Zero-Knowledge Proof Systems

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

Chapter

ZeroKnowledge Pro of Systems

In this chapter we discuss zeroknowledge pro of systems Lo osely sp eaking such pro of

systems have the remarkable prop erty of b eing convincing and yielding nothing b eyond

the validity of the assertion The main result presented is a metho d to generate zero

knowledge pro of systems for every language in NP This metho d can b e implemented using

any bit commitmentscheme which in turn can b e implemented using any pseudorandom

generator In addition we discuss more rened asp ects of the concept of zeroknowledge

and their aect on the applicabili ty of this concept

ZeroKnowledge Pro ofs Motivation

An archetypical cryptographic problem consists of providing mutually distrustful parties

with a means of exchanging predetermined pieces of information The setting consists

of several parties each wishing to obtain some predetermined partial information concerning

the secrets of the other parties Yet eachparty wishes to reveal as little information as

p ossible ab out its own secret To clarify the issue let us consider a sp ecic example

Supp ose that all users in a system keep backups of their entire le system

encrypted using their publickey encryption in a publicly accessible storage

media Supp ose that at some p oint one user called Alice wishes to reveal to

another user called Bob the cleartext of one of her les which app ears in one of

her backups A trivial solution is for Alice just to send the cleartext le to

Bob The problem with this solution is that Bob has no wayofverifying that

Alice really sent him a le from her public backup rather than just sending

him an arbitrary le Alice can simply prove that she sends the correct le by

revealing to Bob her private encryption keyHowever doing so will reveal to

Bob the contents of all her les which is certainly something that Alice do es

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

not want to happ en The question is whether Alice can convince Bob that she

indeed revealed the correct le without yielding any additional knowledge

An analogous question can b e phrased formally as follows Let f b e a oneway

permutationand b a hardcore predicate with resp ect to f Supp ose that one

party A has a string x whereas another party denoted B onlyhasf x

Furthermore supp ose that A wishes to reveal bxtoparty B without yielding

any further information The trivial solution is to let A send bxtoB but

as explained ab ove B will havenowayofverifying whether A has really sent

the correct bit and not its complement Party A can indeed prove that it sends

the correct bit ie bx by sending x as well but revealing x to B is much

more than what A had originally in mind Again the question is whether A can

convince B that it indeed revealed the correct bit ie bx without yielding

any additional knowledge

In general the question is whether it is possible to prove a statement without yielding

anything beyond its validity Such pro ofs whenever they exist are called zeroknow ledge

and play a central role as we shall see in the subsequentchapter in the construction of

cryptographic proto cols

Lo osely sp eaking zeroknow ledge proofs areproofs that yield nothing ie no knowl

edge beyond the validity of the assertion In the rest of this intro ductory section we

discuss the notion of a pro of and a p ossible meaning of the phrase yield nothing ie

no knowledge b eyond something

The Notion of a Pro of

We discuss the notion of a pro of with the intention of uncovering some of its underlying

asp ects

A Pro of as a xed sequence or as an interactiveprocess

Traditionally in mathematics a pro of is a xed sequence consisting of statements which

are either selfevident or are derived from previous statements via selfevident rules Actu

ally it is more accurate to substitute the phrase selfevident by the phrase commonly

agreed In fact in the formal study of pro ofs ie logic the commonly agreed statements

are called axioms whereas the commonly agreed rules are referred to as derivation rules

We wish to stress two prop erties of mathematics pro ofs

pro ofs are viewed as xed ob jects

pro ofs are considered at least as fundamental as their consequence ie the theorem

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

ZEROKNOWLEDGE PROOFS MOTIVATION

However in other areas of human activity the notion of a pro of has a much wider

interpretation In particular a pro of is not a xed ob ject but rather a pro cess by which

the validity of an assertion is established For example the crossexamination of a witness

in court is considered a pro of in law and failure to answer a rivals claim is considered a

pro of in philosophical p olitical and sometimes even technical discussions In addition in

reallife situations pro ofs are considered secondary in imp ortance to their consequence

To summarize in canonical mathematics pro ofs have a static nature eg they are

written whereas in reallife situations pro ofs have a dynamic nature ie they are es

tablished via an interaction The dynamic interpretation of the notion of a pro of is more

adequate to our setting in which pro ofs are used as to ols ie subproto cols inside cryp

tographic proto cols Furthermore the dynamic interpretation at least in a weak sense is

essential to the nontriviality of the notion of a zeroknowledge pro of

Prover and Verier

The notion of a prover is implicit in all discussions of pro ofs b e it in mathematics or in

reallife situations Instead the emphasis is placed on the verication process or in other

words on the role of the verier Both in mathematics and in reallife situations pro ofs

are dened in terms of the verication pro cedure Typically the verication pro cedure is

considered to b e relatively simple and the burden is placed on the partyp erson supplying

the pro of ie the prover

The asymmetry b etween the complexity of the verication and the theoremproving

tasks is captured by the complexity class NP which can b e viewed as a class of pro of

systems Each language L NP has an ecientverication pro cedure for pro ofs of state

ments of the form x L Recall that each L NP is characterized by a p olynomialtime

recognizable relation R so that

L fx y st x y R g

and x y R only if jy j p oly jxj Hence the verication pro cedure for memb ership

claims of the form x L consists of applying the p olynomialtime algorithm for rec

ognizing R to the claim enco ded by x and a prosp ective pro of denoted y Hence any

y satisfying x y R is considered a proof of memb ership of x L Hence correct

statements ie x L and only them have pro ofs in this pro of system Note that the ver

ication pro cedure is easy ie p olynomialtime whereas coming up with pro ofs may

b e dicult

It is worthwhile to stress the distrustful attitude towards the prover in any pro of system

If the verier trusts the prover then no pro of is needed Hence whenever discussing a pro of

system one considers a setting in which the verier is not trusting the prover and furthermore

is skeptic of anything the prover says

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

Completeness and Validity

Two fundamental prop erties of a pro of system ie a verication pro cedure are its validity

and completeness The validity prop erty asserts that the verication pro cedure cannot b e

tricked into accepting false statements In other words validity captures the verier

ability of protecting itself from b eing convinced of false statements no matter what the

prover do es in order to fo ol it On the other hand completeness captures the abilityof

some prover to convince the verier of true statements b elonging to some predetermined

set of true statements Note that b oth prop erties are essential to the very notion of a pro of

system

We remark here that not every set of true statements has a reasonable pro of system

in which each of these statements can b e proven while no false statement can b e proven

This fundamental fact is given a precise meaning in results suchasGodels Incompleteness

Theorem and Turings pro of of the unsolvability of the Halting Problem We stress that in

this chapter we conne ourself to the class of sets that do have ecient pro of systems

In fact Section is devoted to discussing and formulating the concept of ecient pro of

systems Jumping ahead we hint that the eciency of a pro of system will b e asso ciated

with the eciency of its verication pro cedure

Gaining Knowledge

Recall that wehavemotivated zeroknowledge pro ofs as pro ofs by which the verier gains

no knowledge b eyond the validity of the assertion The reader mayrightfully wonder

what is knowledge and what is a gain of knowledge When discussing zeroknowledge pro ofs

weavoid the rst question which is quite complex and treat the second question directly

Namely without presenting a denition of knowledge we present a generic case in whichit

is certainly justied to say that no knowledge is gained Fortunately this conservative

approach seems to suce as far as cryptography is concerned

Tomotivate the denition of zeroknowledge consider a conversation b etween two par

ties Alice and Bob Assume rst that this conversation is unidirectional sp ecically Alice

only talks and Bob only listens Clearlywecansay that Alice gains no knowledge from

the conversation On the other hand Bob mayormay not gain knowledge from the con

versation dep ending on what Alice says For example if all that Alice says is

then clearly Bob gains no knowledge from the conversation since he knows this fact himself

If on the other hand Alice tells Bob a pro of of Fermats Theorem then certainly he gained

knowledge from the conversation

To give a b etter avour of the denition wenow consider a conversation b etween Alice

and Bob in which Bob asks Alice questions ab out a large graph that is known to b oth of

them Consider rst the case in which Bob asks Alice whether the graph is Eulerian or

not Clearlywesay that Bob gains no knowledge from Alices answer since he could have

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

ZEROKNOWLEDGE PROOFS MOTIVATION

determined the answer easily by himself eg by using Eulers Theorem whichassertsthat

a graph is Eulerian if and only if all its vertices haveeven degree On the other hand if

Bob asks Alice whether the graph is Hamiltonian or not and Alice somehow answers

this question then we cannot say that Bob gained no knowledge since wedonotknowof

an ecient pro cedure bywhich Bob can determine the answer by himself and assuming

P NP no such ecient pro cedure exists Hence wesay that Bob gained know ledge

from the interaction if his computational ability concerning the publicly known graph has

increased ie if after the interaction he can easily compute something that he could not

have eciently computed b efore the interaction On the other hand if whatever Bob can

eciently compute ab out the graph after interacting with Alice he can also eciently

compute by himself from the graph then wesay that Bob gained no know ledge from the

interaction Hence Bob gains knowledge only if he receives the result of a computation which

is infeasible for Bob The question of how could Alice conduct this infeasible computation

eg answer Bobs question of whether the graph is Hamiltonian has b een ignored so far

Jumping ahead we remark that Alice may b e a mere abstraction or may b e in p ossession

of additional hints that enables to eciently conduct computations that are otherwise

infeasible and in particular are infeasible for Bob who do es not have these hints Yet

these hints are not necessarily information in the information theoretic sense as they may

b e determined by the common input but not eciently computed from it

Knowledge vs information

We wish to stress that know ledge as discussed ab ove is very dierentfrominformation in

the sense of information theory

Know ledge is related to computational diculty whereas information is not In the

ab ove examples there was a dierentbetween the knowledge revealed in case Alice

answers questions of the form is the graph Eulerian and the case she answers ques

tions of the form is the graph Hamilton From an information theoretic p oint of view

there is no dierence b etween the two cases ie in b oth Bob gets no information

Know ledge relates mainly to publicly known ob jects whereas information relates

mainly to ob jects on which only partial information is publicly known Consider the

case in which Alice answers each question by ipping an unbiased coin and telling

Bob the outcome From an information theoretic p oint of view Bob gets from Alice

information concerning an event However wesay that Bob gains no knowledge from

Alice since he can toss coins by himself

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

Interactive Pro of Systems

In this section weintro duce the notion of an interactive pro of system and present a non

trivial example of such a system sp ecically to claims of the form the following two

graphs are not isomorphic The presentation is directed towards the intro duction of zero

knowledge interactive pro ofs Interactive pro of systems are interesting for their own sake

and have imp ortant complexity theoretic applications that are discussed in Chapter

Denition

The denition of an interactive pro of system refers explicitly to the two computational tasks

related to a pro of system pro ducing a pro of and verifying the validity of a pro of These

tasks are p erformed bytwodierent parties called the prover and the verier whichinteract

with one another The interaction maybevery simple and in particular unidirectional ie

the prover sends a text called the pro of to the verier In general the interaction maybe

more complex and may take the form of the verier interrogating the prover

Interaction

Interaction b etween two parties is dened in the natural manner The only p ointworth

noting is that the interaction is parameterized by a common input given to b oth parties

In the context of interactive pro of systems the common input represents the statement

to b e proven We rst dene the notion of an interactivemachine and next the notion

of interaction b etween twosuchmachines The reader may skip to the next part of this

subsection titled Conventions regarding interactivemachines with little loss if at all

Denition an interactive machine

An interactive Turing machine ITM is a deterministic multitapeTuring machine

The tapes consists of a readonly inputtap eareadonly randomtap eareadand

write worktap e a writeonly outputtap eapair of communicationtap es and a

readandwrite switchtap e consisting of a single cel l initiatedtocontents One

communicationtapeisreadonly and the other is writeonly

Each ITM is associated a single bit f gcal ledits identityAn ITM is said

to be activeinaconguration if the contents of its switchtapeequals the machines

identity Otherwise the machine is said to be idle While being id le the state of

the machine the location of its heads on the various tapes and the contents of the

writeable tapes of the ITM is not modied

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

INTERACTIVE PROOF SYSTEMS

The contents of the inputtapeiscal led inputthecontents of the randomtapeiscal led

randominput and the contents of the outputtape at termination is cal led output

The contents written on the writeonly communicationtape during a time period

in which the machine is active is cal ledthe message sent at this period Likewise

the contents read from the readonly communicationtapeduringanactiveperiodis

cal ledthe message received at that period Without loss of generality the machine

movements on both communicationtapes are only in one direction say left to right

The ab ove denition taken by itself seems quite nonintuitive In particular one may

say that once b eing idle the machine never b ecomes active again One may also wonder

what is the p oint of distinguishing the readonly communicationtap e from the inputtap e

and resp ectively distinguishing the writeonly communicationtap e from the outputtap e

The p oint is that we are never going to consider a single interactivemachine but rather a

pair of machines combined together so that some of their tap es coincide Intuitivelythe

messages sentbyaninteractive machine are received by a second machine which shares its

communicationtap es so that the readonly communicationtap e of one machine coincides

with the writeonly tap e of the other machine The activemachine may b ecome idle by

changing the contents of the shared switchtap e and by doing so the other machine having

opp osite identity b ecomes active The computation of such a pair of machines consists of

the machines alternatingly sending messages to one another based on their initial common

input their distinct randominputs and the messages eachmachine has received so far

Denition joint computation of two ITMs

Two interactive machines aresaidtobe linked if they have opposite identities their

inputtapes coincide their switchtapes coincide and the readonly communication

tape of one machine coincides with the writeonly communicationtape of the other

machine and viceversaWestress that the other tapes of both machines ie the

randomtape the worktape and the outputtape are distinct

The joint computation of a linkedpair of ITMs on a common input xisasequence

of pairs Each pair consists of the local conguration of each of the machines In each

such pair of local congurations one machine not necessarily the same one is active

while the other machine is id le

If one machine halts while the switchtape stil l holds its identity the we say that both

machines have halted

At this p oint the reader may ob ject to the ab ove denition saying that the individual

machines are deprived of individual lo cal inputs and observing that they are given indi

vidual and unshared randomtap es This restriction is removed in Subsection and in

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

fact removing it is quite imp ortant at least as far as practical purp oses are concerned Yet

for a rst presentation of interactive pro ofs as well as for demonstrating the p ower of this

concept we prefer the ab ove simpler denition The convention of individual randomtap es

is however essential to the p ower of interactive pro ofs see Exercise

Conventions regarding interactivemachines

Typicallywe consider executions when the contents of the randomtap e of eachmachine is

uniformly and indep endently chosen among all innite bit sequences The convention of

having an innite sequence of internal coin tosses should not b other the reader since during

a nite computation only a nite prex is read and matters The contents of each of these

randomtap es can b e viewed as internal coin tosses of the corresp onding machine as in the

denition of ordinary probabilistic machines presented in Chapter Hence interactive

machines are in fact probabilistic

Notation Let A and B b e a linked pair of ITMs and supp ose that all p ossible interactions

of A and B on each common input terminate in a nite numb er of steps We denote by

hA B ix the random variable representing the lo cal output of B when interacting with

machine A on common input x when the randominput to eachmachine is uniformly and

indep endently chosen

Another imp ortant convention is to consider the timecomplexityofaninteractivema

chine as a function of its input only

Denition the complexityofaninteractivemachine We say that an interactive

machine A has time complexity t NI NI if for every interactive machine B and every

string x it holds that when interacting with machine B oncommon input x machine A

always ie regard less of the contents of its randomtapeandB s randomtape halts within

tjxj steps

We stress that the time complexity so dened is indep endent of the contents of the

messages that machine A receives In other word it is an upp er b ound which holds for all

p ossible incoming messages In particular an interactivemachine with time complexity t

reads on input x only a prex of total length tjxj of the messages sent to it

Pro of systems

In general pro of systems are dened in terms of the verication pro cedure whichmaybe

viewed as one entity called the verier A pro of to a sp ecic claim is always considered

as coming from the outside which can b e viewed as another entity called the prover The

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

INTERACTIVE PROOF SYSTEMS

verication pro cedure itself do es not generate pro ofs but merely veries their validity

Interactive pro of systems are intended to capture whatever can b e eciently veried via

interaction with the outside In general the interaction with the outside maybevery

complex and may consist of many message exchanges as long as the total time sp entby

the verier is p olynomial

In light of the asso ciation of ecient pro cedures with probabilistic p olynomialtime

algorithms it is natural to consider probabilistic p olynomialtime veriers Furthermore

the veriers verdict of whether to accept or reject the claim is probabilistic and a b ounded

error probabilityisallowed The error can of course b e decreased to b e negligible by

rep eating the verication pro cedure suciently many times Lo osely sp eaking we require

that the prover can convince the verier of the validityofvalid statement while nob o dy can

fo ol the verier into b elieving false statements In fact it is only required that the verier

accepts valid statements with high probability whereas the probability that it accepts

a false statement is small regardless of the machine with which the verier interacts

