Hard-Core Bits for Proofs of Knowledge

For various well-known proofs of knowledge, we address the problem of how much information a cheating polynomial-time veriier can learn about individual bits of the prover's secret key. Speciically, under the widely believed assumption that the Schnorr identiication protocol is witness hiding, no polynomial-time veriier can distinguish the O(log k) most signiicant bits of the prover's secret key from equally many ips of an unbiased coin, where k is the security parameter that determines the key length. For a minor variation of Schnorr's protocol, not only the O(log k) most signiicant bits are hidden but also O(log k) bits that are close to the least signiicant bits. Similarly, the O(log k) least signiicant bits of the secret key of the prover in the Guillou-Quisquater identiication protocol are unapproximable. All our results hold in the strongest conceivable attack scenario, in that veriiers may engage in arbitrarily many protocol executions and choose new challenges in an adaptive fashion based on information learned in previous protocol executions.