We show how a polynomial-time prover can commit to an arbitrary finite set Ë of strings so that, later on, he can, for any string Ü, reveal with a proof whether Ü ¾ Ë or Ü ¾ Ë, without revealing any knowledge beyond the verity of these membership assertions. Our method is non interactive. Given a public random string, the prover commits to a set by simply posting a short and easily computable message. After that, each time it wants to prove whether a given element is in the set, it simply posts another short and easily computable proof, whose correctness can be verified by any one against the public random string. Our scheme is very efficient; no reasonable prior way to achieve our desiderata existed. Our new primitive immediately extends to providing zero-knowledge “databases.”
Silvio Micali, Michael O. Rabin, Joe Kilian