In the following denition the veriers output is interpreted as its decision on whether to

accept or reject the common input Output is interpreted as accept whereas output

is interpreted as reject

Denition interactive pro of system Apair of interactive machines P V iscal led

an interactive pro of system for a language L if machine V is polynomialtime and the fol lowing

two conditions hold

Completeness For every x L

Prob hP V ix

Soundness For every x L and every interactive machine B

Prob hB V ix

Some remarks are in place We rst stress that the soundness condition refers to all

p otential provers whereas the completeness condition refers only to the prescrib ed prover

P Secondly the verier is required to b e probabilistic p olynomialtime while no re

source b ounds are placed on the computing p ower of the prover in either completeness or

soundness conditions Thirdly as in the case of BP P the error probability in the ab ove

denition can b e made exp onentially small by rep eating the interaction p olynomially

many times see b elow

Every language in NP has an interactive pro of system Sp ecicallyletL NP and

let R b e a witness relation asso ciated with the language L ie R is recognizable in

L L

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

p olynomialtime and L equals the set fx y st jy j p oly x x y R g Then

an interactive pro of for the language L consists of a prover that on input x L sends a

witness y as ab ove and a verier that up on receiving y on common input x outputs

if jy j polyjxj and x y R and otherwise Clearly when interacting with the

prescrib ed prover this verier will always accept inputs in the language On the other hand

no matter what a cheating prover do es this verier will never accept inputs not in the

language We p oint out that in this pro of system b oth parties are deterministic ie make

no use of their randomtap e It is easy to see that only languages in NP haveinteractive

pro of systems in which b oth parties are deterministic see Exercise

In other words NP can b e viewed as a a class of interactive pro of systems in which

the interaction is unidirectional ie from the prover to the verier and the verier is

deterministic and never errs In general interactive pro ofs both restrictions are waived

the interaction is bidirectional and the verier is probabilistic and may err with some small

probability Both bidirectional interaction and randomization seem essential to the p ower

of interactive pro of systems see further discussion in Chapter

Denition the class IP The class IP consists of al l languages having interactive

proof systems

By the ab ove discussion NP IP Since languages in BP P can b e viewed as having a

verier that decides on memb ership without anyinteraction it follows that BP P N P

IPWe remind the reader that it is not known whether BP P N P

We stress that the denition of the class IP remains invariant if one replaced the

constant b ounds in the completeness and soundness conditions bytwo functions c s

polyn p olyn

NI NI satisfying cn sn and cn sn Namely

polyn

Denition generalized interactive pro of Let c s NI NI be functions satisfying

cn sn for some polynomial pAn interactive pair P V is cal ledagen

eralized interactive proof system for the language Lwithcompleteness b ound c and

soundness b ound sif

mo died completeness For every x L

Prob hP V ix cjxj

mo died soundness For every x L and every interactive machine B

Prob hB V ix sjxj

def

The function g where gn cn sniscal led the acceptance gap of P V and the

def

function e where en maxf cn sngiscal led the error probability of P V

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

INTERACTIVE PROOF SYSTEMS

Prop osition The fol lowing threeconditions areequivalent

L IP Namely there exists a interactive proof system with completeness bound

for the language L and soundness bound

L has very strong interactive pro of systems For every polynomial pthere exists

an interactive proof system for the language L with error probability boundedabove

L has a very weak interactive pro of There exists a polynomial panda generalized

interactive proof system for the language L with acceptancegapboundedbelow by

pFurthermore completeness and soundness bounds for this system namely the

values cn and sncan becomputedintimepolynomial in n

Clearly either of the rst two items imply the third one including the requirementfor

eciently computable b ounds The ability to eciently compute completeness and sound

ness b ounds is used in proving the opp osite nontrivial direction The pro of is left as an

exercise ie Exercise

An Example Graph NonIsomorphism in IP

All examples of interactive pro of systems presented so far were degenerate eg the in

teraction if at all was unidirectional Wenow present an example of a nondegenerate

interactive pro of system Furthermore we presentaninteractive pro of system for a lan

guage not known to beinBP P N P Sp ecically the language is the set of pairs of

nonisomorphic graphs denoted GN I

Two graphs G V E and G V E are called isomorphic if there exists a

and onto mapping from the vertex set V to the vertex set V so that u v E if and

only if v u E The mapping if existing is called an isomorphism between the

graphs

Construction Interactive pro of system for Graph NonIsomorphism

Common Input Apairoftwographs G V E and G V E Suppose

without loss of generality that V f jV jg and similarly for V

Veriers rst Step V The verier selects at random one of the two input graphs

and sends to the prover a random isomorphic copyofthisgraph Namely the verier

selects uniformly f gandarandom permutation from the set of permutations

over the vertex set V The verier constructs a graph with vertex set V and edge set

def

F f uv u v E g

and sends V F to the prover

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

Motivating Remark If the input graphs are nonisomorphic as the prover claims

then the prover should be able to distinguish not necessarily by an ecient algorithm

isomorphic copies of one graph from isomorphic copies of the other graph However

if the input graphs are isomorphic then a random isomorphic copy of one graph is

distributed identical ly to a random isomorphic copy of the other graph

Provers rst Step P Upon receiving a graph G V E from the verier the

prover nds a f g so that the graph G is isomorphic to the input graph G If

both satisfy the condition then is selected arbitrarily In case no f g

satises the condition is set to The prover sends to the verier

Veriers second Step V If the message receivedfrom the prover equals

chosen in Step V then the verier outputs ie accepts the common input

Otherwise the verier outputs ie rejects the common input

The verier program presented ab ove is easily implemented in probabilistic p olynomial

time We do not known of a probabilistic p olynomialtime implementation of the provers

program but this is not required Wenowshow that the ab ove pair of interactive machines

constitutes an interactive pro of system in the general sense for the language GN I Graph

NonIsomorphism

Prop osition The language GN I is in the class IP Furthermore the programs speci

ed in Construction constitute a generalizedinteractive proof system for GN I Namely

If G and G are not isomorphic ie G G GN I then the verier always

accept when interacting with the prover

If G and G are isomorphic ie G G GN I then no matter with what

machine the verier interacts it rejects the input with probability at least

pro of ClearlyifG and G are not isomorphic then no graph can b e isomorphic to b oth

G and G It follows that there exists a unique such that the graph G received by the

prover in Step P is isomorphic to the input graph G Hence found by the prover in

Step P always equals chosen in Step V Part follows

On the other hand if G and G are isomorphic then the graph G is isomorphic to

b oth input graphs Furthermore we will show that in this case the graph G yields no

information ab out and consequently no machine can on input G G and G set so

that it equal with probability greater than Details follow

Let b e a p ermutation on the vertex set of a graph G V E Then we denote by

G the graph with vertex set V and edge set f uv u v E g Let be a

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

INTERACTIVE PROOF SYSTEMS

random variable uniformly distributed over f g and b e a random variable uniformly

distributed over the p ermutations of the set V We stress that these two random variable

are indep endent We are interested in the distribution of the random variable G We

are going to show that although G is determined by the random variables and

the random variables and G are statistically indep endent In fact we show

Claim If the graphs G and G are isomorphic then for every graph G it holds that

Prob jG G Prob jG G

def def

pro of We rst claim that the sets S f G G and S f G G

are of equal cardinality This follows from the observation that there is a and onto

corresp ondence b etween the set S and the set S the corresp ondence is given by the

isomorphism b etween the graphs G and G Hence

Prob G G j Prob G G

Prob S

Prob G G j

Using Bayes Rule the claim follows

Using Claim it follows that for every pair G G of isomorphic graphs and for

every randomized pro cess R p ossibly dep ending on this pair it holds that

Prob RG Prob G G Prob RG jG G

Prob G G

Prob RG b Prob b jG G

bfg

Prob G G Prob RG f g

with equalityincaseR always outputs an element in the set f gPart of the prop o

sition follows

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

Remarks concerning Construction

In the pro of system of Construction the verier always accepts inputs in the language

ie the error probability in these cases equals zero All interactive pro of systems we shall

consider will share this prop erty In fact it can b e shown that every interactive pro of system

can b e transformed into an interactive pro of system for the same language in whichthe

verier always accepts inputs in the language On the other hand as shown in Exercise

only languages in NP haveinteractive pro of system in which the verier always rejects

inputs not in the language

The fact that GN I IP whereas it is not known whether GN I NP is an indi

cation to the p ower of interaction and randomness in the context of theorem proving A

much stronger indication is provided by the fact that every language in PSPACE has an

interactive pro of system in fact IP equals PSPACE For further discussion see Chapter

Augmentation to the Mo del

For purp oses that will b ecome more clear in the sequel we augment the basic denition of

an interactive pro of system by allowing each of the parties to have a private input in addi

tion to the common input Lo osely sp eaking these inputs are used to capture additional

information available to each of the parties Sp ecically when using interactive pro of sys

tems as subproto cols inside larger proto cols the private inputs are asso ciated with the lo cal

congurations of the machines b efore entering the subproto col In particular the private

input of the prover maycontain information which enables an ecient implementation of

the provers task

Denition interactive pro of systems revisited

An interactive machine is dened as in Denition except that the machine has

an additional readonly tapecal led the auxiliaryinputtap e The contents of this tape

is cal l auxiliary input

The complexity of such an interactive machine is stil l measured as a function of the

common input Namely the interactive machine A has time complexity t NI NI

if for every interactive machine B and every string x it holds that when interacting

with machine B oncommon input x machine A always ie regardless of contents

of its randomtape and its auxiliaryinputtape as wel l as the contents of B s tapes

halts within tjxj steps

We denote by hAy Bz ix the random variable representing the local output of

B when interacting with machine A on common input x when the randominput to

each machine is uniformly and independently chosen and A resp B has auxiliary

input y resp z

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

ZEROKNOWLEDGE PROOFS DEFINITIONS

Apair of interactive machines P V iscal ledaninteractive pro of system for a

language L if machine V is polynomialtime and the fol lowing two conditions hold

Completeness For every x Lthere exists a string y such that for every

z f g

Prob hP y Vz ix

Soundness For every x L every interactive machine B and every y z

f g

Prob hB y V z ix

We stress that when saying that an interactivemachine is p olynomialtime we mean

that its runningtime is p olynomial in the length of the common input Consequentlyitis

not guaranteed that such a machine has enough time to read its entire auxiliary input

ZeroKnowledge Pro ofs Denitions

In this section weintro duce the notion of a zeroknowledge interactive pro of system and

present a nontrivial example of such a system sp ecically to claims of the form the

following two graphs are isomorphic

Perfect and Computational ZeroKnowledge

Lo osely sp eaking wesay that an interactive pro of system P V for a language L is zero

knowledge if whatever can b e eciently computed after interacting with P on input x L

can also b e eciently computed from x without anyinteraction We stress that the ab ove

holds with resp ect to any ecientwayofinteracting with P not necessarily the way dened

by the verier program V Actually zeroknowledge is a prop erty of the prescrib ed prover

P It captures P s robustness against attempts to gain knowledge byinteracting with it A

straightforward way of capturing the informal discussion follows

Let P V beaninteractive pro of system for some language LWesay that

P V actually P isperfect zeroknow ledge if for every probabilistic p olynomial

time interactivemachine V there exists an ordinary probabilistic p olynomial

time algorithm M so that for every x L the following two random variables

are identically distributed

hP V ix ie the output of the interactivemachine V after interacting

with the interactive machine P on common input x

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

M x ie the output of machine M on input x

Machine M is called a simulator for the interaction of V with P

We stress that we require that for every V interacting with P not merely for V

there exists a p erfect simulator M This simulator although not having access to the

interactivemachine P is able to simulate the interaction of V with P Thisfactistaken

as evidence to the claim that V did not gain any knowledge from P since the same output

could have b een generated without anyaccesstoP

Note that every language in BP P has a p erfect zeroknowledge pro of system in which

the prover do es nothing and the verier checks by itself whether to accept the common

input or not To demonstrate the zeroknowledge prop erty of this dummy prover one

may present for every verier V a simulator M whichisessentially identical to V except

that the communication tap es of V are considered as ordinary work tap es of M

Unfortunately the ab oveformulation of p erfect zeroknowledge is slightly to o strict to b e

useful We relax the formulation by allowing the simulator to fail with b ounded probability

to pro duce an interaction

Denition p erfect zeroknowledge Let P V beaninteractive proof system for

some language L We say that P V is p erfect zeroknowledge if for every probabilistic

polynomialtime interactive machine V there exists a probabilistic polynomialtime algo

rithm M so that for every x L the fol lowing two conditions hold

With probability at most on input x machine M outputs a special symbol denoted

ie ProbM x

Let m x bea random variable describing the distribution of M x conditionedon

M x ie Probm x ProbM x jM x for every

f g Then the fol lowing random variables are identical ly distributed

hP V ix ie the output of the interactive machine V after interacting with

the interactive machine P on common input x

m x ie the output of machine M on input xconditionedonnotbeing

Machine M is cal leda p erfect simulator for the interaction of V with P

Condition ab ove can b e replaced by a stronger condition requiring that M outputs

the sp ecial symb ol ie only with negligible probabilityFor example one can require

pjxj

that on input x machine M outputs with probability b ounded ab oveby for

any p olynomial p see Exercise Consequently the statistical dierence b etween the

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

ZEROKNOWLEDGE PROOFS DEFINITIONS

random variables hP V ix and M x can b e made negligible in jxj see Exercise

Hence whatever the verier eciently computes after interacting with the prover can b e

eciently computed up to an overwhelmingly small error by the simulator and hence by

the verier himself

Following the spirit of Chapters and we observe that for practical purp oses there

is no need to b e able to p erfectly simulate the output of V after interacting with P

Instead it suces to generate a probability distribution which is computationally indis

tinguishable from the output of V after interacting with P The relaxation is consistent

with our original requirement that whatever can b e eciently computed after interacting

with P on input x L can also b e eciently computed from x without anyinteraction

The reason b eing that we consider computationally indistinguishable ensembles as b eing

the same Before presenting the relaxed denition of general zeroknowledge we recall the

denition of computationally indistinguishabl e ensembles Here we consider ensembles in

dexed by strings from a language LWesay that the ensembles fR g and fS g are

x xL x xL

computationally indistinguishable if for every probabilistic p olynomialtime algorithm D

for every p olynomial p and all suciently long x L it holds that

jProbD x R ProbD x S j

x x

pjxj

Denition computational zeroknowledge Let P V beaninteractive proof sys

tem for some language L We say that P V is computational zeroknowledge or just

zeroknowledge if for every probabilistic polynomialtime interactive machine V thereex

ists a probabilistic polynomialtime algorithm M so that the fol lowing two ensembles are

computational ly indistinguishable

fhP V ixg ie the output of the interactive machine V after interacting with

the interactive machine P on common input x

fM xg ie the output of machine M on input x

Machine M is cal leda simulator for the interaction of V with P

The reader can easily verify see Exercise that allowing the simulator to output

the symbol with probability b ounded ab ovebysay and considering the conditional

output distribution as done in Denition do es not add to the p ower of Denition

We stress that b oth denitions of zeroknowledge apply to interactive pro of systems in

the general sense ie having any nonnegligible gap in the acceptance probabilities for

inputs inside and outside the language In fact the denitions of zeroknowledge apply to

