Witness indistinguishable and witness hiding protocols

  • Uriel Feige, Adi Shamir
  • STOC '90
A two party protocol in which party A uses one of several secret witnesses to an NP assertion is witness indistinguishable if party B cannot tell which witness A is actually using. The protocol is witness hiding if by the end of the protocol B cannot compute any new witness which he did not know before the protocol began. Witness hiding is a natural security requirement, and can replace zero knowledge in many cryptographic protocols. We prove two central results: 1. Unlike zero knowledge… 
On the Security of Classic Protocols for Unique Witness Relations
Sufficient conditions are given on a hard distribution over a unique-witness NP relation for which all witness indistinguishable protocols (including all public-coin ones, such as ZAPs, the Blum protocol and the GMW protocol) are indeed witness hiding; a wide range of cryptographic problems with unique witnesses satisfy these conditions, and thus admit constant-round public-coin witness hiding proof systems.
Towards Non-Interactive Witness Hiding
This work provides compelling evidence that witness hiding proofs are achievable non-interactively for wide classes of languages, and uses non-uniform witness indistinguishable proofs as the basis for all of the protocols.
Witness Hiding Proofs and Applications
It is proved, in this thesis, that with limited computational power, it is impossible to divert a witness hiding protocol in parallel to two independent verifiers with large probability.
Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols
This work shows how to transform P into a witness indistinguishable protocol, in which the prover demonstrates knowledge of the solution to some subset of n problem instances out of a collection of subsets defined by S.
Witness Maps and Applications
A Dual Mode Witness Map (DMWM) is defined which adds an “extractable” mode to a CWM, a relaxation of UWM which maps all the witnesses to a small number of witnesses, resulting in a “lossy” deterministic-prover, non-interactive proof-system.
Proofs of Ignorance and Applications to 2-Message Witness Hiding
The notion of Proofs of Ignorance is defined, constructed and used to construct a 2-message witness hiding protocol for all of NP, and a new non-black-box technique is developed.
Zero-Knowledge Proofs with Witness Elimination
A general construction based on smooth projective hashing that is suitable for designing efficient schemes for proving knowledge of a Boneh-Boyen signature with witness elimination is provided and along the way it is demonstrated how zero-knowledge proofs with Witness elimination naturally relate to the primitives of password-based key exchange and private equality testing.
Witness-Indistinguishable Arguments with Σ-Protocols for Bundled Witness Spaces and its Application to Global Identities
A protocol enables a prover to convince a verifier that the prover knows a bundle of witnesses that have a common component, which the authors call a base witness point; the protocol is an AND-composition of \(\varSigma \)-protocols on statements that include a common commitment.
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols
This paper identifies languages and distributions for which many known constant-round public-coin protocols with negligible soundness cannot be shown to be witness-hiding using black-box techniques and shows that "natural reductions" cannot bypass the limitations above.
Witness Hiding Without Extractors or Simulators
A new look at witness hiding is proposed based on the information conveyed in each particular instance of the protocol, which aims to convince the verifier that he knows a witness to an instance of an \(\mathbf{NP}\) problem without revealing the witness.


Everything in NP can be Argued in Perfect Zero-Knowledge in a Bounded Number of Rounds
This paper gives the first perfect zero-knowledge protocol that offers arbitrarily high security for any statement in NP with a constant number of rounds (under the assumption that it is infeasible to compute discrete logarithms modulo p even for someone who knows the factors of p−1, or more generally under the assumptions that one-way group homomorphisms exist).
Minimum Disclosure Proofs of Knowledge
Proofs that yield nothing but their validity and a methodology of cryptographic protocol design
This paper demonstrates the generality and wide applicability of zero-knowledge proofs, a notion introduced by Goldwasser, Micali and Rackoff that efficiently demonstrate membership in the language without conveying any additional knowledge.
Non-Interactive Zero-Knowledge Proof Systems
The result is strengthened by showing that Non-Interactive Zero-Knowledge Proof Systems exist based on the weaker and well-known assumption that quadratic residuosity is hard.
New Paradigms for Digital Signatures and Message Authentication Based on Non-Interactive Zero Knowledge Proofs
Noninteractive zero knowledge proofs in a network which have the property that anyone in the network can individually check correctness while the proof is zero knowledge to any sufficiently small coalition are shown.
On Generating Solved Instances of Computational Problems
This work considers the efficient generation of solved instances of computational problems and considers invulnerable generators, which are defined as programs that produce instance-witness pairs according to a distribution under which any polynomial-time adversary fails to find a witness that x ∈ S.
Zero Knowledge Proofs of Knowledge in Two Rounds
These protocols rely on two novel ideas: One for constructing commitment schemes, the other for constructing subprotocols which are not known to be zero knowledge, yet can be proven not to reveal useful information.
Random self-reducibility and zero knowledge interactive proofs of possession of information
  • M. Tompa, H. Woll
  • Mathematics, Computer Science
    28th Annual Symposium on Foundations of Computer Science (sfcs 1987)
  • 1987
It is shown that any "random self-reducible" problem has a zero knowledge interactive proof of this sort, and new zero knowledge interactive proofs are exhibited for "knowledge" of the factorization of an integer, nonmembership in cyclic subgroups of Zp*, and determining whether an element generates Zp*.
A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks
A digital signature scheme based on the computational difficulty of integer factorization possesses the novel property of being robust against an adaptive chosen-message attack: an adversary who receives signatures for messages of his choice cannot later forge the signature of even a single additional message.
Bit Commitment Using Pseudo-Randomness
  • M. Naor
  • Computer Science, Mathematics
  • 1989
We show how a pseudo-random generator can provide a bit commitment protocol. We also analyze the number of bits communicated when parties commit to many bits simultaneously, and show that the