WI and Proof of knowledge

Fabrice Mouhartem 2018-06-19 13:22:22 +02:00
parent b57293c56f
commit 0db1043246
2 changed files with 27 additions and 1 deletions

@ -37,6 +37,31 @@ In this section, we first present the general principles and basic tools to hand
If the two ensembles in the definition of \textit{zero-knowledge} are the same, then the proof is \textit{perfect zero-knowledge}.
\end{definition}
\begin{definition}[Proof of knowledge \cite{GMR85,BG92}]
\index{Zero Knowledge!Proof of knowledge}
Let $\kappa$ be a function from $\bit^\star$ to $[0,1]$. A complete interactive proof system $(P,V)$ is said to be a \textit{proof of knowledge} for the relation $R$ with knowledge error $\kappa$ if it verifies the knowledge soundness property.
\begin{description}
\item[Knowledge soundness.] There exists a $\ppt$ algorithm $\mathcal E$, called the knowledge extractor. This algorithm takes as input $x$ and rewindable black-box access to the prover, and targets to compute a $w$ such that $(x,w) \in R$.
For any prover $\hat{P}$, let $\varepsilon(x)$ be the probability that $V$ accepts on input $x$.
There exists a constant $c$ such that, whenever $\varepsilon(x) > \kappa(x)$, $M$ will output a correct $w$ with expected time at most $\frac{|x|^c}{\varepsilon(x) - \kappa(x)},$ where access to $\hat{P}$ counts as one step.
\end{description}
\end{definition}
This extractor represents the fact that an effective prover actually knows the secret (while a zero-knowledge proof only attests the existence of a witness $w$).
In the following, $\ZKAoK$ denotes \textit{Zero-Knowledge Argument of Knowledge}.
Another useful property that a proof system can have in the context of privacy-preserving cryptography is witness indistinguishability (\textsf{WI}).
This property states that if a proof system has multiple witnesses, it is impossible to tell apart which one has been used during the proof.
\begin{definition}[Witness indistinguishable proofs~\cite{FS90}]
Let $(P,V)$ be a complete interactive proof system for relation $R$. It is said to be \textit{witness indistinguishable} if, for every $\ppt$ algorithm $\hat{V}$ and every two sequences $\{w_x\}_{(x, w_x) \in R}$, $\{w'_x\}_{(x,w'_x) \in R}$, the following ensembles are computationally indistinguishable:
\begin{align*}
\{ \trans(P(x, w_x), \hat{V}(x) \}_x && \mbox{and} && \{ \trans( P(x, w'_x), \hat{V}(x) \}_x.
\end{align*}
\end{definition}
The \textsf{WI} property is implied by the zero-knowledge property. Whereas the latter, \textit{witness indistinguishability} is preserved through parallel repetitions of the protocol~\cite{FS90}.
\subsection{$\Sigma$-protocols}
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Protocoles $\Sigma$}
\label{sse:sigma-protocols}
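Review bot: the knowledge extractor is introduced as $\mathcal E$ in the "Knowledge soundness" item but the running-time bound then says "$M$ will output a correct $w$"; the two names should agree, so replace $M$ by $\mathcal E$ there. In the witness-indistinguishability definition both transcripts are missing a closing parenthesis: `\{ \trans(P(x, w_x), \hat{V}(x) \}_x` should read `\{ \trans(P(x, w_x), \hat{V}(x)) \}_x`, and likewise for the $w'_x$ ensemble, otherwise the `\trans(` is never closed. The closing remark "Whereas the latter, \textit{witness indistinguishability} is preserved through parallel repetitions" does not parse; "Unlike the latter, witness indistinguishability is preserved under parallel repetition~\cite{FS90}" states the intended contrast with zero-knowledge. Smaller wording points: "if it verifies the knowledge soundness property" reads better as "satisfies", and "targets to compute a $w$" as "aims to compute a $w$".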
@ -311,7 +336,7 @@ For efficiency reasons, Schnorr's protocol is used along with Fiat-Shamir heuris
This methodology has also been adapted to the ideal lattice-setting by Lyubashevsky~\cite{Lyu08, Lyu09} along with a technique called \textit{rejection sampling} in order to construct ZK proofs from ideal lattice assumptions and is described in Figure~\ref{fig:schnorr-lwe}.
In this description $D_y$ and $D_c$ are the distributions from which $\mathbf{y}_1, \mathbf{y}_2$ and $\mathbf{c}$ have to be sampled respectively, and $G$ describes the set of \textit{good} responses $\mathbf{z}_1, \mathbf{z}_2$ in order not to leak informations about $\mathbf{s}_1, \mathbf{s}_2$.
The part between brackets is called the \textit{rejection} phase, and ensure that the transmitted $\mathbf{z}_1, \mathbf{z}_2$ will not leak any information about $\mathbf{s}_1, \mathbf{s}_2$ to V.
This part induced a noticeable error-rate where the prover aborts the proof. As the protocol is proven \textit{witness indistinguishable}~\cite{Lyu09}, one can run the protocol multiple times in parallel and hope that one of them will not abort~\cite{FS90} (recall that, unlike the zero-knowledge property, witness indistinguishability is preserved under parallel repetitions).
This part induced a noticeable error-rate where the prover aborts the proof. As the protocol is proven \textit{witness indistinguishable}~\cite{Lyu09}, one can run the protocol multiple times in parallel and hope that one of them will not abort~\cite{FS90}.% (recall that, unlike the zero-knowledge property, witness indistinguishability is preserved under parallel repetitions).
\begin{figure}
\textbf{Common input:} A public element $\mathbf{a} \in R$ where $R = \ZZ_p[\mathbf{x}]/\langle \mathbf{x}^n + 1 \rangle$.
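Review bot: commenting out the parenthetical recall ("unlike the zero-knowledge property, witness indistinguishability is preserved under parallel repetitions") leaves this paragraph asserting that parallel runs are justified by WI without saying why; since the property is now stated next to the WI definition in the first hunk, a short cross-reference to that definition (or to \cite{FS90} with the property named) would keep the argument self-contained here. The surrounding text also has a tense and agreement slip worth fixing in the same change: "This part induced a noticeable error-rate" should be "induces", "and ensure that the transmitted" should be "ensures", and "leak informations" should be "leak information"; "ideal lattice-setting" should be hyphenated as "ideal-lattice setting".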

@ -31,6 +31,7 @@
$\ZKAoK$ & Zero-Knowledge Argument of Knowledge \\
$\NIZK$ & Non-Interactive Zero-Knowledge \\
$\QANIZK$ & Quasi-Adaptive Non-Interactive Zero-Knowledge \\
$\textsf{WI}$ & Witness indistinguishable \\
$\OT$ & Oblivious Transfer \\
[1ex] \multicolumn{2}{l}{\scbf{Security Notions}} \\
$\advantage{\mathrm{E}}{\adv}$ & Advantage of adversary $\adv$ for experiment $\mathrm{E}$ \\
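Review bot: the new row `$\textsf{WI}$ & Witness indistinguishable \\` is inconsistent with its neighbours in two ways. The other abbreviations in this block are macros ($\ZKAoK$, $\NIZK$, $\QANIZK$, $\OT$) while this one is typed inline as `\textsf{WI}`, which is also how the body text writes it; defining a `\WI` macro alongside the others would keep the typesetting in one place. The expansion is also the only one phrased as an adjective in lower case; the others are capitalised nouns ("Oblivious Transfer", "Non-Interactive Zero-Knowledge"), so "Witness Indistinguishability" (or at least "Witness Indistinguishable") would match the table's convention.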