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

any pair of interactive machines actually to eachinteractivemachine Namelywemay

say that the interactivemachine A is zeroknow ledge on L if whatever can b e eciently

computed after interacting with A on common input x L can also b e eciently computed

from x itself

An alternativeformulation of zeroknowledge

An alternative formulation of zeroknowledge considers the veriers view of the interaction

with the prover rather than only the output of the verier after suchaninteraction By the

veriers view of the interaction we mean the entire sequence of the lo cal congurations of

the verier during an interaction execution with the prover Clearly it suces to consider

only the contents of the randomtap e of the verier and the sequence of messages that the

verier has received from the prover during the execution since the entire sequence of lo cal

congurations as well as the nal output are determine by these ob jects

Denition zeroknowledge alternativeformulation Let P V L and V beas

x arandom variable describing the contents of in Denition We denote by view

the randomtapeofV and the messages V receives from P during a joint computation on

common input x We say that P V is zeroknowledge if for every probabilistic polynomial

time interactive machine V there exists a probabilistic polynomialtime algorithm M so

xg and fM xg arecomputational ly indistinguishable that the ensembles fview

xL xL

A few remarks are in place Denition is obtained from Denition by replac

ing hP V ix for view x The simulator M used in Denition is related but not

equal to the simulator used in Denition yet this fact is not reected in the text of

these denitions Clearly V x can b e computed in deterministic p olynomialtime from

x for every V Although the opp osite direction is not always true Denition view

is equivalent to Denition see Exercise The latter fact justies the use of Def

inition which is more convenienttowork with although it seems less natural than

Denition An alternative formulation of p erfect zeroknowledge is straightforward

and clearly it is equivalent to Denition

Complexity classes based on ZeroKnowledge

Denition class of languages having zeroknowledge pro ofs We denote by ZK

also CZ K the class of languages having computational zeroknow ledge interactive proof

systems Likewise PZK denotes the class of languages having p erfect zeroknow ledge in

teractive proof systems

Clearly BPP P Z K CZ K IP Webelieve that the rst two inclusions are

strict Assuming the existence of nonuniformly oneway functions the last inclusion is

an equality ie CZ K IP See Prop osition and Theorems and

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

ZEROKNOWLEDGE PROOFS DEFINITIONS

Exp ected p olynomialtime simulators

The formulation of p erfect zeroknowledge presented in Denition is dierent from

the standard denition used in the literature The standard denition requires that the

simulator always outputs a legal transcript which has to b e distributed identically to the

real interaction yet it allows the simulator to run in expected p olynomialtime rather than

in strictly p olynomialtime time We stress that the exp ectation is taken over the coin

tosses of the simulator whereas the input to the simulator is xed

Denition p erfect zeroknowledge lib eral formulation We say that P V is p er

fect zeroknowledge in the lib eral sense if for every probabilistic polynomialtime interactive

machine V there exists an exp ected polynomialtime algorithm M so that for every x L

the random variables hP V ix and M x are identical ly distributed

We stress that by probabilistic polynomialtime we mean a strict b ound on the run

ning time in all p ossible executions whereas by expectedpolynomialtime we allownon

p olynomialtime executions but require that the runningtime is p olynomial on the aver

age Clearly Denition implies Denition see Exercise Interestingly there

exists interactive pro ofs which are p erfect zeroknowledge with resp ect to the lib eral deni

tion but not known to b e p erfect zeroknowledge with resp ect to Denition We prefer

to adopt Denition rather than Denition b ecause wewanted to avoid the notion

of exp ected p olynomialtime that is much more subtle than one realizes at rst glance

Aparenthetical remark concerning the notion of average polynomialtimeThe

naiveinterpretation of exp ected p olynomialtime is having average runningtime

that is boundedbyapolynomial in the input length This denition of exp ected

p olynomialtime is unsatisfactory since it is not closed under reductions and is

to o machine dependent Both aggravating phenomenon follow from the fact

that a function mayhaveanaverage sayover f g that is b ounded by

p olynomial in n and yet squaring the function yields a function whichisnot

b ounded by a p olynomial in n Hence a b etter interpretation of exp ected

p olynomialtime is having runningtime that is boundedbyapolynomial in a

function which has average linear growing rate

Furthermore the corresp ondence b etween average p olynomialtime and ecient computa

tions is more controversial than the more standard asso ciation of strict p olynomialtime

with ecient computations

An analogous discussion applies also to computational zeroknowledge More sp ecically

Denition requires that the simulator works in p olynomialtime whereas a more lib eral

notion allows it to work in expected p olynomialtime

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

For sake of elegancy it is customary to mo dify the denitions allowing expected p olynomial

time simulators by requiring that suchsimulators exist also for the interaction of expected

p olynomialtime veriers with the prover

An Example Graph Isomorphism in PZK

As mentioned ab ove every language in BP P has a trivial ie degenerate zeroknowledge

pro of system Wenowpresent an example of a nondegenerate zeroknowledge pro of system

Furthermore wepresent a zeroknowledge pro of system for a language not known to b e in

BP P Sp ecicall y the language is the set of pairs of isomorphic graphs denoted GI see

denition in Section

Construction Perfect ZeroKnowledge pro of for Graph Isomorphism

Common Input Apair of two graphs G V E and G V E Let bean

isomorphism between the input graphs namely is a and onto mapping of the

vertex set V to the vertex set V so that u v E if and only if v u E

Provers rst Step P The prover selects a random isomorphic copy of G and

sends it to the verier Namely the prover selects at random with uniform probability

distribution a permutation from the set of permutations over the vertex set V and

constructs a graph with vertex set V and edge set

def

F f uv u v E g

The prover sends V F to the verier

Motivating Remark If the input graphs are isomorphic as the prover claims then

the graph sent in step P is isomorphic to both input graphs However if the input

graphs are not isomorphic then no graph can be isomorphic to both of them

Veriers rst Step V Upon receiving a graph G V E from the prover the

veriers asks the prover to show an isomorphism between G and one of the input

graph chosen at random by the verier Namely the verier uniformly selects

f g and sends it to the prover who is supposed to answer with an isomorphism

between G and G

Provers second Step P If the message receivedfrom the verier equals then

the prover sends to the verier Otherwise ie the prover sends ie

def

the composition of on denedas v v to the verier Remark

the prover treats any as

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

ZEROKNOWLEDGE PROOFS DEFINITIONS

Veriers second Step V If the message denoted receivedfrom the prover is an

isomorphism between G and G then the verier outputs otherwise it outputs

Let use denote the provers program by P

The verier program presented ab ove is easily implemented in probabilistic p olynomial

time In case the prover is given an isomorphism b etween the input graphs as auxiliary input

also the provers program can b e implemented in probabilistic p olynomialtime Wenow

show that the ab ovepairofinteractivemachines constitutes a zeroknow ledge interactive

pro of system in the general sense for the language GI Graph Isomorphism

Prop osition The language GI has a perfect zeroknow ledge interactive proof system

Furthermore the programs specied in Construction satisfy

If G and G are isomorphic ie G G GI then the verier always accepts

when interacting with the prover

If G and G are not isomorphic ie G G GI then no matter with what

machine the verier interacts it rejects the input with probability at least

The above prover ie P isperfect zeroknow ledge Namely for every probabilistic

polynomialtime interactive machine V there exists a probabilistic polynomialtime

def

algorithm M outputting with probability at most so that for every x G G

GI the fol lowing two random variables are identical ly distributed

x ie the view of V after interacting with P oncommon input x view

m x ie the output of machine M on input xconditioned on not being

A zeroknowledge interactive pro of system for GI with error probability only in the

soundness condition can b e derived by executing the ab ove proto col sequentially k times

We stress that in each rep etition of the ab ove proto col b oth the prescrib ed prover and

verier use coin tosses which are indep endent of the coins used in the other rep etitions of the

proto col For further discussion see Section We remark that k parallel executions will

decrease the error in the soundness condition to as well but the resulting interactive

pro of is not known to b e zeroknowledge in case k grows faster than logarithmic in the input

length In fact we b elieve that suchaninteractive pro of is not zeroknowledge For further

discussion see Section

We stress that it is not known whether GI BPP Hence Prop osition asserts the

existence of p erfect zeroknowledge pro ofs for languages not known to b e in BP P

pro of Werstshow that the ab ove programs indeed constitute a general interactive pro of

system for GI Clearly if the input graphs G and G are isomorphic then the graph G

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

constructed in step P is isomorphic to b oth of them Hence if each party follows its

prescrib ed program then the verier always accepts ie outputs Part follows On

the other hand if G and G are not isomorphic then no graph can b e isomorphic to b oth

G and G It follows that no matter how the p ossibly cheating prover constructs G there

exists f g so that G and G are not isomorphic Hence when the verier follows its

program the verier rejects ie outputs with probability at least Part follows

It remains to show that P is indeed p erfect zeroknowledge on GI This is indeed the

dicult part of the entire pro of It is easy to simulate the output of the verier sp ecied

in Construction since its output is identically on inputs in the language GI It is

also not hard to simulate the output of a verier whichfollows the program sp ecied in

Construction except that at termination it output the entire transcript of its interac

tion with P see Exercise The dicult part is to simulate the output of an ecient

verier which deviates arbitrarily from the sp ecied program

We will use here the alternative formulation of p erfect zeroknowledge and showhow

to simulate V s view of the interaction with P forevery probabilistic p olynomialtime

interactive machine V Asmentioned ab ove it is not hard to simulate the veriers view

of the interaction with P in case the verier follows the sp ecied program However we

need to simulate the view of the verier in the general case in which it uses an arbitrary

p olynomialtime interactive program Following is an overview of our simulation ie of

our construction of a simulator M for each V

The simulator M incorp orates the co de of the interactive program V On input

G G the simulator M rst selects at random one of the input graphs ie either

G or G and generates a random isomorphic copy denoted G of this input graph In

doing so the simulator b ehaves dierently from P but the graph generated ie G is

distributed identically to the message sent in step P of the interactiveproofSay that

the simulator has generated G by randomly p ermuting G Then if V asks to see the

isomorphism b etween G and G the simulator can indeed answer correctly and in doing

so it completes a simulation of the veriers view of the interaction with P However

if V asks to see the isomorphism b etween G and G then the simulator which unlike

P do es not know hasnoway to answer correctly and we let it halt with output

We stress that the simulator has no wayofknowing whether V will ask to see an

isomorphism to G or G The p oint is that the simulator can try one of the p ossibilities

at random and if it is lucky which happ ens with probability exactly then it can output

a distribution whichisidentical to the view of V when interacting with P on common

input G G A detailed description of the simulator follows

def

Simulator M On input x G G simulator M pro ceeds as follows

Setting the randomtapeofV Let q denote a p olynomial b ounding the running

q jxj

time of V The simulator M starts by uniformly selecting a string r f g

to b e used as the contents of the randomtap e of V

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

ZEROKNOWLEDGE PROOFS DEFINITIONS

Simulating the provers rst step P The simulator M selects at random with

uniform probability distribution a bit f g and a p ermutation from the set

of p ermutations over the vertex set V It then constructs a graph with vertex set V

and edge set

def

F f uv u v E g

def

Set G V F

Simulating the veriers rst step V The simulator M initiates an execution of

V by placing x on V s commoninputtap e placing r selected in step ab ove on

V s randomtap e and placing G constructed in step ab ove on V s incoming

messagetap e After executing a p olynomial numb er of steps of V the simulator can

read the outgoing message of V denoted To simplify the rest of the description

we normalize by setting if and leave unchanged if

Simulating the provers second step P If then the simulator halts with

output x rG

Failure of the simulation Otherwise ie the simulator halts with output

Using the hyp othesis that V is p olynomialtime it follows that so is the simulator M

It is left to show that M outputs with probabilityatmost and that conditioned

on not outputting the simulators output is distributed as the veriers view in a real

interaction with P The following claim is the key to the pro of of b oth claims

Claim Supp ose that the graphs G and G are isomorphic Let b e a random

variable uniformly distributed in f g and G b e a random variable indep endentof

describing the graph obtained from the graph G by randomly relab ellin g its no des cf

Claim Then for every graph G it holds that

Prob jG G Prob jG G

Claim is identical to Claim used to demonstrate that Construction consti

tutes an interactive pro of for GN I As in the rest of the pro of of Prop osition it follows

that any random pro cess with output in f ggiven G outputs with probability

exactly Hence given G constructed by the simulator in step the veriers program

yields normalized so that with probability exactly We conclude that the simu

lator outputs with probability It remains to prove that conditioned on not outputting

the simulators output is identical to V s view of real interactions Namely

Claim Let x G G GI Then for every string r graph H andpermutation

it holds that

xx rH ProbM xx rH j M x Prob view

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

pro of Let m x describ e M x conditioned on its not b eing We rst observe that b oth

m x and view x are distributed over quadruples of the form x r with uniformly

q jxj

distributed r f g Let x r b e a random variable describing the last two elements

of view x conditioned on the second elementequalsr Similarly let x r describ e the

last two elements of m x conditioned on the second element equals r Clearlyitsuces

to show that x r and x r are identically distributed for every x and r Observe that

once r is xed the message sentby V on common input x randomtap e r and incoming

message H is uniquely dened Let us denote this message by v x rH Weshow that

b oth x r and x r are uniformly distributed over the set

n o

def

C H H G

v xrH

where G denotes the graph obtained from G by relab ellin g the vertices using the p er

mutation ie if G V E then G V F sothatu v E i uv F

The pro of of this statement is rather tedious and unrelated to the sub jects of this b o ok

and hence can b e skipp ed with no damage

The pro of is slightly nontrivial b ecause it relates at least implicitly to the

automorphism group of the graph G ie the set of p ermutations for which

G is identical not just isomorphic to G For simplicity consider rst

the sp ecial case in which the automorphism group of G consists of merely the

identitypermutation ie G G if and only if is the identity p ermuta

tion In this case H C if and only if H is isomorphic to b oth G

and G and is the isomorphism b etween H and G Hence C con

v xrH

tains exactly jV jpairseach containing a dierent graph H as the rst element

In the general case H C if and only if H is isomorphic to b oth G

and G and is an isomorphism b etween H and G We stress that

v xrH

v x rH is the same in all pairs containing H Let autG denotes the size

of the automorphism group of G Then each H isomorphic to G app ears in

exactly autG pairs of C and each such pair contain a dierent isomorphism

between H and G

v xrH

We rst consider the random variable x r describing the sux of m x

Recall that x r is dened by the following two step random pro cess In the

rst step one selects uniformly a pair over the set of pairs f gtimes

permutation and sets H G In the second step one outputs ie sets

x r to G if v x rH and ignores the pair otherwise

Hence eachgraph H isomorphic to G is generated at the rst step by exactly

autG dierent pairs ie the pairs satisfying H G and by

exactly autG dierent pairs ie the pairs satisfying H G

All these autG pairs yield the same graph H and hence lead to the same

value of v x rH It follows that out of the autG pairs yielding

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

ZEROKNOWLEDGE PROOFS DEFINITIONS

the graph H G only the pairs satisfying v x rH lead to an output

Hence for each H which is isomorphic to G the probabilitythatx r

H equals autG jV j Furthermore for each H which is isomorphic to

if H G

v xrH

jV j

Prob x r H

otherwise

Hence x r is uniformly distributed over C

Wenow consider the random variable x r describing the sux of the

veriers view in a real interaction with the prover Recall that x r is

dened by selecting uniformly a p ermutation over the set V and setting

x r G if v x rG and x r G otherwise

where is the isomorphism b etween G and G Clearly for each H whichis

isomorphic to G the probability that x r H equals autG jV j

Furthermore for each H which is isomorphic to G

v xrH

jV j

Prob x r H

otherwise

v xrH

Observing that H G if and only if we conclude

v xrH

that x r and x r are identically distributed

The claim follows

This completes the pro of of Part of the prop osition

ZeroKnowledge wrt Auxiliary Inputs

The denitions of zeroknowledge presented ab ove fall short of what is required in practical

applications and consequently a minor mo dication should b e used We recall that these

denitions guarantee that whatever can b e eciently computed after interaction with the

prover on any common input can b e eciently computed from the input itselfHowever

in typical applications eg when an interactive pro of is used as a subproto col inside a

bigger proto col the verier interacting with the prover on common input xmayhave

some additional apriori information enco ded by a string z whichmay assist it in its

attempts to extract knowledge from the prover This danger may b ecome even more

acute in the likely case in which z is related to xFor example consider the proto col of

Construction and the case where the verier has apriori information concerning an

isomorphism b etween the input graphs What is typically required is that whatever can b e

eciently computed from x and z after interaction with the prover on any common input

x can b e eciently computed from x and z without anyinteraction with the prover This

requirementisformulated b elow using the augmented notion of interactive pro ofs presented in Denition

