TY - GEN

T1 - On zero-knowledge proofs

T2 - 32nd Annual ACM Symposium on Theory of Computing, STOC 2000

AU - Di Crescenzo, Giovanni

AU - Sakurai, Kouichi

AU - Yung, Moti

PY - 2000

Y1 - 2000

N2 - "Zero-knowledge proofs of membership" are methods for proving that a string x is in a language L without revealing any additional information. This is a fundamental notion that has proven to be useful and applicable in many settings. Two main variants have been considered in the literature. The first, "zero-knowledge proofs of decision power", consists of methods for proving the knowledge of whether a string x is in a language L or not without revealing any additional information. The second, "result- indistinguishable zero-knowledge proofs of decision", consists of methods for transfering whether a string x is in a language L or not without revealing any additional information. Due to the quite stringent definitions of these two variants, it seemed that the class of languages having zero-knowledge proofs of membership was not as large as any of the classes of languages having zero-knowledge protocols in these two models. In this paper we give strong indications that this may not be the case. Our main result is that any language having what we call "meet-the challenge" game as a perfect (statistical) zk proof of membership, has also such a perfect (statistical) zk proof in the two "decision proof" models. This can be extended to prove, among other things, that honest-verifier statistical zk proof of membership for a language implies a honest-verifier statistical zk protocol in the two "decision" models. Technically, we introduce new protocol techniques, such as "language-based coin flipping protocols" that may have other applications.

AB - "Zero-knowledge proofs of membership" are methods for proving that a string x is in a language L without revealing any additional information. This is a fundamental notion that has proven to be useful and applicable in many settings. Two main variants have been considered in the literature. The first, "zero-knowledge proofs of decision power", consists of methods for proving the knowledge of whether a string x is in a language L or not without revealing any additional information. The second, "result- indistinguishable zero-knowledge proofs of decision", consists of methods for transfering whether a string x is in a language L or not without revealing any additional information. Due to the quite stringent definitions of these two variants, it seemed that the class of languages having zero-knowledge proofs of membership was not as large as any of the classes of languages having zero-knowledge protocols in these two models. In this paper we give strong indications that this may not be the case. Our main result is that any language having what we call "meet-the challenge" game as a perfect (statistical) zk proof of membership, has also such a perfect (statistical) zk proof in the two "decision proof" models. This can be extended to prove, among other things, that honest-verifier statistical zk proof of membership for a language implies a honest-verifier statistical zk protocol in the two "decision" models. Technically, we introduce new protocol techniques, such as "language-based coin flipping protocols" that may have other applications.

UR - http://www.scopus.com/inward/record.url?scp=0033701729&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=0033701729&partnerID=8YFLogxK

U2 - 10.1145/335305.335336

DO - 10.1145/335305.335336

M3 - Conference contribution

AN - SCOPUS:0033701729

SN - 1581131844

SN - 9781581131840

T3 - Proceedings of the Annual ACM Symposium on Theory of Computing

SP - 255

EP - 264

BT - Proceedings of the 32nd Annual ACM Symposium on Theory of Computing, STOC 2000

Y2 - 21 May 2000 through 23 May 2000

ER -