Instance-Hiding Proof Systems
نویسندگان
چکیده
We de ne the notion of an instance-hiding proof system (ihps) for a function f ; informally, an ihps is a protocol in which a polynomial-time veri er interacts with one or more all-powerful provers and is convinced of the value of f(x) but does not reveal the input x to the provers. We show here that a function f has a multiprover ihps if and only if it is computable in FNEXP. We formalize the notion of zero-knowledge for ihps's and show that any function that has a multiprover ihps in fact has one that is perfect zero-knowledge. Under the assumption that one-way permutations exist, we show that f has a one-prover, zero-knowledge ihps if and only if it is in FPSPACE and has a one-oracle instance-hiding scheme (ihs).
منابع مشابه
Hiding Instances in Zero-Knowledge Proof Systems (Extended Abstract)
Informally speaking, an instance-hiding proof system for the function f is a protocol in which a polynomial-time veriier is convinced of the value of f(x) but does not reveal the input x to the provers. We show here that a boolean function f has an instance-hiding proof system if and only if it is the characteristic function of a language in NEXP \ coNEXP. We formalize the notion of zero-knowle...
متن کاملOn the Security of Classic Protocols for Unique Witness Relations
We revisit the problem of whether the known classic constantround public-coin argument/proof systems are witness hiding for languages/distributions with unique witnesses. Though strong black-box impossibility results are known, we provide some less unexpected positive results on the witness hiding security of these classic protocols: – We give sufficient conditions on a hard distribution over u...
متن کاملInstance-Dependent Commitment Schemes and the Round Complexity of Perfect Zero-Knowledge Proofs
We study the question whether the number of rounds in public-coin perfect zero-knowledge (PZK) proofs can be collapsed to a constant. Despite extensive research into the round complexity of interactive and zero-knowledge protocols, there is no indication how to address this question. Furthermore, the main tool to tackle this question is instance-dependent commitments, but currently such schemes...
متن کاملAn Equivalence Between Zero Knowledge and Commitments
We show that a language in NP has a zero-knowledge protocol if and only if the language has an “instance-dependent” commitment scheme. An instance-dependent commitment schemes for a given language is a commitment scheme that can depend on an instance of the language, and where the hiding and binding properties are required to hold only on the YES and NO instances of the language, respectively. ...
متن کاملOn Instance Compression, Schnorr/Guillou-Quisquater, and the Security of Classic Protocols for Unique Witness Relations
We revisit the problem of whether the witness hiding property of classic 3-round public-coin proof systems for languages/distributions with unique witnesses are still witness hiding. Though strong black-box impossibility results are known for them [Pas11, HRS09], we provide some less unexpected positive results on the witness hiding security of classic protocols: – We develop an embedding techn...
متن کامل