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

Denition zeroknowledge revisited Let P V beaninteractive proof for a lan

guage L as in Denition Denote by P x the set of strings y satisfying the complete

ness condition with respect to x L ie for every z f g Prob hP y V z ix

We say that P V is zeroknowledge with resp ect to auxiliary input auxiliary input zero

knowledge if for every probabilistic polynomialtime interactive machine V there exists a

probabilistic algorithm M running in time polynomial in the length of its rst input so that

the fol lowing two ensembles arecomputational ly indistinguishable when the distinguishing

gap is considered as a function of jxj

fhP y V z ixg

xLy P xz fg

fM x z g

xLz fg

Namely for every probabilistic algorithm D with runningtime polynomial in length of

the rst input every polynomial p and al l suciently long x Lally P x and

z f g it holds that

jProbD x z hP y V z ix ProbD x z M x z j

pjxj

In the ab ove denition y represents apriori information to the prover whereas z repre

sents apriori information to the verier Both y and z may dep end on the common input

xWe stress that the lo cal inputs ie y and z may not b e known even in part to the

counterpart We also stress that the auxiliary input z is also given to the distinguishing

algorithm whichmay b e thought of as an extension of the verier

Recall that by Denition saying that the interactivemachine V is probabilistic

p olynomialtime means that its runningtime is b ounded by a p olynomial in the length

of the common input Hence the verier program the simulator and the distinguishing

algorithm all run in time p olynomial in the length of x and not in time p olynomial in the

total length of all their inputs This convention is essential in many resp ects For example

having allowed even one of these machines to run in time prop ortional to the length of

the auxiliary input would have collapsed computational zeroknowledge to p erfect zero

knowledge eg by considering veriers which run in time p olynomial in the commoninput

yet havehuge auxiliary inputs of length exp onential in the commoninput

Denition refers to computational zeroknowledge A formulation of p erfect zero

knowledge with resp ect to auxiliary input is straightforward We remark that the p erfect

zeroknowledge pro of for Graph Isomorphism presented in Construction is in fact

p erfect zeroknowledge with resp ect to auxiliary input This fact follows easily by a minor

augmentation to the simulator constructed in the pro of of Prop osition ie when

invoking the verier the simulator should provide it with the auxiliary input whichis

given to the simulator In general a demonstration of zeroknowledge can b e extended

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

ZEROKNOWLEDGE PROOFS DEFINITIONS

to yield zeroknowledge with resp ect to auxiliary input provided that the simulator used

in the original demonstration works byinvoking the veriers program as a blackbox All

simulators presented in this b o ok have this prop erty

Implicit nonuniformity in Denition

The nonuniform nature of Denition is captured by the fact that the simulator gets

an auxiliary input It is true that this auxiliary input is also given to b oth the verier

program and the simulator however if it is suciently long then only the distinguisher

can makeany use of its sux It follows that the simulator guaranteed in Denition

pro duces output that is indistinguishable from the real interactions also by nonuniform

p olynomialsize machines Namelyforevery even nonuniform p olynomialsize circuit

family fC g every p olynomial p and all suciently large ns all x L f g

nNI

all y P x and z f g

jProbC x z hP y V z ix ProbC x z M x z j

n n

pjxj

Following is a sketch of the pro of We assume to the contrary that there exists a p olynomial

size circuit family fC g such that for innitely many ns there exists triples x y z

nNI

for which C has a nonnegligible distinguishing gap We deriveacontradiction by incorp o

rating the description of C together with the auxiliary input z into a longer auxiliary input

denoted z This is done in a waythatboth V and M have no sucient time to reach

the description of C For example let q b e a p olynomial b ounding the runningtime of

b oth V and M aswell as the size of C Then we let z b e the string which results by

padding z with blanks to a total length of q n and app ending the description of the circuit

C at its end ie if jz j qnthenz is a prex of z Clearly M x z M x z

and hP y V z ix hP y V z ix On the other hand by using a circuit evaluat

ing algorithm we get an algorithm D such that D x z C x z and contradiction

follows

Sequential Comp osition of ZeroKnowledge Pro ofs

An intuitive requirement that a denition of zeroknowledge pro ofs must satisfy is that

zeroknowledge pro ofs are closed under sequential comp osition Namely if one executes one

zeroknowledge pro of after another then the comp osed execution must b e zeroknowledge

The same should remain valid even if one executes p olynomially many pro ofs one after

the other Indeed as we will shortly see the revised denition of zeroknowledge ie

Denition satises this requirement Interestingly zeroknowledge pro ofs as dened

in Denition are not closed under sequential comp osition and this fact is indeed another

indication to the necessity of augmenting this denition as done in Denition

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

In addition to its conceptual imp ortance the Sequential Comp osition Lemma is an

imp ortant to ol in the design of zeroknowledge pro of systems Typically these pro of system

consists of many rep etitions of a atomic zeroknowledge pro of Lo osely sp eaking the atomic

pro of provides some but not much statistical evidence to the validity of the claim By

rep eating the atomic pro of suciently many times the condence in the validity of the claim

is increased More precisely the atomic pro of oers a gap b etween the accepting probability

of string in the language and strings outside the language For example in Construction

pairs of isomorphic graphs ie inputs in GI are accepted with probability whereas pairs

of nonisomorphic graphs ie inputs not in GI are accepted with probability at most

By rep eating the atomic pro of the gap b etween the two probabilities is further increased

For example rep eating the pro of of Construction for k times yields a new interactive

pro of in which inputs in GI are still accepted with probability whereas inputs not in GI

The Sequential Comp osition Lemma guarantees are accepted with probabilityatmost

that if the atomic pro of system is zeroknowledge then so is the pro of system resulting by

rep eating the atomic pro of p olynomially many times

Before we state the Sequential Comp osition Lemma we remind the reader that the

zeroknowledge prop ertyofaninteractive pro of is actually a prop erty of the prover Also

the prover is required to b e zeroknowledge only on inputs in the language Finallywe

stress that when talking on zeroknowledge with resp ect to auxiliary input we refer to all

p ossible auxiliary inputs for the verier

Lemma Sequential Comp osition Lemma Let P beaninteractive machine ie

aprover which is zeroknowledge with resp ect to auxiliary input on some language L

Suppose that the last message sent by P oninputxbearsaspecial end of proof symbol

Let Q beapolynomial and let P be an interactive machine that on common input

xproceeds in Qjxj phases each of them consisting of running P on common input x

We stress that in case P is probabilistic the interactive machine P uses independent coin

tosses for each of the Qjxj phases Then P is zeroknow ledge with respect to auxiliary

input on LFurthermore if P is perfect zeroknow ledge with respect to auxiliary input

then so is P

The convention concerning end of pro of is intro duced for technical purp oses and is re

dundant in all known provers for which the numb er of messages sent is easily computed from

the length of the common input Clearlyevery machine P can b e easily mo died so that

its last message b ears an appropriate symb ol as assumed ab ove and doing so preserves

the zeroknowledge prop erties of P as well as completeness and soundness conditions

The Lemma remain valid also if one allows auxiliary input to the prover The extension

is straightforward The lemma ignores other asp ects of rep eating an interactive pro of several

times sp ecically the eect on the gap b etween the accepting probability of inputs inside

and outside of the language This asp ect of rep etition is discussed in the previous section see also Exercise

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

ZEROKNOWLEDGE PROOFS DEFINITIONS

Pro of Let V be an arbitrary probabilistic p olynomialtime interactive machine interacting

with the comp osed prover P Our task is to construct a p olynomialtime simulator

M whichsimulates the real interactions of V with P Following is a very high level

description of the simulation The key idea is to simulate the real interaction on common

input x in Qjxj phases corresp onding to the phases of the op eration of P Each phase

of the op eration of P is simulated using the simulator guaranteed for the atomic prover

P The information accumulated by the verier in each phase is passed to the next phase

using the auxiliary input

The rst step in carryingout the ab ove plan is to partition the execution of an arbitrary

into phases The partition may not exist in the co de of the program interactive machine V

V and yet it can b e imp osed on the executions of this program This is done using the

phase structure of the prescrib ed prover P which is induced by the end of pro of symbols

Hence we claim that no matter how V op erates the interaction of V with P on common

input x can b e captured by Qjxj successiveinteraction of a related machine denoted V

with P Namely

Claim There exists a probabilistic p olynomialtime V so that for every common

input x and auxiliary input z it holds that

Qjxj

hP V z ix Z

def def

i i

where Z z and Z hP V Z ix

Qjxj

Namely Z is a random variable describing the output of V after Qjxj successive

interactions with P on common input x where the auxiliary input of V in the i

th i

interaction equals the output of V after the i interaction ie Z

pro of Consider an interaction of V z with P on common input xMachine V can b e

slightly mo died so that it starts its execution by reading the commoninput the random

input and the auxiliaryinput into sp ecial regions in its worktap e and never accesses the

ab ove readonly tap es again Likewise V is mo died so that it starts eachactive p erio d

by reading the current incoming message from the communicationtap e to a sp ecial region

in the work tap e and never accesses the incoming messagetap e again during this p erio d

Actually the ab ove description should b e mo died so that V copies only a p olynomially

long in the common input prex of each of these tap es the p olynomial b eing the one

b ounding the running time of V

Considering the contents of the worktap e of V at the end of eachoftheQjxj phases

of interactions with P naturally leads us to the construction of V Namely on common

input x and auxiliary input z machine V starts by copying z into the worktap e of V

Next machine V simulates a single phase of the interaction of V with P on input x

starting with the ab ovecontents of the worktap e of V instead of starting with an empty

worktap e The invoked machine V regards the communicationtap es of machine V as

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

its own communicationtap es Finally V terminates by outputting the current contents

of the worktap e of V Actually the ab ove description should b e slightly mo died to

deal dierently with the rst phase in the interaction with P Sp ecically V copies z

into the worktap e of V only if z enco des a contents of the worktap e of V we assume

wlog that the contents of the worktap e of V is enco ded dierently from the enco ding

of an auxiliary input for V In case z enco des an auxiliary input to V machine V

invokes V on an emptyworktap e and V regards the readable tap es of V ie common

inputtap e the randominputtap e and the auxiliaryinputtap e as its own Observe that

def

Z hP V z ix describ es the contents of the worktap e of V after one phase and

def

i i

Z Z ix describ es the contents of the worktap e of V after i phases hP V

The claim follows

Since V is a p olynomialtime interactivemachine with auxiliary input interacting

with P it follows by the lemmas hyp othesis that there exists a probabilistic machine which

simulates these interactions in time p olynomial in the length of the rst input Let M

denote this simulator Wemay assume without loss of generality that with overwhelmingly

high probability M halts with output as we can increase the probability of output by

successive applications of M Furthermore for sake of simplicitywe assume in the rest of

this pro of that M always halts with output Namely for every probabilistic p olynomial

time in x algorithm D every p olynomial p all suciently long x L and all z f g

wehave

jProbD x z hP V z ix ProbD x z M x z j

pjxj

We are now ready to present the construction of a simulator M thatsimulates the

real output of V after interaction with P Machine M uses the ab ove guaranteed

simulator M On input x z machine M sets z z and pro ceeds in Qjxj phases

th i i

In the i phase machine M computes z by running machine M on input x z

Qjxj

After Qjxj phases are completed machine M stops outputting z

Clearly machine M constructed ab ove runs in time p olynomial in its rst input For

nonconstant Q it is crucial here that the runningtime of M is p olynomial in the length

of the rst input rather than b eing p olynomial in the length of b oth inputs It is left

to showthatmachine M indeed pro duces output which is p olynomially indistinguishabl e

from the output of V after interacting with P Namely

Claim For every probabilistic algorithm D with runningtime p olynomial in its rst

input every p olynomial p all suciently long x L and all z f g wehave

jProbD x z hP V z ix ProbD x z M x z j

pjxj

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

ZEROKNOWLEDGE PROOFS DEFINITIONS

pro of sketchWeuseahybrid argument In particular we dene the following Qjxj

hybrids The i hybrid i Qjxj corresp onds to the following random pro cess We

rst let V interact with P for i phases starting with common input x and auxiliary input

i th

z and denote by Z the output of V after the i phase We next rep eatedly iterate M

for the remaining Qm k phases In b oth cases we use the output of the previous phase

as auxiliary input to the new phase Formally the hybrid H is dened as follows

def

i i

H x z M x Z

Qmi

def def

j j

where Z z and Z hP V Z ix

def def

M x z x z and M x z M x M x z

j j

th Qjxj

Using Claim the Qjxj hybrid ie H x z equals hP V z ix On the

other hand recalling the construction of M we see that the zero hybrid ie H x z

equals M x z Hence all that is required to complete the pro of is to show that every two

adjacenthybrids are p olynomially indistinguishabl e as this would imply that the extreme

Qm th

hybrids H and H are indistinguishabl e to o To this end we rewrite the i and

i hybrids as follows

i i

H x z M x hP V Z ix

Qjxji

i i

H x z M x M x Z

Qjxji

where Z is as dened ab ove in the denition of the hybrids

Using an averaging argument it follows that if an algorithm D distinguishes the hy

i i

brids H x z and H x z then there exists a z so that algorithm D distinguishes

the random variables M x hP V z ix and M x M x z at least as

Qjxji Qjxji

well Incorp orating algorithm M into D we get a new algorithm D with running time

p olynomially related to the former algorithms which distinguishes the random variables

x z hP V z ix and x z M x z at least as well Further details are presented

b elow Contradiction to the hyp othesis that M simulates P V follows

The lemma follows

Further details concerning the pro of of Claim The pro of of Claim is

rather sketchy The main thing which is missing are details concerning the way in which

an algorithm contradicting the hyp othesis that M is a simulator for P V is derived

from an algorithm contradicting the statement of Claim These details are presented

b elow and the reader is encouraged not to skip them

Let us start with the nonproblematic part We assume to the contradiction that

there exists a probabilistic p olynomialtime algorithm D and a p olynomial p so that

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

for innitely many x L there exists z f g such that

jProbD x z hP V z ix ProbD x z M x z j

pjxj

It follows that for every such x and z there exists an i f Qjxjg such that

i i

jProbD x z H x z ProbD x z H x z j

Qjxj pjxj

def

th st

Denote n Qn pn Combining the denition of the i and i hybrids with

an averaging argument it follows that for each such x z and i there exists a z in the

supp ort of Z dened as ab ove such that

jProbD x z M hP V z ix

Qjxji

M x z j jxj ProbD x z M

Qjxji

This almost leads to the desired contradiction Namely the random variables x z hP V z ix

and x z M x z can b e distinguished using algorithms D and M provided we

know i The problem is resolved using the fact p ointed out at the end of Subsection

that the output of M is undistinguished from the interactions of V with the prover even

with resp ect to nonuniform p olynomialsize circuits Details follow

We construct a p olynomialsize circuit family denoted fC g which distinguishes x z hP V z ix

and x z M x z for the ab ovementioned x z pairs On input x supp osedly

in L f g and supp osedly in either x z hP V z ix or x z M x z

the circuit C incorp orating the ab ovementioned i uses algorithm M to compute

M x Next C using algorithm D computes D x z and halts

Qjxji

outputting Contradiction to the hyp othesis that M is a simulator for P V fol

lows

And what ab out parallel comp osition

Unfortunatelywe cannot prove that zeroknowledge even with resp ect to auxiliary input

is preserved under parallel comp osition Furthermore there exist zeroknowledge pro ofs

that when played twice in parallel do yield knowledge to a cheating verier For further

details see Subsection

The fact that zeroknowledge is not preserved under parallel comp osition of proto cols

is indeed bad news One mayeven think that this fact is a conceptually annoying phe

nomenon We disagree with this feeling Our feeling is that the b ehaviour of proto cols

and games under parallel comp osition is in general ie not only in the context of zero

knowledge a much more complex issue than the b ehaviour under sequential comp osition

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

ZEROKNOWLEDGE PROOFS FOR NP

Furthermore the only advantage of parallel comp osition over sequential comp osition is in

eciency Hence we dont consider the nonclosure under parallel comp osition to b e a

conceptual weakness of the formulation of zeroknowledge Yet the nonclosure of zero

knowledge motivates the search for either weaker or stronger notions which are preserved

under parallel comp osition For further details the reader is referred to Sections and

ZeroKnowledge Pro ofs for NP

This section presents the main thrust of the entire chapter namely a metho d for construct

ing zeroknowledge pro ofs for every language in NP The imp ortance of this metho d stems

from its generality which is the key to its many applications Sp ecicallywe observe that

almost all statements one wish to prove in practice can b e enco ded as claims concerning

memb ership in languages in NP

The metho d for constructing zeroknowledge pro ofs for NPlanguages makes essential

use of the concept of bit commitmentHencewe start with a presentation of this concept

