Zero knowledge interactive proofs of knowledge (a digest)

  • Authors: Martin Tompa
  • Affiliation: Thomas J. Watson Research Center, Yorktown Heights, New York
  • Venue: TARK '88 Proceedings of the 2nd conference on Theoretical aspects of reasoning about knowledge
  • Year: 1988

Abstract

Suppose an associate handed you a 500 digit number N, and informed you, "I know the prime factorization of N." What would convince you of the truth of your associate's statement? If your associate could be persuaded to reveal the factorization to you, a few simple tests would convince you of the statement's truth. Unfortunately the associate responds to this request by saying, "The factorization is a secret. In fact, I would like to convince you that I know the factorization of N without divulging any other useful information." How can you hope to be convinced that your associate is not deceiving you? Needless to say, a primality testing algorithm quickly reveals N to be composite, but your favorite factorization algorithms make no progress whatever. These seemingly irreconcilable positions (the associate's unwillingness to reveal any knowledge, your unwillingness to accept your associate's statement without proof) are reconcilable through a protocol known as a "zero knowledge interactive proof", introduced by Goldwasser, Micali, and Rackoff [15] in 1985. Informally, an interactive proof is a pair of protocols executed by two parties, called the "prover" and the "verifier", whereby the prover attempts to convince the verifier of the validity of some proposition Π. The prover, even by deviating from its protocol, should not be able to convince the verifier of the truth of Π if, in fact, Π is false. An interactive proof is "zero knowledge" if the verifier, even by deviating from its protocol, cannot gain any information from the prover (other than the validity of Π) that it could not have derived efficiently itself. More specifically, for any verifier that outputs after interacting with the prover, there is an algorithm that, without benefit of interacting with the prover, produces outputs from a distribution indistinguishable from that of the verifier. The interested reader can find careful definitions of these notions in [20].
The particular problem of knowledge of factorization will be left on the hook until the last section. The intervening sections contain some interesting historical digressions.
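The three properties sketched in the abstract (the verifier's check, the bound on a deviating prover, and the simulator that reproduces the verifier's view without the prover) can be seen concretely in a small round-based protocol. The following is an added example, not code from Tompa's digest or from the papers it cites: a Fiat-Shamir-style proof of knowledge of a square root s of a public value v modulo a composite N, which is the usual textbook link between "knowing a secret" and the factorization setting of the abstract. The modulus, the seed and the helper names (`honest_prover`, `cheating_prover`, `simulate_transcript`, `demo`) are all constructed for illustration; the parameters are far too small for any real security, and a seeded PRNG replaces a cryptographic one only so the run is reproducible.

```python
"""Toy zero-knowledge proof of knowledge of a square root modulo N.

Added illustration (not from the digest). One round: the prover commits to
x = r^2, the verifier sends a coin e in {0, 1}, the prover answers
y = r * s^e, and the verifier checks y^2 == x * v^e (mod N).
"""
import random
from math import gcd

# Constructed toy modulus: N = p*q with p = 1009 and q = 1013 (both prime).
# Real deployments use moduli of hundreds of digits, as in the abstract.
P, Q = 1009, 1013
N = P * Q


def keygen(n: int, rng: random.Random) -> tuple:
    """Prover's secret s (coprime to n) and the public value v = s^2 mod n."""
    while True:
        s = rng.randrange(2, n)
        if gcd(s, n) == 1:          # v must be invertible for the simulator below
            return s, pow(s, 2, n)


def verify_round(n: int, v: int, x: int, e: int, y: int) -> bool:
    """The verifier's only test: y^2 == x * v^e (mod n)."""
    return pow(y, 2, n) == (x * pow(v, e, n)) % n


def honest_prover(n: int, s: int, rng: random.Random):
    """Prover who knows s. Returns (commit, respond) closures for one round."""
    state = {}

    def commit() -> int:
        r = rng.randrange(1, n)
        state["r"] = r
        return pow(r, 2, n)

    def respond(e: int) -> int:
        return (state["r"] * pow(s, e, n)) % n

    return commit, respond


def cheating_prover(n: int, v: int, rng: random.Random):
    """Prover who knows only v. It guesses the coin in advance and builds a
    commitment that passes the check only if the guess turns out right, so it
    survives a single round with probability 1/2 and k rounds with 2^-k."""
    state = {}
    v_inv = pow(v, -1, n)

    def commit() -> int:
        guess = rng.randrange(2)
        y = rng.randrange(1, n)
        state["y"] = y
        # x = y^2 * v^-guess, so y^2 == x * v^e holds exactly when e == guess
        return (pow(y, 2, n) * pow(v_inv, guess, n)) % n

    def respond(e: int) -> int:
        return state["y"]           # the only answer it can give

    return commit, respond


def run_protocol(n: int, v: int, prover, rounds: int, rng: random.Random) -> bool:
    """Verifier side. Accept only if every round verifies; the verifier's coins
    are fresh each round, which is what keeps a deviating prover at 2^-rounds."""
    commit, respond = prover
    for _ in range(rounds):
        x = commit()
        e = rng.randrange(2)        # verifier's coin, chosen after seeing x
        y = respond(e)
        if not verify_round(n, v, x, e, y):
            return False
    return True


def simulate_transcript(n: int, v: int, rng: random.Random) -> tuple:
    """The zero-knowledge simulator: with no access to s, pick e and y first and
    solve for x, producing an accepting (x, e, y) with the same distribution the
    verifier would see when talking to the honest prover."""
    e = rng.randrange(2)
    y = rng.randrange(1, n)
    x = (pow(y, 2, n) * pow(pow(v, -1, n), e, n)) % n
    return x, e, y


def demo(seed: int = 7) -> dict:
    """Run the three experiments with a fixed seed and report the outcomes."""
    rng = random.Random(seed)
    s, v = keygen(N, rng)
    honest_ok = run_protocol(N, v, honest_prover(N, s, rng), 20, rng)
    cheat_ok = run_protocol(N, v, cheating_prover(N, v, rng), 40, rng)
    x, e, y = simulate_transcript(N, v, rng)
    return {
        "honest_accepted": honest_ok,                 # completeness
        "cheater_accepted": cheat_ok,                 # soundness: False (prob. 1 - 2^-40)
        "simulated_transcript_verifies": verify_round(N, v, x, e, y),  # zero knowledge
    }


if __name__ == "__main__":
    print(demo())
```

The simulator is the point of the exercise: because anyone holding only v can manufacture transcripts that the verifier cannot tell apart from real ones, the transcript carries no information about s beyond the fact that a square root exists, which is exactly the "could have derived efficiently itself" clause in the abstract.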