On the complexity of bounded-interaction and noninteractive zero-knowledge proofs

We consider the basic cryptographic primitive known as zero-knowledge proofs on committed bits. In this primitive, a prover P commits to a set of bits, and then at a later time convinces a verifier V that some property /spl Pscr/ holds for a subset of these bits. It is known how to implement this primitive based on an ordinary bit-committal primitive, but the standard implementations involve a great deal of interaction between the prover and the verifier. We introduce new implementations that require markedly less interaction. We implement bounded-interaction proofs on committed bits, generalizing a model of A. De Micali et al. (1988). For all security parameters, our implementations require only a lg/sup 2/ (n) overhead over the best known circuit-based interactive implementations; for sufficiently large security parameters this gap drops to a lg(n) factor.<<ETX>>