Honest Verifier vs Dishonest Verifier in Public Coin Zero-Knowledge Proofs

This paper presents two transformations of public-coin/Arthur-Merlin proof systems which are zero-knowledge with respect to the honest verifier into (public-coin/Arthur-Merlin) proof systems which are zero-knowledge with respect to any verifier.The first transformation applies only to constant-round proof systems. It builds on Damgard's transformation (see Crypto93), using ordinary hashing functions instead of the interactive hashing protocol (of Naor, Ostrovsky, Venkatesan and Yung - see Crypto92) which was used by Damgard. Consequently, the protocols resulting from our transformation have much lower round-complexity than those derived by Damgard's transformation. As in Damgard's transformation, our transformation preserves statistical/perfect zero-knowledge and does not rely on any computational assumptions. However, unlike Damgard's transformation, the new transformation is not applicable to argument systems or to proofs of knowledge.The second transformation can be applied to proof systems of arbitrary number of rounds, but it only preserves statistical zero-knowledge. It assumes the existence of secure commitment schemes and transforms any public-coin proof which is statistical zero-knowledge with respect to the honest into one which is statistical zero-knowledge (in general). It follows, by a result of Ostrovsky and Wigderson (1993), that any language which is "hard on the average" and has a public-coin proof system which is statistical zero-knowledge with respect to the honest verifier, has a proof system which is statistical zero-knowledge (with respect to any verifier).

[1]  Oded Goldreich,et al.  Interactive proof systems: Provers that never fail and random selection , 1987, 28th Annual Symposium on Foundations of Computer Science (sfcs 1987).

[2]  Oded Goldreich,et al.  Foundations of Cryptography (Fragments of a Book) , 1995 .

[3]  Adi Shamir,et al.  Zero Knowledge Proofs of Knowledge in Two Rounds , 1989, CRYPTO.

[4]  Rafail Ostrovsky,et al.  One-way functions are essential for non-trivial zero-knowledge , 1993, [1993] The 2nd Israel Symposium on Theory and Computing Systems.

[5]  Rafail Ostrovsky,et al.  Fair Games against an All-Powerful Adversary , 1990, Advances In Computational Complexity Theory.

[6]  David Chaum,et al.  Minimum Disclosure Proofs of Knowledge , 1988, J. Comput. Syst. Sci..

[7]  Ivan Damgård,et al.  Hashing Functions can Simplify Zero-Knowledge Protocol Design (too) , 1994 .

[8]  Ivan Damgård,et al.  Interactive Hashing can Simplify Zero-Knowledge Protocol Design Without Computational Assumptions (Extended Abstract) , 1993, CRYPTO.

[9]  Rafail Ostrovsky,et al.  The (true) complexity of statistical zero knowledge , 1990, STOC '90.

[10]  Shafi Goldwasser,et al.  Private coins versus public coins in interactive proof systems , 1986, STOC '86.

[11]  Nathan Linial,et al.  Fault-tolerant computation in the full information model , 1991, [1991] Proceedings 32nd Annual Symposium of Foundations of Computer Science.

[12]  Moti Yung,et al.  Direct Minimum-Knowledge Computations , 1987, CRYPTO.

[13]  Hugo Krawczyk,et al.  On the Composition of Zero-Knowledge Proof Systems , 1990, ICALP.

[14]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[15]  Moti Yung,et al.  Everything in NP can be Argued in Perfect Zero-Knowledge in a Bounded Number of Rounds , 1989, ICALP.

[16]  Rafail Ostrovsky,et al.  Interactive Hashing Simplifies Zero-Knowledge Protocol Design , 1994, EUROCRYPT.

[17]  Silvio Micali,et al.  Everything Provable is Provable in Zero-Knowledge , 1990, CRYPTO.

[18]  Silvio Micali,et al.  Proofs that yield nothing but their validity and a methodology of cryptographic protocol design , 1986, 27th Annual Symposium on Foundations of Computer Science (sfcs 1986).

[19]  László Babai,et al.  Trading group theory for randomness , 1985, STOC '85.

[20]  GoldreichOded,et al.  Definitions and properties of zero-knowledge proof systems , 1994 .

[21]  Rafail Ostrovsky,et al.  Perfect Zero-Knowledge Arguments for NP Can Be Based on General Complexity Assumptions (Extended Abstract) , 1992, CRYPTO.

[22]  Hugo Krawczyk,et al.  On the Composition of Zero-Knowledge Proof Systems , 1990, ICALP.