CommitmentSchemes

Commitmentschemes are a basic ingredient in many cryptographic proto cols The are used

to enable a party to commit itself to a value while keeping it secret In a latter stage the

commitment is op ened and it is guaranteed that the op ening can yield only a single

value determined in the committing phase Commitmentschemes are the digital analogue

of nontransparent sealed envelop es By putting a note in suchanenvelop e a party commits

itself to the contents of the note while keeping it secret

Denition

Lo osely sp eaking a commitmentscheme is an ecient twophase twoparty proto col through

which one partycalledthesender can commit itself to a value so the following twocon

icting requirements are satised

SecrecyAt the end of the rst phase the other party called the receiverdoesnot

gain any knowledge of the senders value This requirement has to b e satised even if

the receiver tries to cheat

UnambiguityGiven the transcript of the interaction in the rst phase there exists

at most one value which the receiver may later ie in the second phase accept as a

legal op ening of the commitment This requirement has to b e satised even if the

sender tries to cheat

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

In addition one should require that the proto col is viable in the sense that if b oth parties

follow it then at the end of the second phase the receiver gets the value committed to

by the sender The rst phase is called the commit phase and the second phase is called

the reveal phase We are requiring that the commit phase yield no knowledge at least

not of the senders value to the receiver whereas the commit phase do es commit the

sender to a unique value in the sense that in the reveal phase the receiver may accept only

this value We stress that the proto col is ecient in the sense that the predetermined

programs of b oth parties can b e implemented in probabilistic p olynomialtime Without

loss of generality the reveal phase may consist of merely letting the sender send to the

receiver the original value and the sequence of random coin tosses that it has used during

the commit phase The receiver will accept the value if and only if the supplied information

matches its transcript of the interaction in the commit phase The latter convention leads

to the following denition which refers explicitly only to the commit phase

Denition bit commitmentschemeAbit commitment scheme is a pair of prob

abilistic polynomialtime interactive machines denoted S R for sender and receiver

satisfying

Input Sp ecication The common input is an integer n presented in unary serving

as the security parameter The private input to the sender is a bit v

Secrecy The receiver even when deviating arbitrarily from the protocol cannot dis

tinguish a commitment to from a commitment to Namely for every probabilis

tic polynomialtime machine R interacting with S the random variables describing

n n

the output of R in the two cases namely hS R i and hS R i are

polynomial lyindistinguishable

Unambiguity

Preliminaries

A receivers view of an interaction with the sender denoted r mconsists of

the random coins usedbythereceiver r and the sequence of messages received

from the sender m

misa Let f g We say that a receivers view of such interaction r

p ossible commitment if there exists a string s such that m describes the messages

receivedby R when R uses local coins r and interacts with machine S which uses

local coins s and has input Using the notation of Denition the

S s

condition may be expressedas m view

R r

m is ambiguous if it is both a possible We say that the receivers view r

commitment and a possible commitment

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

ZEROKNOWLEDGE PROOFS FOR NP

The unambiguity requirement asserts that for al l but a negligible fraction of the coin

tosses of the receiver there exists no sequence of messages from the sender which

together with these coin tosses forms an ambiguous receiver view Namely that for

polyn

al l but a negligible fraction of the r f g thereisnom such that r m is

ambiguous

The secrecy requirement ab ove is analogous to the denition of indistinguishabi l ity of en

cryptions ie Denition missingencindistdef An equivalent formulation analo

gous to semantic security ie Denition missingencsemantdef can b e presented

but is less useful in typical applications of commitmentschemes In any case the secrecy re

quirement is a computational one On the other hand the unambiguity requirement has an

information theoretic avour ie it do es not refer to computational p owers A dual def

inition requiring information theoretic secrecy and computational unfeasibility of creating

ambiguities is presented in Subsection

The secrecy requirement refers explicitly to the situation at the end of the commit phase

On the other hand we stress that the unambiguity requirement implicitly assumes that the

reveal phase takes the following form

the sender sends to the receiver its initial private input v and the random coins s

it has used in the commit phase

the receiver veries that v and s together with the coins r usedby R in the commit

phase indeed yield the messages that R has received in the commit phase Verication

is done in p olynomialtime by running the programs S and R

Note that the viability requirement ie asserting that if b oth parties follow the proto col

then at the end of the reveal phase the receiver gets v is implicitl y satised by the ab ove

convention

Construction based on anyonewaypermutation

Some publickey encryption scheme can b e used as a commitmentscheme This can b e

done byhaving the sender generate a pair of keys and use the publickey together with the

encryption of a value as its commitment to the value In order to satisfy the unambiguity

requirement the underlying publickey scheme needs to satisfy additional requirements eg

the set of legitimate publickeys should b e eciently recognizable In any case public

key encryption schemes have additional prop erties not required of commitmentschemes

and their existence seems to require stronger intractability assumptions An alternative

construction presented b elow uses any onewaypermutation Sp ecicallywe use a one

way p ermutation denoted f and a hardcore predicate for it denoted b see Section

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

Construction simple bit commitment Let f f g f g be a function and

b f g f g bea predicate

commit phase Tocommit to value v f g using security parameter n the sender

uniformly selects s f g and sends the pair f sbs v to the receiver

reveal phase In the reveal phase the sender reveals the string s used in the commit

phase The receiver accepts the value v if f s and bs v where is

the receivers view of the commit phase

f g be a length preserving oneway function Prop osition Let f f g

and b f g f g be a hardcorepredicate of f Then the protocol presentedin

Construction constitutes a bit commitment scheme

Pro of The secrecy requirement follows directly from the fact that b is a hardcore of f

The unambiguity requirement follows from the prop ertyof f In fact there exists no

ambiguous receiver view Namely for each receiver view there is a unique s f g

so that f s and hence a unique v f g so that bs v

Construction based on anyoneway function

Wenow present a construction of a bit commitmentscheme which is based on the weakest

assumption p ossible the existence of oneway function Proving the that the assumption is

indeed minimal is left as an exercise ie Exercise On the other hand by the results in

Chapter sp ecically Theorems and the existence of oneway functions imply

the existence of pseudorandom generators expanding nbit strings into nbit strings We

will use such a pseudorandom generator in the construction presented b elow

We start by motivating the construction Let G b e a pseudorandom generator satisfying

jGsj jsj Assume that G has the prop erty that the sets fGss f g g and

n n

fGs s f g g are disjoint were denote the bitbybit exclusiveor of the

strings and Then the sender may commit itself to the bit v by uniformly selecting

n n k

s f g and sending the message Gs v v denotes the allv s k bit long string

Unfortunately the ab ove assumption cannot b e justied in general and a slightly more

complex variant is required The key observation is that for most strings f g

n n

the sets fGss f g g and fGs s f g g are disjoint Suchastring

is called good This observation suggests the following proto col The receiver uniformly

selects f g hoping that it is go o d and the sender commits to the bit v by uniformly

selecting s f g and sending the message Gsifv and Gs otherwise

Construction bit commitment under general assumptions Let G f g

f g be a function so that jGsj jsj for al l s f g

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

ZEROKNOWLEDGE PROOFS FOR NP

commit phase Toreceive a commitment to a bit using security parameter n the

receiver uniformly selects r f g and sends it to the sender Upon receiving the

message r from the receiver the sender commits to value v f g by uniformly

selecting s f g and sending Gs if v and Gs r otherwise

reveal phase In the reveal phase the sender reveals the string s used in the commit

phase The receiver accepts the value if Gs and the value if Gs r

where r is the receivers view of the commit phase

Prop osition If G is a pseudorandom generator then the protocol presentedinCon

struction constitutes a bit commitment scheme

Pro of The secrecy requirementfollows the fact that G is a pseudorandom generator

Sp ecicallyletU denote the random variable uniformly distributed on strings of length

k Then for every r f g the random variables U and U r are identically dis

n n

tributed Hence if it is feasible to nd an r f g such that GU and GU r

n n

are computationally distinguishable then either U and GU are computationally dis

n n

tinguishable or U r and GU r are computationally distinguishable In either case

n n

contradiction to the pseudorandomness of G follows

Wenow turn to the unambiguity requirement Following the motivating discussion

n n n

we call f g good if the sets fGss f g g and fGs s f g g

are disjoint Wesay that f g yields a col lision between the seeds s and s if

Gs Gs Clearly is go o d if it do es not yield a collision b etween any pair of

seeds On the other hand there is a unique string which yields a collision b etween a

given pair of seeds ie Gs Gs Since there are p ossible pairs of seeds

at most strings yield collisions b etween seeds and all the other nbit long strings are

go o d It follows that with probability at least the receiver selects a go o d string

The unambiguity requirement follows

Extensions

The denition and the constructions of bit commitmentschemes are easily extended to

general commitmentschemes enabling the sender to commit to a string rather than to a

single bit When dening the secrecy of suchschemes the reader is advised to consult

Denition missingencindistdef For the purp oses of the rest of this section we

need a commitmentscheme by which one can commit to a ternary value Extending the

denition and the constructions to deal with this case is even more straightforward

In the rest of this section we will need commitmentschemes with a seemingly stronger

secrecy requirement than dened ab ove Sp ecically instead of requiring secrecy with

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

resp ect to all p olynomialtime machines we will require secrecy with resp ect to all not

necessarily uniform families of p olynomialsize circuits Assuming the existence of non

uniformly oneway functions see Denition in Section commitmentschemes with

nonuniform secrecy can b e constructed following the same constructions used in the uniform

case

ZeroKnowledge pro of of Graph Coloring

Presenting a zeroknowledge pro of system for one NPcomplete language implies the exis

tence of a zeroknowledge pro of system for every language in NP This intuitively app ealing

statement do es require a pro of whichwe p ostp one to a later stage In the current subsec

tion we present a zeroknowledge pro of system for one NPcomplete language sp ecically

Graph ColorabilityThischoice is indeed arbitrary

The language Graph Coloring denoted GC consists of all simple graphs ie no

parallel edges or selflo ops that can b e vertexcolored using colors so that no two adjacent

vertices are given the same color Formally a graph G V E is colorable if there exists

a mapping V f g so that u v forevery u v E

Motivating discussion

The idea underlying the zeroknowledge pro of system for GC is to break the pro of of the

claim that a graph is colorable into p olynomially many pieces arranged in templates so

that each template by itself yields no knowledge and yet all the templates put together

guarantee the validity of the main claim Supp ose that the prover generates such pieces

of information places each of them in a separate sealed and nontransparentenvelop e and

allows the verier to op en and insp ect the pieces participating in one of the templates Then

certainly the verier gains no knowledge in the pro cess yet his condence in the validity

of the claim that the graph is colorable increases A concrete implementation of this

abstract scheme follows

Toprove that the graph G V E is colorable the prover generates a random

coloring of the graph denoted actually a random relab elling of a xed coloring will do

The color of each single vertex constitutes a piece of information concerning the coloring

The set of templates corresp onds to the set of edges ie eachpairuv u v E

constitutes a template to the claim that G is colorable Each single template b eing

merely a random pair of distinct elements in f g yield no knowledge However if all

the templates are OK then the graph must b e colorable Consequently graphs whichare

not colorable must contain at least one bad template and hence are rejected with non

negligible probabilityFollowing is an abstract description of the resulting zeroknowledge

interactive pro of system for GC

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

ZEROKNOWLEDGE PROOFS FOR NP

Common Input A simple graph G V E

Provers rst step Let b e a coloring of G The prover selects a random p er

def

mutation over f g and sets v v for each v V Hence the

prover forms a random relab elling of the coloring The prover sends the verier

a sequence of jV j lo cked and nontransparentboxes so that the v boxcontains the

value v

Veriers rst step The verier uniformly selects an edge u v E and sends it to

the prover

Motivating Remark The verier asks to insp ect the colors of vertices u and v

Provers second step The prover sends to the verier the keys to b oxes u and v

Veriers second step The verier op ens b oxes u and v and accepts if and only if

they contain two dierent elements in f g

Clearly if the input graph is colorable then the prover can cause the verier to accept

always On the other hand if the input graph is not colorable then anycontents placed in

the b oxes must b e invalid on at least one edge and consequently the verier will reject with

probabilityatleastjE j Hence the ab ove proto col exhibits a nonnegligible gap in the

accepting probabilities b etween the case of inputs in GC and inputs not in GC The zero

knowledge prop ertyfollows easily in this abstract setting since one can simulate the real

interaction by placing a random pair of dierent colors in the b oxes indicated by the verier

We stress that this simple argument will not b e p ossible in the digital implementation since

the b oxes are not totally ineected by their contents but are rather eected yet in an

indistinguishabl e manner Finallywe remark that the condence in the validityofthe

claim that the input graph is colorable may b e increased by sequentially applying the

ab ove pro of sucientmany times In fact if the b oxes are p erfect as assumed ab ove then

one can also use parallel rep etitions

The interactive pro of

Wenow turn to the digital implementation of the ab ove abstract proto col In this imple

mentation the b oxes are implemented by a commitmentscheme Namely for eachboxwe

invoke an indep endent execution of the commitmentscheme This will enable us to exe

cute the reveal phase in only some of the commitments a prop erty that is crucial to our

scheme For simplicity of exp osition we use the simple commitmentscheme presented in

Construction or more generallyany oneway interaction commitmentscheme We

denote by C the commitment of the sender using coins s to the ternary value

Construction A zeroknowledge pro of for Graph Coloring

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

def

Common Input A simple colorable graph G V ELet n jV j and V

f ng

Auxiliary Input to the Prover Acoloring of G denoted

Provers rst step P The prover selects a random permutation overf g

def

and sets v v for each v V Theprover uses the commitment scheme

to commit itself to the color of each of the vertices Namely the prover uniformly and

independently selects s s f g computes c C i for each i V and

n i s

sends c c to the verier

Veriers rst step V The verier uniformly selects an edge u v E and sends

it to the prover

Motivating Remark The verier asks to inspect the colors of vertices u and v

Provers second step P Without loss of generality we may assume that the message

received for the verier is an edge denoted u v Otherwise the prover sets u v to

be some predeterminededge of G The prover uses the reveal phase of the commitment

scheme in order to reveal the colors of vertices u and v to the verier Namely the

prover sends s u and s v to the verier

u v

Veriers second step V The verier checks whether the values corresponding to

commitments u and v wererevealedcorrectly and whether these values aredierent

Namely upon receiving s and s the verier checks whether c C

u s

c C and and both in f g If al l conditions hold then the verier

v s

accepts Otherwise it rejects

Let us denote the above provers program by P

We stress that b oth the programs of the verier and of the prover can b e implemented in

probabilistic p olynomialtime In case of the provers program this prop erty is made p ossible

by the use of the auxiliary input to the prover As we will shortly see the ab ove proto col

constitutes a weak interactive pro of for GC As usual the condence can b e increased

ie the error probability can b e decreased by suciently many successive applications

However the mere existence of an interactive pro of for GC is obvious since GC

NP The punchline is that the ab ove proto col is zeroknowledge also with resp ect to

auxiliary input Using the Sequential Comp osition Lemma Lemma it follows that

also p olynomially many sequential applications of this proto col preserve the zeroknowledge

prop erty

Prop osition Suppose that the commitment scheme used in Construction satis

es the nonuniform secrecy and the unambiguity requirements Then Construction

constitutes an auxiliary input zeroknow ledge generalized interactive proof for GC

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

ZEROKNOWLEDGE PROOFS FOR NP

For further discussion of Construction see remarks at the end of the current subsection

Pro of of Prop osition

Werstprove that Construction constitutes a weak interactive pro of for GC Assume

rst that the input graph is indeed colorable Then if the prover follows the program in

the construction then the verier will always accept ie accept with probability On

the other hand if the input graph is not colorable then no matter what the prover

do es the n commitments sent in Step P cannot corresp ond to a coloring of the

graph since such coloring do es not exists We stress that the unique corresp ondence

of commitments to values is guaranteed by the unambiguity prop erty of the commitment

scheme It follows that there mustexistsanedgeu v E so that c and c sent in step

u v

P are not commitments to two dierent elements of f g Hence no matter how

the prover b ehaves the verier will reject with probability at least jE j Hence there is

a nonnegligible in the input length gap b etween the accepting probabilities in case the

input is in GC and in case it is not

Wenow turn to show that P the prover in Construction is indeed zero

knowledge for GC The claim is proven without reference to auxiliary input to the

verier yet extending the argument to auxiliary input zeroknowledge is straightforward

Again we will use the alternative formulation of zeroknowledge ie Denition

and showhowtosimulate V s view of the interaction with P forevery probabilistic

p olynomialtime interactivemachine V As in the case of the Graph Isomorphism pro of

system ie Construction it is quite easy to simulate the veriers view of the in

teraction with P providedthatthe verier follows the sp ecied program However we

need to simulate the view of the verier in the general case in which it uses an arbitrary

p olynomialtime interactive program Following is an overview of our simulation ie of

our construction of a simulator M for an arbitrary V

The simulator M incorp orates the co de of the interactive program V On input a

graph G V E the simulator M not having access to a coloring of G rst uniformly

and indep endently selects n values e e f g and constructs a commitmentto

each of them These e s constitute a pseudocoloring of the graph in which the endp oints

of each edge are colored dierently with probability In doing so the simulator b ehaves

very dierently from P but nevertheless the sequence of commitments so generated is

computationally indistinguishabl e from the sequence of commitments to a valid coloring

sentby P in step P If V when given the commitments generated by the simulator

asks to insp ect an edge u v sothat e e then the simulator can indeed answer correctly

u v

and doing so it completes a simulation of the veriers view of the interaction with P

However if V asks to insp ect an edge u v so that e e then the simulator has no way

u v

to answer correctly and we let it halt with output Westressthatwe dont assume that

the simulator apriori knows which edge the verier V will ask to insp ect The validity

