WI and Proof of knowledge
parent
b57293c56f
commit
0db1043246
27
chapZK.tex

@ 37,6 +37,31 @@ In this section, we first present the general principles and basic tools to hand


If the two ensembles in the definition of \textit{zeroknowledge} are the same, then the proof is \textit{perfect zeroknowledge}.


\end{definition}




\begin{definition}[Proof of knowledge \cite{GMR85,BG92}]


\index{Zero Knowledge!Proof of knowledge}


Let $\kappa$ be a function from $\bit^\star$ to $[0,1]$. A complete interactive proof system $(P,V)$ is said to be a \textit{proof of knowledge} for the relation $R$ with knowledge error $\kappa$ if it verifies the knowledge soundness property.


\begin{description}


\item[Knowledge soundness.] There exists a $\ppt$ algorithm $\mathcal E$, called the knowledge extractor. This algorithm takes as input $x$ and rewindable blackbox access to the prover, and targets to compute a $w$ such that $(x,w) \in R$.


For any prover $\hat{P}$, let $\varepsilon(x)$ be the probability that $V$ accepts on input $x$.


There exists a constant $c$ such that, whenever $\varepsilon(x) > \kappa(x)$, $M$ will output a correct $w$ with expected time at most $\frac{x^c}{\varepsilon(x)  \kappa(x)},$ where access to $\hat{P}$ counts as one step.


\end{description}


\end{definition}




This extractor represents the fact that an effective prover actually knows the secret (while a zeroknowledge proof only attests the existence of a witness $w$).


In the following, $\ZKAoK$ denotes \textit{ZeroKnowledge Argument of Knowledge}.




Another useful property that a proof system can have in the context of privacypreserving cryptography is witness indistinguishability (\textsf{WI}).


This property states that if a proof system has multiple witnesses, it is impossible to tell apart which one has been used during the proof.




\begin{definition}[Witness indistinguishable proofs~\cite{FS90}]


Let $(P,V)$ be a complete interactive proof system for relation $R$. It is said to be \textit{witness indistinguishable} if, for every $\ppt$ algorithm $\hat{V}$ and every two sequences $\{w_x\}_{(x, w_x) \in R}$, $\{w'_x\}_{(x,w'_x) \in R}$, the following ensembles are computationally indistinguishable:


\begin{align*}


\{ \trans(P(x, w_x), \hat{V}(x) \}_x && \mbox{and} && \{ \trans( P(x, w'_x), \hat{V}(x) \}_x.


\end{align*}


\end{definition}




The \textsf{WI} property is implied by the zeroknowledge property. Whereas the latter, \textit{witness indistinguishability} is preserved through parallel repetitions of the protocol~\cite{FS90}.




\subsection{$\Sigma$protocols}


\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Protocoles $\Sigma$}


\label{sse:sigmaprotocols}
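Review bot: the knowledge soundness clause introduces the extractor as $\mathcal E$ but the time bound then says "$M$ will output a correct $w$"; pick one name. The bound itself reads $\frac{x^c}{\varepsilon(x)  \kappa(x)}$, which has lost both the length bars and the subtraction: the bound from BG92 is $\frac{|x|^c}{\varepsilon(x) - \kappa(x)}$, and that denominator is the reason the premise $\varepsilon(x) > \kappa(x)$ is needed at all. In the WI definition the two ensembles are missing a closing parenthesis; they should read `\{ \trans(P(x, w_x), \hat{V}(x)) \}_x` and `\{ \trans(P(x, w'_x), \hat{V}(x)) \}_x`. The closing remark "Whereas the latter, witness indistinguishability is preserved through parallel repetitions" inverts the intended contrast: zero-knowledge is the property that is not preserved under parallel repetition, so write "unlike the latter" (the second hunk of this commit relies on exactly that fact). Finally, several compounds appear unhyphenated (zeroknowledge, blackbox, privacypreserving, ZeroKnowledge); if that is the source text rather than the diff rendering, add the hyphens.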



@ 311,7 +336,7 @@ For efficiency reasons, Schnorr's protocol is used along with FiatShamir heuris


This methodology has also been adapted to the ideal latticesetting by Lyubashevsky~\cite{Lyu08, Lyu09} along with a technique called \textit{rejection sampling} in order to construct ZK proofs from ideal lattice assumptions and is described in Figure~\ref{fig:schnorrlwe}.


In this description $D_y$ and $D_c$ are the distributions from which $\mathbf{y}_1, \mathbf{y}_2$ and $\mathbf{c}$ have to be sampled respectively, and $G$ describes the set of \textit{good} responses $\mathbf{z}_1, \mathbf{z}_2$ in order not to leak informations about $\mathbf{s}_1, \mathbf{s}_2$.


The part between brackets is called the \textit{rejection} phase, and ensure that the transmitted $\mathbf{z}_1, \mathbf{z}_2$ will not leak any information about $\mathbf{s}_1, \mathbf{s}_2$ to V.


This part induced a noticeable errorrate where the prover aborts the proof. As the protocol is proven \textit{witness indistinguishable}~\cite{Lyu09}, one can run the protocol multiple times in parallel and hope that one of them will not abort~\cite{FS90} (recall that, unlike the zeroknowledge property, witness indistinguishability is preserved under parallel repetitions).


This part induced a noticeable errorrate where the prover aborts the proof. As the protocol is proven \textit{witness indistinguishable}~\cite{Lyu09}, one can run the protocol multiple times in parallel and hope that one of them will not abort~\cite{FS90}.% (recall that, unlike the zeroknowledge property, witness indistinguishability is preserved under parallel repetitions).




\begin{figure}


\textbf{Common input:} A public element $\mathbf{a} \in R$ where $R = \ZZ_p[\mathbf{x}]/\langle \mathbf{x}^n + 1 \rangle$.
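Review bot: the only change in this hunk comments out the reminder that witness indistinguishability, unlike zero-knowledge, survives parallel repetition, yet that reminder is the justification for "run the protocol multiple times in parallel and hope that one of them will not abort"; either keep it here or move it next to the WI definition, otherwise the reader is given no reason to believe the parallel runs are safe. While touching this paragraph, fix the grammar slips in the unchanged context: "ideal latticesetting" (ideal lattice setting), "leak informations" (leak information), "ensure that the transmitted" (ensures), "This part induced a noticeable errorrate" (induces a noticeable error rate), and "to V" should be "to $V$" to match the math-mode $V$ used in the rest of the section.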





@ 31,6 +31,7 @@


$\ZKAoK$ & ZeroKnowledge Argument of Knowledge \\


$\NIZK$ & NonInteractive ZeroKnowledge \\


$\QANIZK$ & QuasiAdaptive NonInteractive ZeroKnowledge \\


$\textsf{WI}$ & Witness indistinguishable \\


$\OT$ & Oblivious Transfer \\


[1ex] \multicolumn{2}{l}{\scbf{Security Notions}} \\


$\advantage{\mathrm{E}}{\adv}$ & Advantage of adversary $\adv$ for experiment $\mathrm{E}$ \\
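Review bot: the new abbreviation row writes `$\textsf{WI}$`, wrapping a text-mode command in math mode, while the chapter body uses bare `\textsf{WI}`; define a macro in the same style as `\ZKAoK` and `\NIZK` (a name such as `\WI`, which is not in this diff) and use it in both places so the two typeset identically. The expansion "Witness indistinguishable" is an adjective where the neighbouring rows use nouns ("Oblivious Transfer", "ZeroKnowledge Argument of Knowledge"); "Witness indistinguishability" fits the column.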



