Cryptographic Capsules: A Disjunctive Primitive for Interactive Protocols

This paper describes a deceptively (almost embarrassingly) simple technique, that of cryptographic capsules, which allows Alice to convince Bob that either X or Y is true without giving Bob any information as to which is the case. Capsules are an instrumental part of the machinery used to compose ballots in the cryptographic election scheme of [CoFi85] (see also [Coh86], [Ben86], and [BeYu86]), but they have far broader applications. Use of capsules substantially implifies the “zero-knowledge” interactive proof system for quadratic nonresiduosity published in [GMR85]. Their use also provides a tremendous simplification of the “result-indistinguishable” interactive proof system published in [GHY85]. Capsules have been incorporated into the zero-knowledge protocol for interactively proving nonisomorphism of graphs described in [GMW86]. Finally, capsules are shown to provide a mechanism more efficient than that of [GMW86] by which Alice can convince Bob (in a zero-knowledge fashion) of the validity of any NP predicate. Despite their simplicity, it seems that the applications of capsules may go far beyond those mentioned here, and capsules have the potential to become a standard primitive construct for many kinds of interactive protocols.