Abstract
The notion of a "proof of knowledge", suggested by Goldwasser, Micali and
Rackoff, has been used in many works as a tool for the construction of
cryptographic protocols and other schemes. Yet the commonly cited formalizations
of this notion are unsatisfactory and in particular inadequate for some of the
applications in which they are used. Consequently, new researchers keep getting
misled by existing literature. The purpose of this paper is to indicate the
source of these problems and suggest a definition which resolves them.