Witness indistinguishable and witness hiding protocols

@inproceedings{Feige1990WitnessIA,
  title={Witness indistinguishable and witness hiding protocols},
  author={Uriel Feige and Adi Shamir},
  booktitle={STOC '90},
  year={1990}
}
A two-party protocol in which party A uses one of several secret witnesses to an NP assertion is witness indistinguishable if party B cannot tell which witness A is actually using. The protocol is witness hiding if by the end of the protocol B cannot compute any new witness which he did not know before the protocol began. Witness hiding is a natural security requirement, and can replace zero knowledge in many cryptographic protocols. We prove two central results: 1. Unlike zero knowledge… 
On the Security of Classic Protocols for Unique Witness Relations
TLDR
This work gives sufficient conditions on a hard distribution over a unique-witness NP relation under which all witness indistinguishable protocols (including all public-coin ones, such as ZAPs, the Blum protocol and the GMW protocol) are indeed witness hiding; a wide range of cryptographic problems with unique witnesses satisfy these conditions, and thus admit constant-round public-coin witness hiding proof systems.
Towards Non-Interactive Witness Hiding
TLDR
This work provides compelling evidence that witness hiding proofs are achievable non-interactively for wide classes of languages, and uses non-uniform witness indistinguishable proofs as the basis for all of the protocols.
Witness Hiding Proofs and Applications
TLDR
It is proved in this thesis that, with limited computational power, it is impossible to divert a witness hiding protocol in parallel to two independent verifiers with large probability.
Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols
TLDR
This work shows how to transform P into a witness indistinguishable protocol, in which the prover demonstrates knowledge of the solution to some subset of n problem instances out of a collection of subsets defined by S.
Witness Maps and Applications
TLDR
A Dual Mode Witness Map (DMWM) is defined which adds an “extractable” mode to a CWM, a relaxation of UWM which maps all the witnesses to a small number of witnesses, resulting in a “lossy” deterministic-prover, non-interactive proof-system.
Proofs of Ignorance and Applications to 2-Message Witness Hiding
TLDR
The notion of Proofs of Ignorance is defined, constructed and used to construct a 2-message witness hiding protocol for all of NP, and a new non-black-box technique is developed.
Zero-Knowledge Proofs with Witness Elimination
TLDR
A general construction based on smooth projective hashing that is suitable for designing efficient schemes for proving knowledge of a Boneh-Boyen signature with witness elimination is provided and along the way it is demonstrated how zero-knowledge proofs with Witness elimination naturally relate to the primitives of password-based key exchange and private equality testing.
Witness-Indistinguishable Arguments with Σ-Protocols for Bundled Witness Spaces and its Application to Global Identities
TLDR
A protocol enables a prover to convince a verifier that the prover knows a bundle of witnesses that have a common component, which the authors call a base witness point; the protocol is an and-composition of Σ-protocols on the statements that include a common commitment.
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols
TLDR
This paper identifies languages and distributions for which many known constant-round public-coin protocols with negligible soundness cannot be shown to be witness-hiding using black-box techniques and shows that "natural reductions" cannot bypass the limitations above.
Witness Hiding Without Extractors or Simulators
TLDR
A new look at witness hiding is proposed based on the information conveyed in each particular instance of the protocol, which aims to convince the verifier that the prover knows a witness to an instance of an NP problem without revealing the witness.

References

Showing 1-10 of 26 references
Everything in NP can be Argued in Perfect Zero-Knowledge in a Bounded Number of Rounds
TLDR
This paper gives the first perfect zero-knowledge protocol that offers arbitrarily high security for any statement in NP with a constant number of rounds (under the assumption that it is infeasible to compute discrete logarithms modulo p even for someone who knows the factors of p−1, or more generally under the assumptions that one-way group homomorphisms exist).
Minimum Disclosure Proofs of Knowledge
Proofs that yield nothing but their validity and a methodology of cryptographic protocol design
TLDR
This paper demonstrates the generality and wide applicability of zero-knowledge proofs, a notion introduced by Goldwasser, Micali and Rackoff: proofs that efficiently demonstrate membership in a language without conveying any additional knowledge.
Non-Interactive Zero-Knowledge Proof Systems
TLDR
The result is strengthened by showing that Non-Interactive Zero-Knowledge Proof Systems exist based on the weaker and well-known assumption that quadratic residuosity is hard.
New Paradigms for Digital Signatures and Message Authentication Based on Non-Interactive Zero Knowledge Proofs
TLDR
Noninteractive zero knowledge proofs in a network which have the property that anyone in the network can individually check correctness while the proof is zero knowledge to any sufficiently small coalition are shown.
On Generating Solved Instances of Computational Problems
TLDR
This work considers the efficient generation of solved instances of computational problems and considers invulnerable generators, which are defined as programs that produce instance-witness pairs according to a distribution under which any polynomial-time adversary fails to find a witness that x ∈ S.
Zero Knowledge Proofs of Knowledge in Two Rounds
TLDR
These protocols rely on two novel ideas: One for constructing commitment schemes, the other for constructing subprotocols which are not known to be zero knowledge, yet can be proven not to reveal useful information.
Random self-reducibility and zero knowledge interactive proofs of possession of information
  • M. Tompa, H. Woll
  • Mathematics, Computer Science
  • 28th Annual Symposium on Foundations of Computer Science (sfcs 1987), 1987
TLDR
It is shown that any "random self-reducible" problem has a zero knowledge interactive proof of this sort, and new zero knowledge interactive proofs are exhibited for "knowledge" of the factorization of an integer, nonmembership in cyclic subgroups of Zp*, and determining whether an element generates Zp*.
A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks
TLDR
A digital signature scheme based on the computational difficulty of integer factorization possesses the novel property of being robust against an adaptive chosen-message attack: an adversary who receives signatures for messages of his choice cannot later forge the signature of even a single additional message.
Bit Commitment Using Pseudo-Randomness
  • M. Naor
  • Computer Science, Mathematics
  • CRYPTO, 1989
We show how a pseudo-random generator can provide a bit commitment protocol. We also analyze the number of bits communicated when parties commit to many bits simultaneously, and show that the