Broadcast Interactive Proofs
In this paper we extend the notion of (single-verifier) interactive zero-knowledge proofs to (multi-verifier) broadcast proofs. In our scheme the prover broadcasts messages to many verifiers simultaneously. We consider two cases: one for which the number of rounds of messages exchanged is unbounded (as a function of the length of the common input x), and one for which it is constant. Compared to repeated single-verifier proofs (one proof for each verifier), the saving in broadcast bits is of the order of the number of verifiers in the first case, provided there are enough verifiers. More precisely, if the number of verifiers exceeds log |x| then there is “practically” no extra cost in broadcast bits by further increasing the number of verifiers. In the second case the saving in the number of rounds is “practically” |x|/log|x|. An added feature of broadcast proofs of the second type is that they are sabotage-free.
Our scheme makes use of a network which directs the messages of the verifiers to the prover. The universality of the scheme derives from the way in which the network handles collisions.
Keywords: Turing Machine, Final Paper, Common Input, Interactive Proof, Incoming Call