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

of the simulator stems from a dierent source If the veriers request were oblivious of the

provers commitment then with probability the verier would have asked to insp ect an

edge which is prop erly colored Using the secrecy prop erty of the commitmentscheme it

follows that the veriers request is almost oblivious of the values in the commitments

The zeroknowledge claim follows yet with some eort Further detail follow We start

with a detailed description of the simulator

Simulator M On input a graph G V E the simulator M pro ceeds as follows

Setting the random tapeofV Letq denote a p olynomial b ounding the running

q jxj

time of V The simulator M starts by uniformly selecting a string r f g

to b e used as the contents of the lo cal random tap e of V

Simulating the provers rst step P The simulator M uniformly and indep en

dently selects n values e e f g and n random strings s s f g

n n

to b e used for committing to these values The simulator computes for each i V a

commitment d C e

i s i

Simulating the veriers rst step V The simulator M initiates an execution of

V by placing G on V s common input tap e placing r selected in step ab ove

on V s lo cal random tap e and placing the sequence d d constructed in step

ab ove on V s incoming message tap e After executing a p olynomial number

of steps of V the simulator can read the outgoing message of V denoted m Again

we assume without loss of generality that m E and let u v m Actually m E

is treated as in step P in P namelyu v is set to b e some predetermined edge

of G

Simulating the provers second step P If e e then the simulator halts with

u v

output G r d d s e s e

n u u v v

Failure of the simulation Otherwise ie e e the simulator halts with output

u v

Using the hyp othesis that V is p olynomialtime it follows that so is the simulator M

It is left to show that M outputs with probabilityatmost and that conditioned

on not outputting the simulators output is computationally indistinguishable from the

veriers view in a real interaction with P The prop osition will followby running the

ab ovesimulator n times and outputting the rst output dierent from Wenow turn to

prove the ab ovetwo claims

Claim For every suciently large graph G V E the probability that M G

is b ounded ab oveby

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

ZEROKNOWLEDGE PROOFS FOR NP

pro of As ab ove n will denote the cardinality of the vertex set of G Let us denote by

p G r e e the probabilitytaken over all the choices of the s s f g

uv n n

that V on input G random coins r and prover message C e C e replies with

s s n

the message u v We assume for simplicity that V always answers with an edge of G

since otherwise its message is anyhow treated as if it were an edge of G We rst claim

q n

that for every suciently large graph G V E every r f g every edge u v E

and every two sequences f g it holds that

jp G r p G rj

uv uv

jE j

Actuallywe can prove the following

Request Obliviousness SubclaimFor every p olynomial p every suciently large graph

q n

G V Eevery r f g every edge u v E and every two sequences

f g it holds that

jp G r p G rj

uv uv

The Request Obliviousness Sub claim is proven using the nonuniform secrecy of the com

mitmentscheme The reader should b e able to llup the details of such a pro of at this

stage Nevertheless a pro of of the sub claim follows

Proof of the Request Obliviousness Subclaim Assume on the contrary that there

exists a p olynomial p and an innite sequence of integers such that for each

integer n in the sequence there exists an nvertices graph G V E

n n n

q n

a string r f g an edge u v E and two sequences

n n n n n n

f g so that

jp G r p G r j

u v n n n u v n n n

n n n n

We construct a circuit family fA gby letting A incorp orate the interactive

n n

machine V the graph G and r u v all b eing as in the contradic

n n n n n n

tion hyp othesis On input y supp osedly a commitment to either or

n n

circuit A runs V on input G coins r and provers message y and out

n n n

puts if and only if V replies with u v Clearly fA g is a nonuniform

n n n

family of p olynomialsize circuits The key observation is that A distinguishes

commitments to from commitments to since

n n

ProbA C p G r

n U u v n n

n n

where U denotes as usual a random variable uniformly distributed over f g

Contradiction to the nonuniform secrecy of the commitmentscheme follows by

a standard hybrid argument which relates the indistinguishabi li ty of sequences

to the indistinguish abil ity of single commitments

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

Returning to the pro of of Claim wenow use the ab ove sub claim to upp er b ound

the probability that the simulator outputs The intuition is simple Since the requests

of V are almost oblivious of the values to which the simulator has committed itself it is

unlikely that V will request to insp ect an illegally colored edge more often than if he would

have made the request without lo oking at the commitment A formal but straightforward

analysis follows

Let M G denote the output of machine M on input G conditioned on the event

that it cho oses the string r in step We remind the reader that M G only in

case the verier on input G random tap e r and a commitment to some pseudocoloring

e e asks to insp ect an edge u v which is illegally colored ie e e Let

n u v

E denote the set of edges u v E that are illegally colored ie satisfy e e

u v

e e

with resp ect to e e Then xing an arbitrary r and considering all p ossible choices

of e e f g

X X

p G r G e ProbM

efg uv E

e denotes the probability that the verier asks to insp ect u v when Recall that p G r

given a sequence of random commitments to the values e Dene B to b e the set of n

n n

tuples e e f g satisfying e e Clearly jB j By straightforward

n u v uv

calculation weget

X X

p G r e G ProbM

uv E

jB j p G r

uv uv

jE j

uv E

p G r

uv E

The claim follows

For simplicitywe assume in the sequel that on common input G GC the prover gets

the lexicographical ly rst coloring of G as auxiliary input This enables us to omit the

auxiliary input to P whichisnow implicit in the common input from the notation

The argument is easily extended to the general case where P gets an arbitrary coloring

of G as auxiliary input

Claim The ensemble consisting of the output of M on input G V E GC

conditioned on it not b eing is computationally indistinguishable from the ensemble

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

ZEROKNOWLEDGE PROOFS FOR NP

Gg Namelyforevery probabilistic p olynomialtime algorithm Aevery fview

GGC

p olynomial p and all suciently large graph G V E

jProbAM G jM G ProbAview G j

pjV j

We stress that these ensembles are very dierent ie the statistical distance b etween them

is very close to the maximum p ossible and yet they are computationally indistinguishable

Actuallywe can prove that these ensembles are indistinguishabl e also by nonuniform

families of p olynomialsize circuits In rst glance it seems that Claim follows easily

from the secrecy prop erty of the commitmentscheme Indeed Claim is proven

using the secrecy prop erty of the commitmentscheme yet the pro of is more complex than

one anticipates at rst glance The diculty lies in the fact that the ab oveensembles

consist not only of commitments to values but also of an op ening of some of the values

Furthermore the choice of which commitments are to b e op ened dep ends on the entire

sequence of commitments

pro of Given a graph G V E we dene for each edge u v E two random variables

describing resp ectively the output of M and the view of V in a real interaction in case

the verier asked to insp ect the edge u v Sp ecically

G describ es M G conditioned on M Gcontaining the reveal information

for vertices u and v

P P

GC GC

G describ es view G conditioned on view Gcontaining the reveal

V V

information for vertices u and v

Let p G denote the probability that M Gcontains reveal information for vertices

u and v conditioned on M G Similarlyletq G denote the probability that

G contains reveal information for vertices u and v view

Assume in the contrary to the claim that the ensembles mentioned in the claim are

computationally distinguishable Then one of the following cases must o ccur

Case There is a noticeable dierence b etween the probabilistic prole of the requests

of V when interacting with PGC and the requests of V when invoked by M

Formally there exists a p olynomial p and an innite sequence of integers such that

for eachinteger n in the sequence there exists an nvertices graph G V E

n n n

and an edge u v E so that

n n n

jp G q G j

u v n u v n

n n n n

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

Case An algorithm distinguishing the ab oveensembles do es so also conditioned on

V asking for a particular edge Furthermore this request o ccurs with noticeable

probability which is ab out the same in b oth ensembles Formally there exists a

probabilistic p olynomialtime algorithm A a p olynomial p and an innite sequence

of integers such that for eachinteger n in the sequence there exists an nvertices

graph G V E and an edge u v E so that the following conditions hold

n n n n n n

G q

n u v

n n

jp G q G j

u v n u v n

n n n n

G j G ProbA jProbA

n n u v u v

n n n n

pjV j

Case can b e immediately discarded since it leads easily to contradiction to the non

uniform secrecy of the commitmentscheme The idea is to use the Request Obliviousness

Sub claim app earing in the pro of of Claim Details are omitted Wearethus left with

Case

Wearenow going to show that also Case leads to contradiction To this end we will

construct a circuit family that will distinguish commitments to dierent sequences of values

Interestingly neither of these sequences will equal the sequence of commitments generated

by either the prover or by the simulator Following is an overview of the construction

The n circuit gets a sequence of n commitments and pro duces from it a sequence of n

commitments part of which is a subsequence of the input When the input sequence to the

circuit is taken from one distribution the circuit generates a subsequence corresp onding to

the sequence of commitments generated by the prover Likewise when the input sequence

to the circuit is taken from the other distribution the circuit will generate a subsequence

corresp onding to the sequence of commitments generated by the simulator We stress that

the circuit do es so without knowing from which distribution the input is taken After

generated an nlong sequence the circuit feeds it to V and dep ending on V s b ehaviour

the circuit may feed part of the sequence to algorithm A mentioned in Case Following

is a detailed description of the circuit family

Let us denote by the lexicographically rst coloring of G used by the prover

n n

We construct a circuit family denoted fA gbyletting A incorp orate the interactive

n n

machine V the distinguishing algorithm A the graph G the coloring and the

n n

edge u v all b eing those guaranteed in Case The input to circuit A will b e a sequence

n n n

of commitments to n values eachin f g The circuit will distinguish commitments

n n n

to a uniformly chosen nlong sequence from commitments to the xed sequence

ie the sequence consisting of n values followed by n values followed by n values

Following is a description of the op eration of A

On input y y y where each y is supp osedly a commitment to an elementof

n i

f g the circuit A pro ceeds as follows n

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

ZEROKNOWLEDGE PROOFS FOR NP

A rst selects uniformly a p ermutation over f g and computes i i

n n

for each i V

For each i V fu v g the circuit sets c y ie c y if i

n n n i i i

inni

c y if i and c y if i Note that each y is used at most

i ni i ni j

once and n of the y s are not used at all

u and c C The circuit uniformly selects s s f g and sets c

n v s u v u

n u n

v C

n s

The circuit initiates an execution of V by placing G on V s common input tap e

q n

placing a uniformly selected r f g on V s lo cal random tap e and placing

the sequence c c constructed ab ove on V s incoming message tap e The

circuit reads the outgoing message of V denoted m

If m u v then the circuit outputs

n n

Otherwise ie m u v the circuit invokes algorithm A and outputs

n n

AG r c c s u s v

n n u n v n

n n

Clearly the size of A is p olynomial in nWenowevaluate the distinguishing abilityof

A Let us rst consider the probability that circuit A outputs on input a random com

n n

n n n

mitment to the sequence The reader can easily verify that the sequence c c

constructed by circuit A is distributed identically to the sequence sentby the prover in

step P Hence letting C denote a random commitment to a sequence f g

weget

n n n

ProbA C q G

n u v n

n n

q G ProbA G

u v n u v n

n n n n

On the other hand we consider the probability that circuit A outputs on input a

random commitment to a uniformly chosen nlong sequence over f g The reader can

easily verify that the sequence c c constructed by circuit A is distributed identically

n n

to the sequence d d generated by the simulator in step conditioned on d d

n u v

n n

Letting T denote a random variable uniformly distributed over f g we get

ProbA C T p G

n n u v n

n n

p G ProbA G

u v n u v n

n n n n

Using the conditions of Case and omitting G from the notation we get

n n n

jProbA C ProbA C T j

n n n

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

q jProbA ProbA j jp q j

u v u v u v u v u v

n n n n n n n n n n

pn pn pn

n n n

Hence the circuit family fA g distinguishes commitments to f g from commitments

to fT gCombining an averaging argument with a hybrid argument we conclude that there

exists a p olynomialsize circuit family which distinguishes commitments This contradicts

the nonuniform secrecy of the commitmentscheme

Having reached contradiction in b oth cases Claim

Combining Claims and the zeroknowledge prop ertyofP follows This

completes the pro of of the prop osition

Concluding remarks

Construction has b een presented using a unidirectional commitmentscheme A funda

mental prop ertyofsuchschemes is that their secrecy is preserved also in case p olynomi

ally many instances are invoked simultaneously The pro of of Prop osition indeed to ok

advantage on this prop ertyWe remark that Construction also p ossesses this simulta

neous secrecy prop erty and hence the pro of of Prop osition can b e carried out also if

the commitmentscheme in used is the one of Construction see Exercise We recall

that this latter construction constitutes a commitmentscheme if and only if suchschemes

exist at all since Construction is based on any oneway function and the existence of

oneway functions is implied by the existence of commitmentschemes

Prop osition assumes the existence of a nonuniformly secure commitmentscheme

The pro of of the prop osition makes essential use of the nonuniform securityby incorp o

rating instances on which the zeroknowledge prop erty fails into circuits which contradict

the securityhyp othesis We stress that the sequence of bad instances is not necessar

ily constructible by ecient uniform machines Put in other words the zeroknowledge

requirement has some nonuniform avour A uniform analogue of zeroknow ledge would

require only that it is infeasible to nd instances on whichaverier gains knowledge and

not that such instances do not exist at all Using a uniformly secure commitmentscheme

Construction can b e shown to b e uniformly zeroknowledge

By itself Construction has little practical value since it oers very mo derate accep

tance gap b etween inputs inside and outside of the language Yet rep eating the proto col

on common input G V E for k jE j times and letting the verier accept only if all

iterations are accepting yields an interactive pro of for GC with error probability b ounded

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

ZEROKNOWLEDGE PROOFS FOR NP

by e where e is the natural logarithm base Namely on common input G GC

the verier always accepts whereas on common input G GC the verier accepts with

probability b ounded ab oveby e no matter what the prover do es We stress that by

virtue of the Sequential Comp osition Lemma Lemma if these iterations are p er

formed sequentially then the resulting strong interactive pro of is zeroknowledge as well

Setting k to b e any sup erlogarithmic function of jGj eg k jGj the error probabilityof

the resulting interactive pro of is negligible We remark that it is unlikely that one can prove

an analogous statement with resp ect to the interactive pro of which results by p erforming

these iteration in parallel See Section

An imp ortant prop erty of Construction is that the prescrib ed prover ie P

can b e implemented in probabilistic p olynomialtime provided that it is given as auxiliary

input a coloring of the common input graph As we shall see this prop ertyisessential to

the applications of Construction to the design of cryptographic proto cols

As admitted in the b eginning of the current subsection the choice of GC as a boot

strapping NPcomplete language is totally arbitrary It is quite easy to design analogous

zeroknowledge pro ofs for other p opular NPcomplete languages Such constructions will

use the same underlying ideas as those presentedinthemotivating discussion

The General Result and Some Applications

The theoretical and practical imp ortance of a zeroknowledge pro of for Graph Coloring

eg Construction follows from the fact that it can b e applied to prove in zero

knowledge any statementhaving a short pro of that can b e eciently veried More pre

cisely a zeroknowledge pro of system for a sp ecic NPcomplete language eg Construc

tion can b e used to present zeroknowledge pro of systems for every language in NP

Before presenting zeroknowledge pro of systems for every language in NP let us recall

some conventions and facts concerning NPWe rst recall that every language L NP is

characterized by a binary relation R satisfying the following prop erties

There exists a p olynomial p such that for every x y R it holds jy j pjxj

There exists a p olynomialtime algorithm for deciding memb ership in R

L fx w st x w Rg

Actually each language in NP can b e characterized by innitely many such relations

Yet for each L NP we x and consider one characterizing relation denoted R Sec

ondly since GC is NPcomplete we know that L is p olynomialtime reducible ie Karp

reducible to GC Namely there exists a p olynomialtime computable function f such

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

that x L if and only if f x GC Thirdlywe observe that the standard reduction of

L to GC denoted f has the following additional prop erty

There exists a p olynomialtime computable function denoted g such that for

every x w R it holds that g w is a coloring of f x

L L L

We stress that the ab ove additional prop erty is not required by the standard denition

of a Karpreduction Yet it can b e easily veried that the standard reduction f ie

the comp osition of the generic reduction of L to SAT the standard reductions of SAT to

SAT and the standard reduction of SAT to GC doeshave such a corresp onding g

See Exercise Using these conventions we are ready to reduce the construction of

zeroknowledge pro of for NP to a zeroknowledge pro of system for GC

Construction A zeroknowledge pro of for a language L NP

Common Input A string x supposedly in L

Auxiliary Input to the Prover A witness w for the membership of x L ie a

string w such that x w R

def def

Lo cal precomputation Each party computes G f x The prover computes

g w

Invoking a zeroknowledge pro of for GC The parties invoke a zeroknow ledge proof

on common input GTheprover enters this proof with auxiliary input

Prop osition Suppose that the subprotocol used in the last step of Construction is

indeed an auxiliary input zeroknow ledge proof for GC Then Construction constitutes

an auxiliary input zeroknow ledge proof for L

Pro of The fact that Construction constitutes an interactive pro of for L is immediate

from the validity of the reduction and the fact that it uses an interactive pro of for GC

