] and Feige and Shamir [FS]. 1.2 Essential Properties of Zero Knowledge: Other results in this paper concern the triviality of certain classes of zero knowledge proof systems. We will consider a class of proof systems trivial in this context if only languages in BPP can have zero knowledge proof ....
Tompa, M., and H. Woll, "Random Self-Reducibility and Zero-Knowledge Interactive Proofs of Possession of Information", Proc. 28th FOCS, 1987, pp. 472-482.
....where no verifier should be able to gain any additional knowledge from P. However, since our proof already works for the less restrictive notion of zero knowledge, we will not need the more restrictive definitions and hence we refer the interested reader to [GMR1] and to [GMR2], [O] and [TW] for a discussion of the definitions. Fortnow [F] proved that if L admits a polynomial round proof which is perfect or statistical zero knowledge for a trusted verifier then the complement of L is in IP[2]. Our main result is that under the same assumption, L itself is in IP[2]. We will prove ....
Tompa, M., and H. Woll, "Random Self-Reducibility and Zero-Knowledge Interactive Proofs of Possession of Information," Proc. of 28th Symposium on Foundations of Computer Science, pp. 472--482, Los Angeles, 1987.
....commitments defined above, we want to capture the strong notion that B, if he accepts the commitment stage, is assured that A knows the value she committed to. We mean knowledge in the sense of the existence of a knowledge extractor E, in the tradition of the definitions of a proof of knowledge [TW87, FFS88]. Note, however, that unlike proofs of knowledge, where an NP witness y is being extracted for a predetermined statement x, in our case, no predetermined statement exists. What is being extracted, the committed-to value, is determined only by the transcript t_C of the commitment stage. Thus, our de ....
Martin Tompa and Heather Woll. Random self-reducibility and zero knowledge interactive proofs of possession of information. In 28th Annual Symposium on Foundations of Computer Science, pages 472-482, Los Angeles, California, 12-14 October 1987. IEEE.
....Fiat and Shamir and prove that it is indeed a zero knowledge proof of identity. 2 Proofs of knowledge. The concept proof of knowledge appeared first in the seminal paper of Goldwasser, Micali and Rackoff [7] but they did not give a formal definition for it. Formal definitions appear in [5] and [12], but Bellare and Goldreich point out some problems with these definitions and suggest a better one in [1]. The differences can be quite subtle, as the following quote perhaps suggests: Intuitively, a two party protocol constitutes a system for proofs of knowledge if whenever one party (called ....
M. Tompa and H. Woll, Random Self Reducibility and Zero-knowledge Interactive Proofs of Knowledge, Proceedings of the 28th Symposium on the Foundation of Computer Science, 1987.
....did not solve the open problem regarding PKC). The first two were given without the exact notion of security and used exchange of new cryptographic keys via interaction. The third one uses interactive proof systems of knowledge as was formalized by Feige, Fiat and Shamir and Tompa and Woll [11, 34]. The sender proves that she knows the ciphertext and thus the CC attack is reduced to chosen plaintext one. As mentioned above, Micali [27] has clarified that the claims about chosen ciphertext secure cryptosystems made in section 5 of [4] refer to a system with initial interaction as well. ....
M. Tompa and H. Woll, Random Self Reducibility and Zero-knowledge Interactive Proofs of Knowledge, Proceedings of the 28th Symposium on the Foundation of Computer Science, 1987.
....and Wigderson [28] who showed that any NP statement can be proven in zero knowledge, provided that commitment schemes exist. Subsequently, related notions have been proposed; in particular, zero knowledge arguments [9], witness indistinguishability [19] and zero knowledge proofs of knowledge [32, 43, 18, 1]. By now, zero knowledge is the accepted way to define and prove security of various cryptographic tasks; in particular, as proposed by Fiat and Shamir [20], it provides the basis for many proofs of identity. A basic question about zero knowledge. A zero knowledge proof of a non trivial language ....
M. Tompa and H. Woll. Random Self-Reducibility and Zero-Knowledge Interactive Proofs of Possession of Information. In 28th FOCS, pages 472--482, 1987.
....where no verifier should be able to gain any additional knowledge from P. However, since our proof already works for the less restrictive notion of zero knowledge, we will not need the more restrictive definitions and hence we refer the interested reader to [GMR1] and to [GMR2], [O] and [TW] for a discussion of the definitions. Fortnow [F] proved that if L admits a polynomial round proof which is perfect or statistical zero knowledge for a trusted verifier then the complement of L is in IP[2]. Our main result is that under the same assumption, L itself is in IP[2]. We will prove ....
Tompa, M., and H. Woll, "Random Self-Reducibility and Zero-Knowledge Interactive Proofs of Possession of Information," Proc. of 28th Symposium on Foundations of Computer Science, pp. 472--482, Los Angeles, 1987.
....small probability. This procedure is not possible for our language. Finally, our results in conjunction with a result of Oren [O] give evidence that the original definition of zero knowledge proposed in [GMR] is in fact less restrictive than the auxiliary input model proposed in several papers [O], [TW], [GMR2]. Oren showed that in the auxiliary input model CZK[2] BPP. Our results hold in a model which is only slightly less restrictive than the auxiliary input model (and more restrictive than the original definition). We can conclude that any proof of equivalence between the various models ....
....enough. For example, the prover cannot be sure that the verifier's worktapes are empty when both parties receive the input. For example, the worktapes may not have been cleared after the verifier completed a previous interaction with another prover. This was noted in [GMR2], [O] and [TW]. The following definitions handle these cases. Let P V(w, u) denote the random variable for the output of the protocol on input w when V runs in polynomial time in |w| but has additional input u that is unknown to P. Let M(w, u) be the random variable for the output of the simulator on input w, ....
