Witness indistinguishable and witness hiding protocols

A two-party protocol in which party A uses one of several secret witnesses to an NP assertion is witness indistinguishable if party B cannot tell which witness A is actually using. The protocol is witness hiding if by the end of the protocol B cannot compute any new witness which he did not know before the protocol began. Witness hiding is a natural security requirement, and can replace zero knowledge in many cryptographic protocols. We prove two central results: 1. Unlike zero knowledge protocols, witness indistinguishability is preserved under arbitrary composition of protocols, including parallel execution. 2. If a statement has at least two independent witnesses, then any witness indistinguishable protocol for this statement is also
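The definition of witness indistinguishability above can be checked exhaustively on a toy instance. The following is an added example, not code or a construction taken from the paper: it assumes a standard three-move proof of knowledge of a representation y = g^a · h^b in a prime-order group, with constructed parameters (p = 23, q = 11, g = 2, h = 3) small enough to enumerate every choice of A's randomness, and all function names are hypothetical.

```python
from collections import Counter
from itertools import product

# Constructed toy parameters: G and H both have prime order Q modulo P.
P, Q, G, H = 23, 11, 2, 3
ALL_COINS = list(product(range(Q), repeat=2))
REUSED_COINS = [(r, r) for r in range(Q)]  # flawed prover: r2 always equals r1

def commit(a, b):
    """g^a * h^b mod p. The statement is y = commit(a, b); (a, b) is a witness."""
    return pow(G, a, P) * pow(H, b, P) % P

def witnesses(y):
    """All witnesses for y (feasible only because the group is tiny)."""
    return [w for w in ALL_COINS if commit(*w) == y]

def verify(y, t, c, s1, s2):
    """B's acceptance check: g^s1 * h^s2 == t * y^c (mod p)."""
    return commit(s1, s2) == t * pow(y, c, P) % P

def view(y, witness, challenge, coins=ALL_COINS):
    """Exact distribution of B's transcript when A proves y using `witness`.
    `challenge` is B's strategy, an arbitrary function of A's first message."""
    a, b = witness
    dist = Counter()
    for r1, r2 in coins:                      # enumerate A's randomness
        t = commit(r1, r2)                    # A -> B
        c = challenge(t) % Q                  # B -> A (possibly dishonest)
        s1, s2 = (r1 + c * a) % Q, (r2 + c * b) % Q   # A -> B
        if not verify(y, t, c, s1, s2):
            raise ValueError("honest proof rejected")
        dist[(t, c, s1, s2)] += 1
    return dist

def witness_indistinguishable(y, challenge, coins=ALL_COINS):
    """True iff B's view is identically distributed for every witness of y."""
    views = [view(y, w, challenge, coins) for w in witnesses(y)]
    return all(v == views[0] for v in views)

if __name__ == "__main__":
    y = commit(3, 5)
    adaptive = lambda t: t * t + 1            # B picks c as a function of t
    print(len(witnesses(y)), "witnesses for y =", y)
    print("sound prover WI:", witness_indistinguishable(y, adaptive))
    print("coin-reusing prover WI:",
          witness_indistinguishable(y, adaptive, REUSED_COINS))
```

With full randomness B's view is identical for all 11 witnesses even when B chooses the challenge adaptively; the coin-reusing prover still passes verification, yet its transcripts differ from witness to witness, so it is not witness indistinguishable.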
