On zero-knowledge proofs (extended abstract): “from membership to decision”

"Zero-knowledge proofs of membership" are methods for proving tha t a string x is in a language L without revealing any additional information. This is a fundamental notion that has proven to be useful and applicable in many settings. Two main variants have been considered in the literature. The first, "zero-knowledge proofs of decision power", consists of methods for proving the knowledge of whether a string x is in a language L or not without revealing any additional information. The second, "result-indistinguishable zero-knowledge proofs of decision", consists of methods for transfering whether a string x is in a language L or not without revealing any additional information. Due to the quite stringent definitions of these two variants, i t seemed tha t the class of languages having zero-knowledge proofs of membership was not as large as any of the classes of languages having zero-knowledge protocols in these two models. In this paper we give strong indications tha t this may not be the case. Our main result is tha t any language having what we call "meet-the challenge" game as a perfect (statistical) zk proof of membership, has also such a perfect (statistical) zk proof in the two "decision proof" models. This can be extended to prove, among other things, tha t honest-verifier statistical zk proof of membership for a language implies a honest-verifier statistical zk protocol in the two "decision" models. Technically, we introduce new protocol techniques, such as "language-based coin' flipping protocols" tha t may have other applications.

[1]  Rafail Ostrovsky,et al.  One-way functions are essential for non-trivial zero-knowledge , 1993, [1993] The 2nd Israel Symposium on Theory and Computing Systems.

[2]  Silvio Micali,et al.  Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems , 1991, JACM.

[3]  Giovanni Di Crescenzo,et al.  Result-Indistinguishable Zero-Knowledge Proofs: Increased Power and Constant-Round Protocols , 1998, STACS.

[4]  Manuel Blum,et al.  Coin flipping by telephone a protocol for solving impossible problems , 1983, SIGA.

[5]  Giovanni Di Crescenzo,et al.  Checking Programs Discreetly: Demonstrating Result-Correctness Efficiently while Concealing it , 1998, ISAAC.

[6]  Moti Yung,et al.  Zero-Knowledge Proofs of Computational Power (Extended Summary) , 1989, EUROCRYPT.

[7]  Oded Goldreich,et al.  Comparing entropies in statistical zero knowledge with applications to the structure of SZK , 1999, Proceedings. Fourteenth Annual IEEE Conference on Computational Complexity (Formerly: Structure in Complexity Theory Conference) (Cat.No.99CB36317).

[8]  Tatsuaki Okamoto,et al.  On relationships between statistical zero-knowledge proofs , 1996, STOC '96.

[9]  Rafail Ostrovsky,et al.  Perfect zero-knowledge in constant rounds , 1990, STOC '90.

[10]  Giovanni Di Crescenzo,et al.  Zero-knowledge proofs of decision power: new protocols and optimal round-complexity , 1997, ICICS.

[11]  Giovanni Di Crescenzo,et al.  Proofs of membership vs. proofs of knowledge , 1998, Proceedings. Thirteenth Annual IEEE Conference on Computational Complexity (Formerly: Structure in Complexity Theory Conference) (Cat. No.98CB36247).

[12]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[13]  Moti Yung,et al.  Minimum-Knowledge Interactive Proofs for Decision Problems , 1989, SIAM J. Comput..

[14]  Manuel Blum,et al.  Designing programs that check their work , 1989, STOC '89.

[15]  Giovanni Di Crescenzo,et al.  On monotone formula closure of SZK , 1994, Proceedings 35th Annual Symposium on Foundations of Computer Science.

[16]  M. Naor,et al.  Perfect zero-knowledge ar-guments for NP can be based on general complexity assumptions , 1998 .

[17]  Ivan Damgård,et al.  Interactive Hashing can Simplify Zero-Knowledge Protocol Design Without Computational Assumptions (Extended Abstract) , 1993, CRYPTO.

[18]  Amit Sahai,et al.  A complete promise problem for statistical zero-knowledge , 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[19]  Rafail Ostrovsky,et al.  Perfect Zero-Knowledge Arguments for NP Can Be Based on General Complexity Assumptions (Extended Abstract) , 1992, CRYPTO.

[20]  Moti Yung,et al.  Direct Minimum-Knowledge Computations , 1987, CRYPTO.

[21]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[22]  Moni Naor,et al.  Bit Commitment Using Pseudo-Randomness , 1989, CRYPTO.

[23]  Adi Shamir,et al.  IP = PSPACE , 1992, JACM.

[24]  Amos Fiat,et al.  Zero-knowledge proofs of identity , 1987, Journal of Cryptology.

[25]  Mihir Bellare,et al.  On Defining Proofs of Knowledge , 1992, CRYPTO.

[26]  Alfredo De Santis,et al.  Zero-Knowledge Proofs of Computational Power in the Shared String Model , 1994, ASIACRYPT.

[27]  Martín Abadi,et al.  On hiding information from an oracle , 1987, STOC '87.

[28]  Silvio Micali,et al.  Everything Provable is Provable in Zero-Knowledge , 1990, CRYPTO.

[29]  Giovanni Di Crescenzo,et al.  Image Density is Complete for Non-Interactive-SZK (Extended Abstract) , 1998, ICALP.

[30]  Martin Tompa,et al.  Random self-reducibility and zero knowledge interactive proofs of possession of information , 1987, 28th Annual Symposium on Foundations of Computer Science (sfcs 1987).