In rst glance it seems that the zeroknowledge prop erty of Construction follows as

immediately There is however a minor issue that one should not ignore The verier in

the zeroknowledge pro of for GC invoked in Construction p ossesses not only the

common input graph G but also the original common input x whichreducestoG This

extra information mighthave help ed this verier to extract knowledge in the GC interactive

pro of if it were not the case that this pro of system is zeroknowledge also with resp ect to

auxiliary input can b e dealt with using auxiliary input to the verier in Details follow

Supp ose weneedtosimulate the interaction of a machine V with the prover on common

input x Without loss of generalitywemay assume that machine V invokes an interactive

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

ZEROKNOWLEDGE PROOFS FOR NP

machine V whichinteracts with the prover of the GC interactive pro of on common input

G f x and having auxiliary input x Using the hyp othesis that the GC interactive

pro of is auxiliary input zeroknowledge it follows that there exists a simulator M that

on input G xsimulates the interaction of V with the GC prover on common input

G and veriers auxiliary input x Hence the simulator for Construction denoted

def

M op erates as follows On input x the simulator M computes G f x and outputs

M G x The prop osition follows

We remark that an alternativeway of resolving the minor diculty addressed ab oveis

to observe that the function f ie the one induced by the standard reductions can b e

inverted in p olynomialtime see Exercise In anycasewe immediately get

Theorem Suppose that there exists a commitment scheme satisfying the nonuni

form secrecy and the unambiguity requirements Then every language in NP has an aux

iliary input zeroknow ledge proof system Furthermore the prescribedprover in this system

can be implementedinprobabilistic polynomialtime provided it gets the corresponding NP

witness as auxiliary input

We remind the reader that the condition of the theorem is satised if and only if there ex

ists nonuniformly oneway functions See Theorem asserting that oneway functions

imply pseudorandom generators Prop osition asserting that pseudorandom genera

tors imply commitmentschemes and Exercise asserting that commitmentschemes

imply oneway functions

An Example Proving prop erties of secrets

Atypical application of Theorem is to enable one partytoprovesomepropertyof

its secrets without revealing the secrets For concreteness consider a party denoted S

sending encrypted messages over a public channel to various parties denoted R R

and wishing to prove to some other party denoted V that all the corresp onding plaintext

messages are identical Further supp ose that the messages are sent to the receivers ie the

R s using a secure publickey encryption scheme and let E denote the probabilistic

i i

encryption employed when sending a message to R NamelytosendmessageM to R the

i i i

sender uniformly cho oses r f g computes the encryption E r M and transmits it

i i i i

over the public channel In order to prove that C E r Mand C E r Mboth

encrypt the same message it suces to reveal r r and M However doing so reveals the

message M to the verier Instead one can prove in zeroknowledge that there exists r

r and M such that C E r M and C E r M The existence of such a zero

knowledge pro of follows from Theorem and the fact that the statementtobeproven

is of NPtyp e Formallywe dene a language

def

L fC C r r M st C E r Mand C E r Mg

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

Clearly the language L is in NP and hence Theorem can b e applied Additional

examples are presented in Exercise

ZeroKnowledge for any language in IP

Interestingly the result of Theorem can b e extended to the maximum in the sense

that under the same conditions every language having an interactive pro of system also has

a zeroknowledge pro of system Namely

Theorem Suppose that there exists a commitment scheme satisfying the nonuni

form secrecy and unambiguity requirements Then every language in IP has a zero

know ledge proof system

We b elieve that this extension do es not havemuch practical signicance Theorem

is proven by rst converting the interactive pro of for L into one in which the verier uses

only public coins ie an ArthurMerlin pro of see Chapter Next the veriers

coin tosses are forced to b e almost unbiased by using a coin tossing proto cols see section

Finally the provers replies are sent using a commitmentscheme At the end

of the interaction the prover proves in zeroknowledge that the original verier would have

accepted the hidden transcript this is an NPstatement

Eciency Considerations

When presenting zeroknowledge pro of systems for every language in NPwe made no

attempt to present the most ecient construction p ossible Our main concern was to

present a pro of which is as simple to explain as p ossible However once weknow that

zeroknowledge pro ofs for NP exist it is natural to ask how ecient can they b e

In order to establish common grounds for comparing zeroknowledge pro ofs wehaveto

sp ecify a desired measure of error probability for these pro ofs An instructivechoice used

in the sequel is to consider the complexity of zeroknowledge pro ofs with error probability

where k is a parameter that may dep end on the length of the common input Another

issue to b ear in mind when comparing zeroknowledge pro of is under what assumptions if

at all are they valid Throughout this entire subsection we stick to the assumption used

so far ie the existence of oneway functions

Standard eciency measures Natural and standard eciency measures to consider are

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

ZEROKNOWLEDGE PROOFS FOR NP

The communication complexity of the proof The most imp ortant communication

measure is the round complexity ie the numb er of message exchanges The total

number of bits exchanged in the interaction is also an imp ortant consideration

The computational complexity of the proof Sp ecically the numb er of elementary

steps taken byeach of the parties

Communication complexity seems more imp ortant than computational complexityaslong

as the tradeo b etween them is reasonable

To demonstrate these measures we consider the zeroknowledge pro of for GC presented

in Construction Recall that this pro of system has very mo derate acceptance gap

sp ecically jE j on common input graph G V E So Construction has to b e

applied sequentially k jE j in order to result in a zeroknowledge pro of with error probability

e where e is the natural logarithm base Hence the round complexityofthe

resulting zeroknowledge pro of is O k jE j the bit complexityisO k jE j jV j and the

computational complexityisO k jE jp olyjV j where the p olynomial p oly dep ends on

the commitmentscheme in use

Much more ecient zeroknowledge pro of systems may b e custommade for sp ecic

languages in NPFurthermore even if one adopts the approach of reducing the construction

of zeroknowledge pro of systems for NP languages to the construction of a zeroknowledge

pro of system for a single NPcomplete language eciency improvements can b e achieved

For example using Exercise one can present zeroknowledge pro ofs for the Hamiltonian

Circuit Problem again with error having round complexity O k bit complexity

O k jV j and computational complexity O k jV j where is a constant

dep ending on the desired security of the commitmentscheme in Construction and

in Exercise wechose Note that complexities dep ending on the instance size

are eected by reductions among problems and hence a fair comparison is obtained by

considering the complexities for the generic problem ie Bounded Halting

The round complexity ofaprotocolisavery imp ortant eciency consideration and it

is desirable to reduce it as much as p ossible In particular it is desirable to have zero

knowledge pro ofs with constantnumb er of rounds and negligible error probability This

goal is pursued in Section

Knowledge Tightness a particular eciency measure

The ab ove eciency measures are general in the sense that they are applicable to any

proto col indep endent on whether it is zeroknowledge or not A particular measure of

eciency applicable to zeroknowledge proto cols is their know ledge tightnessIntuitively

knowledge tightness is a renement of zeroknowledge which is aimed at measuring the

actual security of the pro of system Namelyhowmuch harder do es the verier need to

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

work when not interacting with the prover in order to compute something which it can

computes after interacting with the prover Thus knowledge tightness is the ratio b etween

the exp ected runningtime of the simulator and the runningtime of the verierinthe

real interaction simulated by the simulator Note that the simulators presented so far as

well as all known simulator op erate by rep eated random trials and hence an instructive

measure of tightness should consider their exp ected runningtime assuming they never err

ie output the sp ecial symb ol rather than the worst case

Denition knowledge tightness Let t NI NI be a function We say that a zero

know ledge proof for language L has knowledge tightness t if there exists a polynomial p

such that for every probabilistic polynomialtime verier V there exists a simulator M as

in Denition such that for al l suciently long x L we have

Time x pjxj

tjxj

Time x

where Time x denotes the expected runningtime of M on input xandTime x

M V

denotes the running time of V on common input x

We assume a mo del of computation allowing one machine to invoke another machine at

the cost of merely the runningtime of the latter machine The purp ose of p olynomial p

in the ab ove denition is to take care of generic overhead created by the simulation this is

imp ortant in case the verier V is extremely fast We remark that the denition of zero

knowledge do es not guarantee that the knowledge tightness is p olynomial Yet all known

zeroknowledge pro of and more generally all zeroknowledge prop erties demonstrated using

a single simulator with blackb ox access to V have p olynomial knowledge tightness In

particular Construction has knowledge tightness whereas Construction has

knowledge tightness Webelieve that knowledge tightness is a very imp ortant eciency

consideration and that it desirable to have it b e a constant

Negative Results

In this section we review some negative results concerning zeroknowledge These results

can b e viewed as evidence to the b elief that some of the shortcomings of the results and con

structions presented in previous sections are unavoidable Most imp ortantly Theorem

asserts the existence of computational zeroknowledge pro of systems for NP assuming

that oneway functions exist Two natural questions arise

An unconditional result Can one prove the existence of computational zeroknowledge

pro of systems for NP without making any assumptions

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

NEGATIVE RESULTS

Perfect zeroknow ledge Can one present p erfect zeroknowledge pro of systems for

NPeven under some reasonable assumptions

The answer to b oth question seems to b e negative

Another imp ortant question concerning zeroknowledge pro ofs is their preservation un

der parallel comp osition We show that in general zeroknowledge is not preserved under

parallel comp osition ie there exists a pair of zeroknowledge proto cols that when executed

in parallel leak knowledge in a strong sense Furthermore we consider some natural pro of

systems obtained via parallel comp osition of zeroknowledge pro ofs and indicate that it is

unlikely that the resulting comp osed pro ofs can b e proven to b e zeroknowledge

Implausibility of an Unconditional NP in ZK Result

Recall that Theorem asserts the existence of zeroknowledge pro ofs for any languages

in IP provided that nonuniform oneway functions exist In this subsection we consider the

question of whether this sucient condition is also necessary The results known to date

seem to provide some yet weak indication in this direction Sp ecically the existence of

zeroknowledge pro of systems for languages out of BP P implies very weak forms of one

wayness Also the existence of zeroknowledge pro of systems for languages which are hard

to approximate in some average case sense implies the existence of oneway functions but

not of nonuniformly oneway functions In the rest of this subsection we provide precise

statements of the ab ove results

BP P C Z K implies weak forms of onewayness

Denition collection of functions with oneway instances Acol lection of functions

is said to have oneway instances if there exists threeprobabilistic ff D f g g

i i

I i

polynomialtime algorithms I D and F so that the fol lowing two conditions hold

easy to sample and compute as in Denition

some functions are hard to invert For every probabilistic polynomialtime algorithm

A every polynomial p and innitely many is

Prob A f X i f f X

i n i n

where X is a random variable describing the output of algorithm D on input i

Actually since the hardness condition do es not refer to the distribution induced by I we

I f g and algorithm I uniformly selects may assume without loss of generality that

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

a string of length equal to the length of its input Recall that collections of oneway

functions as dened in Denition requires hardness to invert of all but a negligible

measure of the functions f where the probability measure is induced by algorithm I

Theorem If there exist zeroknow ledge proofs for languages outside of BP P then

there exist col lections of functions with oneway instances

We remark that the mere assumption that BP P I P is not known to imply any form of

onewayness The existence of a language in NP whichisnotinBP P implies the existence

of a function which is easy to compute but hard to invert in the worstcase see Section

The latter consequence seems to b e a muchweaker form of onewayness

zeroknowledge pro ofs for hard languages yield oneway functions

Our notion of hard languages is the following

Denition We say that a language L is hard to approximate if there exists a probabilis

tic polynomialtime algorithm S such that for every probabilistic polynomialtime algorithm

A every polynomial p and innitely many ns

ProbAX X

n L n

def

where X S and is the characteristic function of the language L ie x

n L L

if x L and x otherwise

Theorem If there exist zeroknow ledge proofs for languages that arehard to approx

imate then there exist oneway functions

We remark that the mere existence of languages that are hard to approximate even

in a stronger sense bywhich the approximater must fail on all suciently large ns is not

known to imply the existence of oneway functions see Section

ImplausibilityofPerfect ZeroKnowledge pro ofs for all of NP

A theorem b ounding the class of languages p ossessing perfect zeroknowledge pro of systems

follows We start with some background for more details see Section missingeffipsec

By AM we denote the class of languages having an interactive pro of which pro ceeds as fol

lows First the verier sends a random string to the prover next the prover answers with

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

NEGATIVE RESULTS

some string and nally the verier decided whether to accept or reject based on a deter

ministic computation dep ending on the common input and the ab ovetwo strings The

class AM seems to b e a randomized counterpart of NP and it is b elieved that coNP is not

contained in AM Additional supp ort to this b elief is given by the fact that coNP AM

implies the collapse of the PolynomialTime HierarchyInany case it is known that

Theorem The class of languages possessing perfect zeroknow ledge proof systems is

contained in the class coAM In fact these languages arealsoinAM

The theorem remains valid under several relaxations of p erfect zeroknowledge eg

allowing the simulator to run in exp ected p olynomialtime etc Hence if some NP

complete language has a p erfect zeroknowledge pro of system then coNP AM whichis

unlikely

We stress that Theorem does not apply to p erfect zeroknowledge arguments de

ned and discussed in Section Hence there is no conict b etween Theorem and

the fact that under some reasonable complexity assumptions p erfect zeroknowledge argu

ments do exist for every language in NP

ZeroKnowledge and Parallel Comp osition

We discuss two negative results of very dierent conceptual standing The rst result

asserts the failure of the general Parallel Comp osition Conjecture but says nothing ab out

sp ecic natural candidates The second result refers to a class of interactive pro ofs which

contains several interesting and natural examples and assert that the memb ers of this class

cannot b e proven zeroknowledge using a general paradigm knowby the name blackbox

simulation We mention that it is hard to conceive an alternativeway of demonstrating

the zeroknowledge prop erty of proto cols rather than by following this paradigm

Failure of the Parallel Comp osition Conjecture

For some time after zeroknowledge pro ofs were rst intro duced several researchers insisted

that the following must b e true

Parallel Comp osition Conjecture Let P and P be two zeroknow ledge provers Then the

prover resulting by running both of them in paral lel is also zeroknow ledge

Some researchers even considered the failure to prove the Parallel Comp osition Conjecture

as a sign of incomp etence However the Parallel Comp osition Conjecture is just wrong

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

Prop osition There exists two provers P and P suchthateach is zeroknow ledge

and yet the prover resulting by running both of them in paral lel yields know ledge eg a

cheating verier may extract from this proverasolutiontoaproblem that is not solvable in

polynomialtime Furthermore the above holds even if the zeroknow ledge property of each

of the P s can be demonstrated using a simulator which uses the verier as a blackbox see

below

We remark that these provers can b e incorp orated into a single prover that randomly selects

which of the two programs to execute Alternatively the choice may b e determined bythe

verier

Pro of idea Consider a prover denoted P that send knowledge to the verier if and

only if the verier can answer some randomly chosen hard question ie we stress that

the question is chosen by P Answers to the hard questions lo ok pseudorandom yet P

which is not computationally b ounded can verify their correctness Now consider a second

prover denoted P that answers these hard questions Each of these provers by itself is

zeroknowledge P is zeroknowledge since it is unlikely that any probabilistic p olynomial

time verier can answer its questions whereas P is zeroknowledge since its answers can

b e simulated by random strings Yet once played in parallel a cheating verier can answer

the question of P by sending it to P and using this answer gain knowledge from P To

turn this idea into a pro of we need to implement a hard problem with the ab ove prop erties

The ab ove prop osition refutes the Parallel Comp osition Conjecture by means of exp onen

tial time provers Assuming the existence of oneway functions the Parallel Comp osition

Conjecture can b e refuted also for probabilistic p olynomialtime provers with auxiliary in

puts For example consider the following two provers P and P which make use of pro ofs

of knowledge see Section Let C b e a bit commitmentscheme whichwe knowto

exist provided that oneway functions exist On commoninput C where f g

prover P proves to the verier in zeroknowledge that it knows To this end the prover

is give as auxiliary input the coins used in the commitment On input C prover P

asks the verier to prove that it knows and if P is convinced then it sends to the veri

er This verier employs the same system of pro ofs of knowledge used by the program P

Clearly each prover is zeroknowledge and yet their parallel comp osition is not Similarly

using stronger intractability assumptions one can refute the Parallel Comp osition Conjec

ture also with resp ect to p erfect zeroknowledge rather than with resp ect to computational

zeroknowledge

Problems with natural candidates

By denition to show that a prover is zeroknowledge one has to present for each prosp ec

tiveverier V a corresp onding simulator M which simulates the interaction of V with

