In this paper we re-examine the nature of zero-knowledge. We present evidence that the classic simulation-based definitions of zero-knowledge (simulation zero-knowledge) may be somewhat too strong to include some “nice” protocols in which the malicious verifier seems to learn nothing but for which we do not know how to construct a zero-knowledge simulator. We overcome this problem by introducing reduction zero-knowledge. We show that reduction zero-knowledge lies between simulation zero-knowledge and witness indistinguishability. That is, any simulation zero-knowledge protocol is also reduction zero-knowledge, and reduction zero-knowledge implies witness indistinguishability, but the converse implications are not guaranteed to hold.
Reduction zero-knowledge makes two major contributions. One is that it introduces reduction between different protocols and extends the approaches available to characterize the nature of zero-knowledge. Note that reduction is a widely used paradigm in the field of computer science. The other is that, in contrast to normal simulation zero-knowledge, reduction zero-knowledge can be made more efficient (especially for the verifier) and can be constructed under weaker assumptions, while losing little security compared with a corresponding simulation zero-knowledge protocol.
In this paper a 4-round public-coin reduction zero-knowledge proof system for NP is presented. In practice this protocol works in 3 rounds, since the verifier’s first message can be fixed once and for all.
Keywords: zero-knowledge, non-interactive zero-knowledge, witness indistinguishability, zap, bit commitment