|
Abstract : |
Note: The last sentence on page 3 is not entirely accurate, in that only the number of multiplications decreases by a factor of j; the number of squarings is unaffected. Abstract. Consider a polynomial-time prover holding a set of secrets. We describe how the prover can rapidly demonstrate any satisfiable boolean formula for which the atomic propositions are relations that are linear in the secrets, without revealing more information about the secrets than what is conveyed by the formula itself. Our protocols support many proof modes, and are as secure as the Discrete Logarithm assumption or the RSA/factoring assumption. 1, |
