Secret-chain Zero-Knowledge Proofs and Their Applications
Author
Abstract
In zero-knowledge proofs of knowledge, a single prover tries to convince a single verifier that he has possession of some knowledge s. The verifier accepts with probability 1 if the prover is honest (completeness), and rejects with high probability otherwise (soundness). In either case, the verifier learns nothing about s other than the bit of information as to whether or not the prover knows s (zero-knowledgeness). In [OkOh], Okamoto and Ohta introduce the notion of divertibility, a certain zero-knowledge proof of knowledge scenario in which the verifier is in turn able to disseminate the prover's proof of knowledge and even convince others that he knows some secret s when in reality, this information is known only to the prover. There are both positive and negative aspects to this scenario. The immediate complaint about this situation is that the verifier is now able to profess and claim knowledge of something he doesn't really know, and in applications like identification schemes, this is definitely undesirable. However, [OkOh] and [BuDeItSaSh] have put forward useful applications of divertible proofs, namely for untraceability, blind signatures and subliminal-free transmissions. In this thesis, we generalize this idea of divertibility by introducing and exploring the secret-chain model, a proof system characterized by the existence of multiple provers, arranged in a linear fashion. In this manner, each prover is only allowed to interact with the provers who are his immediate neighbors. In addition, each prover knows some secret information that can be part of a larger "super-secret". If we replace the chain of provers with a single "super-prover", then this super-secret is knowledge this super-prover claims to know and can exhibit a proof of knowledge for. We define a model and formulate these ideas further assuming the existence of a commutative random self-reducible (CRSR) relation that is both one-way and non-trapdoor.
Secret-chains appear useful for applications in which privacy protection and untraceability are desired. For example, consider an information broker/consultant who furnishes clients with information. He may assemble and collate information from his own personal resources and from one of many information banks or sources that are willing to exhibit a zero-knowledge proof for information they know, provided the price is right. Naturally, he wishes to keep his sources of information secret from his customers, and furthermore, he may not want his sources to know what he is doing with their information, so he prefers that the identity of his clientele remains unknown to his sources. Secret-chains may also be useful in situations in which the presence of an overseer is desired to monitor some party in the system, so that this party cannot function properly without the overseer's consent. Furthermore, secret-chains may not be limited to proofs of knowledge, but might have possible applications to proofs of computational power. In this thesis, we discuss several possible applications, and construct a blind signature scheme based on a secret-chain. Lastly, we exhibit a secret-chain zero-knowledge proof for Graph Isomorphism.
Thesis Supervisor: Shafi Goldwasser
Title: Professor of Computer Science and Engineering
Similar resources
Zero Knowledge Proofs
Zero-knowledge proofs are cryptographic protocols that allow a prover to prove that they have some knowledge of a certain kind, without revealing any additional information about that knowledge. For example, I might want to prove that I know a secret preimage w for some hash h = hash(w), without revealing what that secret w is. Digital signatures are a bit like a zero knowledge proof: “I know a...
Efficient Delegation of Zero-Knowledge Proofs of Knowledge in a Pairing-Friendly Setting
Since their introduction in 1985, by Goldwasser, Micali and Rackoff, followed by Feige, Fiat and Shamir, zero-knowledge proofs have played a significant role in modern cryptography: they allow a party to convince another party of the validity of a statement (proof of membership) or of its knowledge of a secret (proof of knowledge). Cryptographers frequently use them as building blocks in comple...
Secure Multi-Party Computation over Networks
Consider a set of parties who do not trust each other but want to compute some agreed function of their inputs in a secure way. This problem is known as multi-party computation. It has various interesting applications including election over the internet, electric contracts, private and secret database, joint signatures, and others. A number of techniques for the problem have been proposed. Sec...
Unconditional Characterizations of Non-interactive Zero-Knowledge
Non-interactive zero-knowledge (NIZK) proofs have been investigated in two models: the Public Parameter model and the Secret Parameter model. In the former, a public string is “ideally” chosen according to some efficiently samplable distribution and made available to both the Prover and Verifier. In the latter, the parties instead obtain correlated (possibly different) private strings. To add f...
Zero-knowledge proofs of knowledge for group homomorphisms
A simple zero-knowledge proof of knowledge protocol is presented of which many known protocols are instantiations. These include Schnorr’s protocol for proving knowledge of a discrete logarithm, the Fiat–Shamir and Guillou–Quisquater protocols for proving knowledge of a modular root, protocols for proving knowledge of representations (like Okamoto’s protocol), protocols for proving equality of secr...