Parallel Divertibility of Proofs of Knowledge (Extended Abstract)

An interactive proof is transferred if a person, while interacting with the prover, convinces a (second) verifier of the statement. Divertible proof systems, first introduced by Desmedt et al., offer a more subtle way of transferring a proof: the messages are blinded so that neither the prover nor the second verifier can ever discover what is going on. While the ability to transfer (and divert) interactive proofs is useful in many situations, it also has the disadvantage that the prover has less control over the use of the proofs. This paper investigates (and limits) the possibilities of transferring and diverting certain interactive proofs. In particular, it is shown that zero-knowledge proof systems based on a polynomial number of sequential iterations of a three-move protocol cannot be transferred (and hence diverted) to two independent third parties, even with only a small (inverse polynomial) probability of success, unless the proof is insecure for the prover. Furthermore, if the three-move protocol in itself constitutes a witness hiding proof of knowledge, it is shown that it cannot be diverted to two independent third parties simultaneously with overwhelming probability of success. This result rules out one possible attack on the blind signature scheme suggested by Ohta and Okamoto.
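The following is an added worked example, not code from the paper or its authors. It shows what "diverting" a three-move proof of knowledge means concretely: a Schnorr-style identification protocol (proof of knowledge of a discrete logarithm) is run between a prover P and a verifier V through a warden W that re-randomises every message, so that P's transcript and V's transcript are perfectly unlinkable. It also shows the naive way of diverting one prover run to two verifiers at once, which only works if the two unblinded challenges collide. The blinding (a' = a*g^alpha*y^beta, c = c' + beta, s' = s + alpha) is the standard re-randomisation used for Schnorr-type protocols; the group parameters P, Q, G and all function names are constructed for this example and are toy sizes, not anything from the paper.

```python
"""Divertible three-move (Schnorr-style) proof of knowledge over a toy group.

Added example, not from the paper.  Assumes the standard Schnorr
identification protocol and the usual re-randomisation of its three messages
by a warden sitting between prover and verifier.  The group is a constructed
toy (p = 1019 = 2*509 + 1, g of prime order q = 509); real deployments use
groups of 256 bits or more.
"""
import secrets

P = 1019            # prime, P = 2*Q + 1 (constructed toy parameter)
Q = 509             # prime order of the subgroup generated by G
G = 4               # 2^2 mod P, so G has order Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1          # secret witness x in [1, Q-1]
    return x, pow(G, x, P)                     # public key y = g^x


def prover_commit():
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)                     # move 1: a = g^r


def prover_respond(x, r, c):
    return (r + c * x) % Q                     # move 3: s = r + c*x


def verify(y, a, c, s):
    return pow(G, s, P) == (a * pow(y, c, P)) % P   # accept iff g^s == a * y^c


def warden_blind_commit(y, a):
    """W re-randomises the prover's commitment before forwarding it to V."""
    alpha = secrets.randbelow(Q)
    beta = secrets.randbelow(Q)
    a_prime = (a * pow(G, alpha, P) * pow(y, beta, P)) % P
    return (alpha, beta), a_prime


def warden_unblind_challenge(blinders, c_prime):
    _, beta = blinders
    return (c_prime + beta) % Q               # c = c' + beta, sent on to P


def warden_blind_response(blinders, s):
    alpha, _ = blinders
    return (s + alpha) % Q                    # s' = s + alpha, sent on to V


def run_diverted(x, y, c_prime):
    """Full P <-> W <-> V run. Returns (prover_view, verifier_view, accepted)."""
    r, a = prover_commit()
    blinders, a_prime = warden_blind_commit(y, a)
    c = warden_unblind_challenge(blinders, c_prime)
    s = prover_respond(x, r, c)
    s_prime = warden_blind_response(blinders, s)
    return (a, c, s), (a_prime, c_prime, s_prime), verify(y, a_prime, c_prime, s_prime)


def linking_blinders(prover_view, verifier_view):
    """For ANY accepting prover transcript and ANY accepting verifier transcript
    there is exactly one (alpha, beta) relating them, so neither P nor V can
    tell which of their transcripts belong together (perfect unlinkability)."""
    _, c, s = prover_view
    _, c_p, s_p = verifier_view
    return (s_p - s) % Q, (c - c_p) % Q


def consistent(y, prover_view, verifier_view):
    alpha, beta = linking_blinders(prover_view, verifier_view)
    a, _, _ = prover_view
    a_p, _, _ = verifier_view
    return a_p == (a * pow(G, alpha, P) * pow(y, beta, P)) % P


def try_divert_to_two(x, y, c1, c2):
    """Naive attempt to divert ONE prover run to TWO verifiers at once.  W must
    fix both blinded commitments before seeing c1 and c2, and P answers only
    one challenge, so the second verifier accepts only if the two unblinded
    challenges collide, which happens with probability 1/Q.
    Returns (verifier1_accepts, verifier2_accepts, challenges_collided)."""
    r, a = prover_commit()
    b1, a1 = warden_blind_commit(y, a)
    b2, a2 = warden_blind_commit(y, a)
    c_for_v1 = warden_unblind_challenge(b1, c1)
    c_for_v2 = warden_unblind_challenge(b2, c2)
    s = prover_respond(x, r, c_for_v1)          # P only ever sees c_for_v1
    ok1 = verify(y, a1, c1, warden_blind_response(b1, s))
    ok2 = verify(y, a2, c2, warden_blind_response(b2, s))
    return ok1, ok2, c_for_v1 == c_for_v2
```

Note that consistent() returns True for any two accepting transcripts, even ones from unrelated runs: that is exactly the unlinkability that makes the diverted proof useful, and also why the prover loses control over where its proofs end up. The two-verifier function only shows the obvious warden strategy failing; the paper's result is the stronger statement that no strategy succeeds.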

[1] Lidong Chen et al. Witness Hiding Proofs and Applications, 1994.

[2] Amos Fiat et al. How to Prove Yourself: Practical Solutions to Identification and Signature Problems, CRYPTO 1986.

[3] Silvio Micali et al. The Knowledge Complexity of Interactive Proof Systems, SIAM J. Comput., 1989.

[4] Samy Bengio et al. Special Uses and Abuses of the Fiat-Shamir Passport Protocol, CRYPTO 1987.

[5] Adi Shamir et al. Witness Indistinguishable and Witness Hiding Protocols, STOC 1990.

[6] David Chaum et al. Zero-Knowledge Undeniable Signatures, EUROCRYPT 1991.

[7] Kazuo Ohta et al. Divertible Zero Knowledge Interactive Proofs and Commutative Random Self-Reducibility, EUROCRYPT 1990.

[8] David Chaum et al. An Improved Protocol for Demonstrating Possession of Discrete Logarithms and Some Generalizations, EUROCRYPT 1987.

[9] Martin Tompa et al. Random Self-Reducibility and Zero Knowledge Interactive Proofs of Possession of Information, 28th Annual Symposium on Foundations of Computer Science (FOCS), 1987.

[10] Kouichi Sakurai et al. Any Language in IP Has a Divertable ZKIP, ASIACRYPT 1991.

[11] Gustavus J. Simmons et al. The Prisoners' Problem and the Subliminal Channel, CRYPTO 1983.

[12] Amos Fiat et al. Zero-Knowledge Proofs of Identity, Journal of Cryptology, 1988.

[13] Mike Burmester, Yvo Desmedt. All Languages in NP Have Divertible Zero-Knowledge Proofs and Arguments Under Cryptographic Assumptions, EUROCRYPT 1990.