# Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems

@article{Goldreich1991ProofsTY, title={Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems}, author={Oded Goldreich and Silvio Micali and Avi Wigderson}, journal={J. ACM}, year={1991}, volume={38}, pages={691-729} }

In this paper the generality and wide applicability of Zero-knowledge proofs, a notion introduced by Goldwasser, Micali, and Rackoff is demonstrated. These are probabilistic and interactive proofs that, for the members of a language, efficiently demonstrate membership in the language without conveying any additional knowledge. All previously known zero-knowledge proofs were only for number-theoretic languages in NP fl CONP. Under the assumption that secure encryption functions exist or by using…

## 1,415 Citations

Necessary and Sufficient Assumptions for Non-iterative Zero-Knowledge Proofs of Knowledge for All NP Relations

- Mathematics, Computer ScienceICALP
- 2000

It is shown that assuming the hardness of factoring Blum integers is sufficient for such constructions of non-interactive zero-knowledge proofs of knowledge, namely, methods for writing a proof that on input x the prover knows y such that relation R(x, y) holds.

Deterministic-Prover Zero-Knowledge Proofs

- Mathematics, Computer ScienceIACR Cryptol. ePrint Arch.
- 2020

This paper proves the existence of deterministicprover auxiliary-input honest-verifier zero-knowledge for any NP language, under standard assumptions, and sheds light on the necessity of randomness in zero knowledge in settings where either the verifier is honest or there is no auxiliary input.

On the communication complexity of zero-knowledge proofs

- Computer Science, MathematicsJournal of Cryptology
- 2007

This paper studies the concrete complexity of the known general methods for constructing zero-knowledge proofs, and establishes that circuit-based methods, which can be applied in either the GMR or the BCC model, have the potential of producing proofs which could be used in practice.

Efficient Perfectly Sound One-message Zero-Knowledge Proofs via Oracle-aided Simulation

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2019

New efficient one-message proof systems for several practical applications are put forth, like proving that an El Gamal ciphertext decrypts to a given value and correctness of a shuffle and a perfectly sound non-interactive ZAP, WH and HZK proof system for NP relations from number-theoretic assumptions over multiplicative groups of hidden order.

Practical zero-knowledge protocols based on the discrete logarithm assumption

- Computer Science, Mathematics
- 2014

This work constructs zero-knowledge arguments with sublinear communication complexity, and achievable computational demands, and constructs new protocols which compare very favorably to the current state of the art.

Zero Knowledge Proofs for Exact Cover and 0-1 Knapsack

- Computer Science, Mathematics
- 2012

This paper designs ZKPs for those two NP problems: exact cover and 0-1 knapsack and designs a ZKP for Graph Three-colorability.

A uniform-complexity treatment of encryption and zero-knowledge

- Computer Science, MathematicsJournal of Cryptology
- 2007

It is shown that uniform variants of the two definitions of security, presented in the pioneering work of Goldwasser and Micali, are in fact equivalent, and how to construct such zero-knowledge proof systems for every language inNP, using only a uniform complexity assumption.

A study of perfect zero-knowledge proofs

- Mathematics, Computer Science
- 2008

It is proved that all the known problems admitting perfect zero-knowledge (PZK) proofs can be characterized as non-interactive instance-dependent commitment schemes, and this result is used to generalize and strengthen previous results, as well as to prove new results about PZK problems.

Zero Knowledge Proofs Theory and Applications

- Computer Science, Mathematics
- 2020

The theory underlying Zero Knowledge Proofs is surveyed, developing the idea of interactive proving protocols, which will then be formalized first in Interactive Proofs and then in more complex knowledge withholding schemes, such as Perfect and Computational Zero knowledge Proofs.

A Study of Statistical Zero-Knowledge Proofs

- Computer Science, Mathematics
- 2021

This thesis is a detailed investigation of statistical zero-knowledge proofs, which are zero- knowledge proofs in which the condition that the verifier “learns nothing” is interpreted in a strong statistical sense.

## References

SHOWING 1-10 OF 140 REFERENCES

Proofs that yield nothing but their validity and a methodology of cryptographic protocol design

- Computer Science, Mathematics27th Annual Symposium on Foundations of Computer Science (sfcs 1986)
- 1986

This paper demonstrates the generality and wide applicability of zero-knowledge proofs, a notion introduced by Goldwasser, Micali and Rackoff that efficiently demonstrate membership in the language without conveying any additional knowledge.

Perfect zero-knowledge languages can be recognized in two rounds

- Computer Science, Mathematics28th Annual Symposium on Foundations of Computer Science (sfcs 1987)
- 1987

It is proved that if L admits a zeroknowledge proof then L can also be recognized by a two round interactive proof, and study complexity theoretic implications of a language having this property.

Perfect zero-knowledge in constant rounds

- Computer Science, MathematicsSTOC '90
- 1990

This paper shows that any random self-reducible language has a 5 round perfect zero knowledge interactive proof, and shows that a language outside BPP requires more than 3 rounds from any perfect ZK proof.

Everything in NP can be Argued in Perfect Zero-Knowledge in a Bounded Number of Rounds

- Computer Science, MathematicsICALP
- 1989

This paper gives the first perfect zero-knowledge protocol that offers arbitrarily high security for any statement in NP with a constant number of rounds (under the assumption that it is infeasible to compute discrete logarithms modulo p even for someone who knows the factors of p−1, or more generally under the assumptions that one-way group homomorphisms exist).

Private coins versus public coins in interactive proof systems

- Computer ScienceSTOC '86
- 1986

The probabilistic, nondeterministic, polynomial time Turing machine is defined and shown to be equivalent in power to the interactive proof system and to BPP much as BPP is the Probabilistic analog to P.

Everything Provable is Provable in Zero-Knowledge

- Mathematics, Computer ScienceCRYPTO
- 1988

It is shown that every language that admits an interactive proof admits a (computational) zero-knowledge interactive proof.

On the cunning power of cheating verifiers: Some observations about zero knowledge proofs

- Computer Science, Mathematics28th Annual Symposium on Foundations of Computer Science (sfcs 1987)
- 1987

It is shown that randomness of both the verifier and the prover, and nontriviality of the interaction are essential properties of non-trivial auxiliary-input zero-knowledge proofs.

The complexity of perfect zero-knowledge

- Computer Science, MathematicsAdv. Comput. Res.
- 1989

It is shown that knowledge complexity can be used to show that a language is easy to prove and that there are not any perfect zero-knowledge protocols for NP-complete languages unless the polynomial time hierarchy collapses.

Non-transitive transfer of confidence: A perfect zero-knowledge interactive protocol for SAT and beyond

- Computer Science, Mathematics27th Annual Symposium on Foundations of Computer Science (sfcs 1986)
- 1986

A perfect zero-knowledge interactive proof is a protocol by which Alice can convince Bob of the truth of some theorem in a way that yields no information as to how the proof might proceed (in the…

Zero-Knowledge Simulation of Boolean Circuits

- Computer Science, MathematicsCRYPTO
- 1986

A zero-knowledge interactive proof is a protocol by which Alice can convince a polynomially-bounded Bob of the truth of some theorem without giving him any hint as to how the proof might proceed.…