Honest Verifier vs Dishonest Verifier in Public Coin Zero-Knowledge Proofs

Ivan Damgård, Oded Goldreich, Tatsuaki Okamoto, Avi Wigderson
This paper presents two transformations of public-coin/Arthur-Merlin proof systems which are zero-knowledge with respect to the honest verifier into (public-coin/Arthur-Merlin) proof systems which are zero-knowledge with respect to any verifier. The first transformation applies only to constant-round proof systems. It builds on Damgård's transformation (see Crypto93), using ordinary hashing functions instead of the interactive hashing protocol (of Naor, Ostrovsky, Venkatesan and Yung - see…
Honest-verifier statistical zero-knowledge equals general statistical zero-knowledge
We show how to transform any interactive proof system which is statistical zero-knowledge with respect to the honest-verifier, into a proof system which is statistical zero-knowledge with respect to
On transformation of interactive proofs that preserve the prover's complexity
  • S. Vadhan
  • Computer Science, Mathematics
    STOC '00
  • 2000
It is argued that the increase in prover complexity incurred by the transformation of Furer et al.
Generic yet Practical ZK Arguments from any Public-Coin HVZK
This work develops a generic yet practical 3-round perfectly-hiding equivocal (string) commitment scheme under any OWF admitting Σ-protocols, which is possibly of independent value, and shows that three rounds is the lower bound of round-complexity for equivocal commitment schemes.
Keeping the SZK-Verifier Honest Unconditionally
This paper shows that using direct properties of a zero-knowledge protocol itself, one may impose an honest behavior on the verifier (without additional cryptographic tools) when using a non-uniform simulation model of SZK.
Practical zero-knowledge protocols based on the discrete logarithm assumption
This work constructs zero-knowledge arguments with sublinear communication complexity, and achievable computational demands, and constructs new protocols which compare very favorably to the current state of the art.
Generic yet Practical (Statistical) Zero-Knowledge from any Public-Coin HVZK
A generic yet practical three-round perfectly-hiding equivocal (string) commitment scheme under any OWF admitting Σ-protocols, which is of independent value and the round-complexity (i.e., three rounds) is optimal for black-box equivocal commitment schemes.
A Study of Statistical Zero-Knowledge Proofs
This thesis is a detailed investigation of statistical zero-knowledge proofs, which are zero-knowledge proofs in which the condition that the verifier “learns nothing” is interpreted in a strong statistical sense.
Efficient Zero-Knowledge Proof Systems
An overview of some central techniques behind the construction of efficient zero-knowledge proof systems is given, where the prover convinces the verifier that the statement is true but does not leak any other information.
Zero-Knowledge Proof for Knowledge of RLWE (Ring-Learning with Errors) Secret Keys
A cryptanalysis of RLWE key exchange is provided, presenting two polynomial time strategies to exploit key reuse and a defense against such exploits is proposed by presenting a Zero Knowledge authentication protocol to verify the prover’s knowledge of a secret corresponding to his public key.
Witness-Indistinguishability Against Quantum Adversaries: 6.845 Quantum Complexity Theory – Project Report
This report characterizes witness-indistinguishability against quantum adversaries and surveys the main results of research aimed at characterizing what happens to zero-knowledge when quantum adversaries are possible.


Interactive Hashing can Simplify Zero-Knowledge Protocol Design Without Computational Assumptions (Extended Abstract)
We show that any 3-round protocol (in general, any bounded round protocol) in which the verifier sends only random bits, and which is zero-knowledge against an honest verifier can be transformed into
Private coins versus public coins in interactive proof systems
The probabilistic, nondeterministic, polynomial time Turing machine is defined and shown to be equivalent in power to the interactive proof system and to BPP much as BPP is the Probabilistic analog to P.
Interactive Hashing Simplifies Zero-Knowledge Protocol Design
This paper shows how a compiler which transforms protocols proven secure only with respect to the honest verifier into protocols which are secure against any (even cheating) verifier can be constructed based on any one-way permutation using the recent method of interactive hashing.
Everything in NP can be Argued in Perfect Zero-Knowledge in a Bounded Number of Rounds
This paper gives the first perfect zero-knowledge protocol that offers arbitrarily high security for any statement in NP with a constant number of rounds (under the assumption that it is infeasible to compute discrete logarithms modulo p even for someone who knows the factors of p−1, or more generally under the assumptions that one-way group homomorphisms exist).
Hashing Functions can Simplify Zero-Knowledge Protocol Design (too)
In Crypto93, Damgård showed that any constant-round protocol in which the verifier sends only independent, random bits and which is zero-knowledge against the honest verifier can be transformed into
Perfect Zero-Knowledge Arguments for NP Can Be Based on General Complexity Assumptions (Extended Abstract)
A general construction of zero-knowledge arguments, which can be based on any one-way permutation, is shown, which is efficient: both players can execute only polynomial-time programs during the protocol, and the security achieved is on-line.
On the Composition of Zero-Knowledge Proof Systems
It is proved that three-round interactive proofs and constant-round Arthur-Merlin proofs that are black-box simulation zero-knowledge exist only for languages in BPP, and it follows that the "parallel versions" of the first interactive proof systems presented for quadratic residuosity, graph isomorphism, and any language in NP, are not black-box simulation zero-knowledge, unless the corresponding languages are in BPP.
The (true) complexity of statistical zero knowledge
It is shown that given a complexity assumption a much weaker condition suffices to attain statistical zero-knowledge and is able to simplify statistical zero-knowledge and to better characterize, on many counts, the class of languages that possess statistical zero-knowledge proofs.
Zero Knowledge Proofs of Knowledge in Two Rounds
These protocols rely on two novel ideas: One for constructing commitment schemes, the other for constructing subprotocols which are not known to be zero knowledge, yet can be proven not to reveal useful information.
Proofs that yield nothing but their validity and a methodology of cryptographic protocol design
This paper demonstrates the generality and wide applicability of zero-knowledge proofs, a notion introduced by Goldwasser, Micali and Rackoff that efficiently demonstrate membership in the language without conveying any additional knowledge.