# How to Prove All NP Statements in Zero-Knowledge and a Methodology of Cryptographic Protocol Design (Extended Abstract)

## Abstract

Under the assumption that encryption functions exist, we show that all languages in NP possess zero-knowledge proofs. That is, it is possible to demonstrate that a CNF formula is satisfiable without revealing any other property of the formula. In particular, without yielding neither a satisfying assignment nor weaker properties such as whether there is a satisfying assignment in which *x* _{1} = *TRUE*, or whether there is a satisfying assignment in which *x* _{1} = *x* _{3} etc.

The above result allows us to prove two fundamental theorems in the field of (two-party and multi-party) cryptographic protocols. These theorems yield automatic and efficient transformations that, given a protocol that is correct with respect to an extremely weak adversary, output a protocol correct in the most adversarial scenario. Thus, these theorems imply powerful methodologies for developing two-party and multi-party cryptographic protocols.

## Keywords

Proof System Cryptographic Protocol Satisfying Assignment Oblivious Transfer Common Input## References

- [AHU]Aho, A.V., J.E. Hopcroft, and J.D. Ullman,
*The Design and Analysis of Computer Algorithms*, Addison-Wesley Publ. Co., 1974.Google Scholar - [ACGS]Alexi, W., B. Chor, O. Goldreich, and C.P. Schnorr, “RSA and Rabin Functions: Certain Parts Are As Hard As The Whole”, to appear in
*SIAM Jour. on Computing*. Extended Abstract in*Proc. 25th FOCS*, 1984.Google Scholar - [AGY]Alon, N., Z. Galil, and M. Yung, “A Fully Polynomial Simultaneous Broadcast in the Presence of Faults”, preprint, 1985.Google Scholar
- [B]Babai, L., “Trading Group Theory for Randomness”,
*Proc. 17th STOC*, 1985, pp. 421–429.Google Scholar - [Bena]Benaloh, (Cohen) J.D., “Secret Sharing Homomorphisms: Keeping Shares of a Secret Secret”, these proceedings.Google Scholar
- [Blu]Blum, M., “Coin Flipping by Phone”,
*IEEE Spring COMPCOM*, pp. 133–137, February 1982.Google Scholar - [BM]Blum, M., and Micali, S., “How to Generate Cryptographically Strong Sequences of Pseudo-Random Bits”,
*SIAM Jour. on Computing*, Vol. 13, 1984, pp. 850–864.zbMATHCrossRefMathSciNetGoogle Scholar - [BC1]Brassard, G., and C. Crepeau, “Zero-Knowledge Simulation of Boolean Circuits”, manuscript 1986.Google Scholar
- [BC2]Brassard, G., and C. Crepeau, “Non-Transitive Transfer of Confidence: A Perfect Zero-Knowledge Interactive Protocol for SAT and Beyond”, manuscript, 1986.Google Scholar
- [BD]Broder, A.Z., and D. Dolev, “Flipping Coins in Many Pockets (Byzantine Agreement on Uniformly Random Values”,
*Proc. 25th FOCS*, 1984, pp. 157–170.Google Scholar - [Cha]Chaum, D., “Demonstrating that a Public Predicate can be Satisfied Without Revealing Any Information About How”, these proceedings.Google Scholar
- [CEGP]Chaum, D., J.H. Evertse, J. van de Graaf, and R. Peralta, “Demonstrating Possession of a Discrete Logarithm without Revealing It”, these proceedings.Google Scholar
- [CGG]Chor, B., O. Goldreich, and S. Goldwasser, “The Bit Security of Modular Squaring given Partial Factorization of the Modulos”,
*Proc. of Crypto85*, to appear (1986).Google Scholar - [CGMA]Chor, B., S. Goldwasser, S. Micali, and B. Awerbuch, “Verifiable Secret Sharing and Achieving Simultaneity in the Presence of Faults”,
*Proc. 26th FOCS*, 1985, pp. 383–395.Google Scholar - [C]Cook, S.A., “The Complexity of Theorem Proving Procedures”,
