
Parallel divertibility of proofs of knowledge.

Authors :
Goos, Gerhard
Hartmanis, Juris
Leeuwen, Jan
Santis, Alfredo
Chen, L.
Damgård, I. B.
Pedersen, T. P.
Source :
Advances in Cryptology - EUROCRYPT'94; 1995, p140-155, 16p
Publication Year :
1995

Abstract

An interactive proof is transferred if a person, while interacting with the prover, convinces a (second) verifier of the statement. Divertible proof systems, first introduced by Desmedt et al., offer a more subtle way of transferring a proof: the messages are blinded such that neither the prover nor the second verifier can ever discover what is going on. While the ability to transfer (and divert) interactive proofs is useful in many situations, it also has the disadvantage that the prover has less control over the use of the proofs. This paper investigates (and limits) the possibilities of transferring and diverting certain interactive proofs. In particular, it is shown that zero-knowledge proof systems based on a polynomial number of sequential iterations of a three-move protocol cannot be transferred (and hence diverted) to two independent third parties even with just a very small (polynomial fraction) probability of success unless the proof is insecure for the prover. Furthermore, if the three-move protocol in itself constitutes a witness-hiding proof of knowledge, it is shown that it cannot be diverted to two independent third parties simultaneously with overwhelming probability. This result rules out one possible attack on the blind signature scheme suggested by Ohta and Okamoto. [ABSTRACT FROM AUTHOR]

Details

Language :
English
ISBNs :
9783540601760
Database :
Supplemental Index
Journal :
Advances in Cryptology - EUROCRYPT'94
Publication Type :
Book
Accession number :
32950751
Full Text :
https://doi.org/10.1007/BFb0053431