Tompa, M., and H. Woll, "Random Self-Reducibility and Zero-Knowledge Interactive Proofs of Possession of Information," Proc. of 28th Symposium on Foundations of Computer Science, pp. 472--482, Los Angeles, 1987.
....is because the verifier checker interrogates the prover program by comparing its output on the specific input of interest to its outputs on other correlated random instances. Several variations of this relationship between random self reducibility and proof systems checkers are stated formally in [BLR, LFKN, TW]. These ideas play a crucial role in the characterization of the language recognition power of interactive proof systems [BFL, LFKN, Sha]. Currently, one of the most important open questions about checkability is whether NP complete sets are checkable. Feigenbaum and Fortnow [FF] use ....
M. Tompa and H. Woll. Random self-reducibility and zero-knowledge interactive proofs of possession of information. In Proceedings of the 28th IEEE Symposium on Foundations of Computer Science, 472--482, 1987.
....under sequential composition [GoKr96]. In cryptographic applications, the cheating verifier may have some additional a priori information. In order to overcome the above problem, the notion of auxiliary input zero knowledge (AIZK) was introduced in [GoOr94]. The similar notion appeared in [TW87], [GMR89]. AIZK is defined by augmenting GMR ZK by an auxiliary input. That is, the simulation requirement is extended to deal with non uniform verifiers, which are allowed to take an auxiliary input (an arbitrary string of polynomial length). The simulator is also allowed to take the same ....
....in the property B3, then 3R ZK satisfies statistical zero knowledgeness as well. The class of languages satisfying the above hypothesis is indeed very large, although we don't know whether it is as large as NP languages. It includes the following languages. 1. Random self reducible languages [TW87]. 2. All monotone formulae over random self reducible languages [DDPY94]. 3. All languages having a non interactive statistical zero knowledge interactive proof [DDP94]. We note that the perfect zero knowledgeness can not be preserved since we can not get rid of the possibility that the ....
M. Tompa and H. Woll, "Random Self-Reducibility and Zero Knowledge Interactive Proofs of Possession of Information," Proceedings of 28th FOCS, pp. 472-482, 1987. A Blum's Zero-Knowledge Protocol for the Hamiltonian Circuit Problem. The following protocol is an atomic ZK interactive proof for the Hamiltonian circuit problem
....such protocols is quite large. For instance, all languages in NP have a computational zero knowledge proof system (e.g. [17, 5]) with these properties, and all random self reducible languages and formula compositions over them have perfect zero knowledge proof systems with these properties ([18, 17, 25, 6]). 4 Equivocable commitment schemes. We recall the notion of equivocable commitment schemes, by presenting two variants of them: computationally and perfectly equivocable commitment schemes. Then we present an example of a computationally equivocable commitment scheme under the assumption of the ....
....complexity assumptions, efficiency, allowing any polynomial number of proofs, and extending to any public coin protocol. Efficiency. In terms of communication and computation complexity, when applied to several 3-round public coin honest verifier zero knowledge protocols in the literature (e.g. [17, 5, 18, 25, 6]), our proof system has efficiency comparable to that of the original protocol. In particular, contrary to previously given concurrent zero knowledge proof systems, the construction of our protocol does not require any NP reduction, which could potentially blow up the parameters. Considering that ....
M. Tompa and H. Woll, Random Self-Reducibility and Zero-Knowledge Interactive Proofs of Possession of Information, Proc. of FOCS 87.
....for any verifier that outputs after interacting with the prover, there is an algorithm that, without benefit of interacting with the prover, produces outputs from a distribution indistinguishable from that of the verifier. The interested reader can find careful definitions of these notions in [20]. The particular problem of knowledge of factorization will be left on the hook until the last section. The intervening sections contain some interesting historical digressions. 1. Background in Computational Number Theory This section discusses some algorithmic questions related to the ....
....algorithm [16]. The other half of the equivalence is more relevant to subsequent sections. The special case of k = 2 distinct prime factors is due to Rabin [17], and will be assumed here for illustrative purposes. The generalization to arbitrary composites N is relatively straightforward [20]. First, note that knowing two square roots modulo N of the same element, one from each of the two pairs of additive inverses, is sufficient to factor N. In particular, if s^2 ≡ t^2 (mod N) and s ≢ ±t (mod N), then g = gcd(s - t, N) is a proper factor of N: surely g is a factor of N, so ....
M. Tompa and H. Woll, "Random Self-Reducibility and Zero Knowledge Interactive Proofs of Possession of Information", 28th Annual Symposium on Foundations of Computer Science, Los Angeles, California, October 1987, 472-482.
M. Tompa and H. Woll. Random Self-Reducibility and Zero-Knowledge Interactive Proofs of Possession of Information. University of California (San Diego), Computer Science and Engineering Department, Technical Report Number CS92-244, June 1992.
Tompa M, Woll H (1987) Random self-reducibility and zero-knowledge interactive proofs of possession of information. In: Proc. 28th IEEE symposium on foundations of computer science, pp 472--482
Martin Tompa and Heather Woll. Random self-reducibility and zero knowledge interactive proofs of possession of information. In 28th Annual Symposium on Foundations of Computer Science, pages 472--482, Los Angeles, California, 12--14 October 1987. IEEE.
M. Tompa and H. Woll, "Random self-reducibility and zero-knowledge interactive proofs of possession of information," Proc. of the IEEE 28th Annual Symposium on Foundations of Computer Science, 1987, pp. 472--482.
CiteSeer.IST - Copyright Penn State and NEC