*Proc. 3rd STOC*, pp. 151–158, 1971.Google Scholar - [DH]Diffie, W., and M.E. Hellman, “New Directions in Cryptography”,
*IEEE Trans. on Inform. Theory*, Vol. IT-22, No. 6, November 1976, pp. 644–654.CrossRefMathSciNetGoogle Scholar - [EGL]Even, S., O. Goldreich, and A. Lempel, “A Randomized Protocol for Signing Contracts”,
*CACM*, Vol. 28, No. 6, 1985, pp. 637–647.MathSciNetGoogle Scholar - [F]Feldman, P., “A Practical Scheme for Verifiable Secret Sharing”, manuscript, 1986.Google Scholar
- [FM]Feldman, P., and S., Micali, in preparation, 1985.Google Scholar
- [FMRW]Fischer, M., S. Micali, C. Rackoff, and D.K. Wittenberg, “An Oblivious Transfer Protocol Equivalent to Factoring”, in preparation. Preliminary versions were presented in
*EuroCrypt84*(1984), and in the*NSF Workshop on Mathematical Theory of Security*, Endicott House (1985).Google Scholar - [GHY]Galil, Z., S. Haber, and M. Yung, “A Private Interactive Test of a Boolean Predicate and Minimum-Knowledge Public-Key Cryptosystems”,
*Proc. 26th FOCS*, 1985, pp. 360–371.Google Scholar - [GJ]Garey, M.R., and D.S. Johnson,
*Computers and Intractability: A Guide to the Theory of NP-Completeness*, W.H. Freeman and Company, New York, 1979.zbMATHGoogle Scholar - [G]Goldreich, O., “A Zero-Knowledge Proof that a Two-Prime Moduli Is Not a Blum Integer”, unpublished manuscript, 1985.Google Scholar
- [GGM]Goldreich, O., S. Goldwasser, and S. Micali, “How to Construct Random Functions”,
*Proc. of 25th Symp. on Foundation of Computer Science*, 1984, pp. 464–479. To appear in*Jour. of ACM*.Google Scholar - [GMW]Goldreich, O., S. Micali, and A. Wigderson, “Proofs that Yield Nothing But their Validity”, in preparation. An extended abstract will appear in the proceedings of
*27th FOCS*, 1986.Google Scholar - [GMW2]Goldreich, O., S. Micali, and A. Wigderson, “How to Automatically Generate Correct and Private Fault-Tolerant Protocols”, in preparations.Google Scholar
- [GM]Goldwasser, S., and S. Micali, “Probabilistic Encryption”,
*JCSS*, Vol. 28, No. 2, 1984, pp. 270–299.zbMATHMathSciNetGoogle Scholar - [GMR]Goldwasser, S., S. Micali, and C. Rackoff, “Knowledge Complexity of Interactive Proofs”,
*Proc. 17th STOC*, 1985, pp. 291–304.Google Scholar - [GMRiv]Goldwasser, S., S. Micali, and R.L. Rivest, “A
*Paradoxical*Signature Scheme”,*Proc. 25th FOCS*, 1984.Google Scholar - [GS]Goldwasser, S., and M. Sipser, “Arthur Merlin Games versus Interactive Proof Systems”,
*Proc. 18th STOC*, pp. 59–68, 1986.Google Scholar - [K]Karp, R.M., “Reducibility among Combinatorial Problems”,
*Complexity of Computer Computations*, R.E. Miller and J.W. Thatcher (eds.), Plenum Press, pp. 85–103, 1972.Google Scholar - [L]Levin, L.A., “Universal Search Problems”,
*Problemy Peredaci Informacii 9*, pp. 115–116, 1973. Translated in*problems of Information Transmission 9*, pp. 265–266.MathSciNetzbMATHGoogle Scholar - [RSA]Rivest, R.L., Shamir, A., and Adleman, L., “A Method for Obtaining Digital Signatures and Public Key Cryptosystems”,
*Comm. of the ACM*, Vol. 21, February 1978, pp. 120–126.zbMATHCrossRefMathSciNetGoogle Scholar - [R1]Rabin, M.O., “Digitalized Signatures as Intractable as Factorization”, MIT/LCS/TR-212, 1979.Google Scholar
- [R2]Rabin, M.O., “How to Exchange Secrets by Oblivious Transfer”, unpublished manuscript, 1981.Google Scholar
- [Sha]Shamir, A., “How to Share a Secret”,
*CACM*, Vol. 22, 1979, pp. 612–613.zbMATHMathSciNetGoogle Scholar - [Y]Yao, A.C., “Theory and Applications of Trapdoor Functions”,
*Proc. of the 23rd IEEE Symp. on Foundation of Computer Science*, 1982, pp. 80–91.Google Scholar