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

NEGATIVE RESULTS

the prover However all known demonstrations of zeroknowledge pro ceed by presenting

one universal simulator whichusesany prosp ectiveverier V as a blackb ox In fact

these demonstrations use as blackb ox or oracle the next message function determined

by the verier program ie V its auxiliaryinput and its randominput This prop erty

of the simulators is implicit in our constructions of the simulators in previous sections We

remark that it is hard to conceive an alternativeway of demonstrating the zeroknowledge

prop erty

Denition blackb ox zeroknowledge

next message function Let B beaninteractive turing machine and x z r be strings

representing a commoninput auxiliaryinput and randominput respectively Con

sider the function B describing the messages sent by machine B such that

xz r

m denotes the message sent by B on commoninput x auxiliaryinput z B

xz r

mFor simplicity we assume randominput r andsequenceofincoming messages

that the output of B appears as its last message

blackb ox simulator We say that a probabilistic polynomialtime oracle machine M is

a blackb ox simulator for the prover P and the language L if for every polynomialtime

interactive machine B every probabilistic polynomialtime oracle machine D every

polynomial p al l suciently large x L and every z r f g

B B B

xz r xz r xz r

jProb D hP B z ix Prob D M x j

pjxj

where B z denotes the interaction of machine B with auxiliaryinput z and random

input r

We say that P is blackb oxzeroknowledge if it has a blackbox simulator

Essentially the denition says that a blackb oxsimulator mimics the interaction of

prover P with any p olynomialtime verier B relativetoany auxiliaryinput ie z that

B may get and any randominput ie r that B maycho ose The simulator do es so ef

ciently merely by using oracle calls to B which sp ecies the next message that B

xz r

sends on input x auxiliaryinput z and randominput r The simulation is indistinguish

able from the true interaction even if the distinguishing algorithm ie D is given access

to the oracle B An equivalent formulation is presented in Exercise ClearlyifP

xz r

is blackb ox zeroknowledge then it is zeroknowledge with resp ect to auxiliary input and

has p olynomially b ounded knowledge tightness see Denition

Theorem Suppose that P V is an interactive proof system with negligible error

probability for the language LFurther suppose that P V has the fol lowing properties

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

constant roundThere exists an integer k such that for every x L on input x the

prover P sends at most k messages

public coins The messages sent by the verier V arepredeterminedconsecutive seg

ments of its random tape

blackb ox zeroknowledge The prover P has a blackbox simulator over the language

Then L BPP

We remark that b oth Construction zeroknowledge pro of for Graph Isomorphism

and Construction zeroknowledge pro of for Graph Coloring are constant round use

public coins and are blackb ox zeroknowledge for the corresp onding languages However

they do not have negligible error probability Yet rep eating each of these constructions

p olynomially many times in paral lel yields an interactive pro of with negligible error prob

ability for the corresp onding language Clearly the resulting pro of system are constant

round and use public coins Hence unless the corresp onding languages are in BP P these

parallelized pro of systems arenotblackb ox zeroknowledge

Theorem is sometimes interpreted as p ointing to an inherent limitation of interactive

pro ofs with public coins also known as Arthur Merlin games see Section missingeffipsec

Such pro ofs cannot b e b oth roundecient ie have constantnumb er of rounds and negli

gible error and blackb ox zeroknowledge unless they are trivially so ie the language is

in BP P In other words when constructing roundecient zeroknow ledge proof systems

for languages not in BP P one is advised to use private coins ie to let the verier

send messages dep ending up on but not revealing its coin tosses

Witness Indistinguishability and Hiding

In light of the nonclosure of zeroknowledge under parallel comp osition see Subsection

alternative privacy criteria that are preserved under parallel comp osition are of practical

and theoretical imp ortance Two notions called witness indistinguishabil ity and witness

hiding which refer to the privacy of interactive pro of systems of languages in NP are

presented in this section Both notions seem weaker than zeroknowledge yet they suce

for some sp ecic applications

Denitions

In this section we conne ourself to languages in NPRecallthatawitness relation for a

language L NP is a binary relation R that is p olynomiallyb ounded ie x y R

L L

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

WITNESS INDISTINGUISHABILITY AND HIDING

implies jy j p oly jxj p olynomialtime recognizable and characterizes L by

L fx y st x y R g

Witness indistinguishabili ty

Lo osely sp eaking an interactive pro of for a language L NP is witness independent resp

witness indistinguishable if the veriers view of the interaction with the prover is statis

tically indep endent resp computationally indep endent of the auxiliary input of the

prover Actuallywe will relax the requirement so that it applies only to the case in which

the auxiliary input constitutes an NPwitness to the common input namelyletR b e the

witness relation of the language L and supp ose that x Lthenwe consider only auxiliary

def

inputs in R x fy x y R gBysaying that the view is computational indep endent

L L

of the witness we mean that for every twochoices of auxiliary inputs the resulting views

are computationally indistinguishable In the actual denition wecombine notations and

conventions from Denitions and

Denition witness indistinguish abil ity indep endence Let P V L NP and

V be as in Denition and let R be a xed witness relation for the language LWe

P y

denote by view x arandom variable describing the contents of the randomtapeof

V z

V and the messages V receives from P during a joint computation on common input x

when P has auxiliary input y and V has auxiliary input z We say that P V is witness

indistinguishable for R if for every probabilistic polynomialtime interactive machine V

and every two sequences W fw g and W fw g sothat w w R xthe

xL xL L

x x x x

fol lowing two ensembles arecomputational ly indistinguishable

P w

xg fx view

xLz fg

V z

P w

fx view xg

xLz fg

V z

Namely for every probabilistic polynomialtime algorithm D every polynomial pall

suciently long x L and al l z f g it holds that

P w P w

x x

x j x ProbD x view jProbD x view

V z V z

pjxj

We say that P V is witness indep enden t if the above ensembles are identical ly distributed

Rx and z f g therandom variables w Namely for every x L every w

x x

P w P w

x x

x are identical ly distributed x and view view

V z V z

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

A few remarks are in place First one may observe that any pro of system in whichthe

prover ignores its auxiliaryinput is trivially witness indep endent In particular exp onential

time provers may without loss of generality ignore their auxiliaryinput without any de

crease in the probability that they convince the verier Yet probabilistic p olynomialtime

provers can not aord to ignore their auxiliary input since otherwise they b ecome useless

Hence for probabilistic p olynomialtime provers for languages outside BP P witness indis

tinguishability is nontrivial Secondly one can easily show that any zeroknowledge pro of

system for a language in NP is witness indistinguishabl e since the view corresp onding to

each witness can b e approximated by the same simulator Likewise p erfect zeroknowledge

pro ofs are witness indep endent Finally it is relatively easy to see that witness indistin

guishability and witness indep endence are preserved under sequential comp osition In the

next subsection we show that they are also preserved under parallel comp osition

Witness hiding

Wenow turn to the notion of witness hiding Intuitively a pro of system for a language in

NP is witness hiding if after interacting with the prover it is still infeasible for the verier

to nd an NP witness for the common input Clearlysuch a requirement can hold only

if it is infeasible to nd witnesses from scratch Since each NP language has instances

for which witness nding is easywemust consider the task of witness nding for sp ecially

selected hard instances This leads to the following denitions

Denition distribution of hard instances Let L NP and R be a witness relation

def

for LLet X fX g bea probability ensemble so that X assign nonzeroprobability

n n

nNI

mass only to strings in L f g We say that X is hard for R if for every probabilistic

polynomialtime witness nding algorithm F every polynomial p al l suciently large

polyn

ns and al l z f g

ProbF X z R X

n L n

Denition witness hiding Let P V L NP and R beasintheabove deni

tions

Let X fX g beahard instance ensemble for R We say that P V is witness

n L

nNI

hiding for the relation R under the instance ensemble X if for every probabilistic

polynomialtime machine V every polynomial p and al l suciently large ns and

al l z f g

ProbhP Y V z iX R X

n n L n

where Y is arbitrarily distributed over R X

n L n

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

WITNESS INDISTINGUISHABILITY AND HIDING

We say that P V is universal witness hiding for the relation R if the proof system

P V is witness hiding for R under every ensemble of hard instances for R that

L L

is eciently constructible see Denition

We remark that the relation b etween the two privacy criteria ie witness indistin

guishable and witness hiding is not obvious Yet zeroknowledge pro ofs for NP are also

universal witness hiding for any corresp onding witness relation We remark that witness

indistinguishabi li ty and witness hiding similarly to zeroknowledge are prop erties of the

prover and more generally of a anyinteractivemachine

Parallel Comp osition

In contrary to zeroknowledge pro of systems witness indistinguish able pro ofs oer some

robustness under parallel comp osition Sp ecically parallel comp osition of witness indis

tinguishable pro of systems results in a witness indistinguishabl e system providedthatthe

original prover is probabilistic polynomialtime

Lemma Parallel Comp osition Lemma Let L NP and R beasinDeni

tion and suppose that P is probabilistic polynomialtime and P V is witness indis

tinguishable resp witness indep endent for R Let Q bea polynomial and P denote

L Q

aprogram that on commoninput x x f g and auxiliaryinput w w

Qn Qn

f g invokes P in paral lel Qn times so that in the i copy P is invokedoncommon

input x and auxiliaryinput w Then P is witness indistinguishable resp witness inde

i i Q

p endent for

def

R f x w i x w R g

i i L

x x x andw w w so that m Qn and jx j n for each i where

m m i

Pro of Sketch Both the computational and information theoretic versions followbya

hybrid argument We concentrate on the computational version Toavoid cumb ersome

notation we consider a generic n for which the claim of the lemma fails By contradiction

there must b e innitely many such ns and a precise argument will actually handle all these

it is feasible to distin ns together Namely supp ose that by using a verier program V

guish the witnesses w w w andw w w used by P inaninteraction

m m

distinguishes also the hybrid on commoninput x L Then for some i the program V

i i

w w and Rewrite w w h w h w w w witnesses

m m

i i i i

i i

h w w w w w and h w w w w w We derive

i i m i i m

i i

a contradiction by constructing a verier V that distinguishes the witnesses used by P

in interactions with the original prover P Details follow

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

The program V incorp orates the programs P and V and pro ceeds byinteracting

with the prover P in parallel to simulating m other interactions with P The real

interaction with P is viewed as the i copyinaninteraction of V whereas the simulated

interactions are asso ciated with the other copies Sp ecicall y in addition to the common

i i

x h and h as part of input xmachine V gets the appropriate i and the sequences

its auxiliary input For each j i machine V will use x as commoninput and w as

j j

the auxiliaryinput to the j copyofP Machine V invokes V on common input x and

provides it with an interface to a virtual interaction with P Thei comp onentofa

sentby V is forwarded to the prover P and all other comp onents message

are kept for the simulation of the other copies When P answers with a message machine

V computes the answers of the other copies of P by feeding the program P with the

corresp onding auxiliaryinput and the corresp onding sequence of incoming messages It

follows that V can distinguish the case P uses the witness w from the case P uses w

i i

Constructions

In this subsection we present constructions of witness indistinguishable and witness hiding

pro of systems

Constructions of witness indistinguishable pro ofs

Using the Parallel Comp osition Lemma and the observation that zeroknowledge pro ofs are

witness indistinguishable wederive the following

Theorem Assuming the existence of nonuniformly oneway functions every lan

guage in NP has a constantround witness indistinguishable proof system with negligible

errorprobability In fact the error probability can bemadeexponential ly smal l

We remark that no such result is known for zeroknowledge pro of system Namelythe

known pro of systems for NP are either

not constantround eg Construction or

have nonnegligible error probability eg Construction or

require stronger intractability assumptions see Subsection or

are only computationally sound see Subsection

Similarlywe can derive a constantround witness indep endent pro of system with exp onen

tially small error probability for Graph Isomorphism Again no analogous result is known

for p erfect zeroknowledge pro ofs

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

WITNESS INDISTINGUISHABILITY AND HIDING

Constructions of witness hiding pro ofs

Witness indistinguishabl e pro of systems are not necessarily witness hiding For example

any language with unique witnesses has a pro of system which yields the unique witness

and yet is trivially witness indep endent On the other hand for some relations witness

indistinguishabi li ty implies witness hiding For example

i f Prop osition Let ff I g beacol lection of nonuniform clawfree functions

i i

and let

def

R fx w w r x i x x f r g

Then if a machine P is witness indistinguishable for R then it is also witness hiding for R

under the distribution generated by setting i I and x f D iwhere I and D

are as in Denition

By a collection of nonuniform clawfree functions we mean that even nonuniform families

of circuits fC g fail to form claws on input distribution I except with negligible prob

abilityWe remark that the ab ove prop osition do es not relate to the purp ose of interacting

with P eg whether P is proving memb ership in a language knowledge of a witness and

so on The prop osition is proven bycontradiction Details follow

Supp ose that an interactive machine V nds witnesses after interacting with P By

the witness indistinguishabi li tyofP it follows that V is p erforming as well regardless on

whether the witness is of the form or Combining the programs V and P with

algorithm D wederive a claw forming algorithm and hence contradiction Sp ecicallythe

I uniformly selects f g randomly generates clawforming algorithm on input i

r D i computes x i f r and simulates an interaction of V with P on common

input x and auxiliaryinput rto P Ifmachine V outputs a witness w Rx then

with probability approximately wehave w r and a claw is formed since

f r f r

Furthermore every NP relation can b e slightly mo died so that for the mo died re

lation witness indistinguishabil ity implies witness hiding Given a relation R the mo died

relation denoted R is dened by

def

R fx x w jx j jx ji st x w Rg

Namely w is a witness under R for the instance x x if and only if w is a witness under

R for either x or x

Prop osition Let R and R beasabove If a machine P is witness indistinguishable

for R then it is also witness hiding for R under every distribution of hard instances induced

seebelow by an ecient algorithm that randomly selects pairs in R

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

Let S b e a probabilistic p olynomialtime algorithm that on input outputs x w R so

that jxj nLetX denotes the distribution induced on the rst element in the output

of S The prop osition asserts that if P is witness indistinguish able and fX g an

nNI

ensemble of hard instances for R then P is witness hiding under the ensemble f X g

nNI

X consists of two indep endent copies of X This assertion is proven by contradic where

n n

tion Supp ose that an interactivemachine V nds witnesses after interacting with P By

the witness indistinguishabi li tyofP it follows that V is p erforming as well regardless on

whether the witness w for x x satises either x w R or x w R Combining

the programs V and P with algorithm S wederive a algorithm denoted F that nds

witnesses for R under the distribution X On input x L algorithm F generates at

jxj

random x w S and sets and x x x with probability x x x otherwise

Algorithm F simulates an interaction of V with P on commoninput x and auxiliary

input w to P and when V outputs a witness w algorithm F checks whether x w R

The reader can easily verier that algorithm F p erforms well under the instance ensemble

fX g hence contradicting the hyp othesis that X is hard for R

n n

Applications

Applications for the notions presented in this section are scattered in various places in the

b o ok In particular witnessindistinguishabl e pro of systems are used in the construction

of constantround arguments for NP see Subsection witness indep endent pro of

systems are used in the zeroknowledge pro of for Graph NonIsomorphism see Section

and witness hiding pro of systems are used for the ecient identication scheme based on

factoring in Section

Pro ofs of Knowledge

This section addresses the concept of pro ofs of knowledge Lo osely sp eaking these are

pro ofs in which the prover asserts knowledge of some ob ject eg a coloring of a graph

and not merely its existence eg the existence of a coloring of the graph which in turn

imply that the graph is in the language GC But what is meantbysaying that a machine

knows something Indeed the main thrust of this section is in addressing this question

Before doing so we p oint out that pro ofs of knowledge and in particular zeroknowledge

pro ofs of knowledge havemany applications to the design of cryptographic schemes and

cryptographic proto cols Some of these applications are discussed in a sp ecial subsection Of

sp ecial interest is the application to identication schemes which is discussed in a separate subsection

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

PROOFS OF KNOWLEDGE

Denition

We start with a motivating discussion

What do es it mean to say that a machine knows something Any standard

dictionary suggests several meanings to the verb know and most meanings are

phrased with reference to awareness We however must lo ok for a b ehavior

istic interpretation of the verb Indeed it is reasonable to link knowledge with

ability to do something b e it at the least the ability to write down whatever one

knows Hence wewillsay that a machine knows a string if it can output the

string This seems as total nonsense A machine has a well dened output

either the output equals or it do es not So what can b e meantbysaying that

amachine can do something Lo osely sp eaking it means that the machine can

b e mo died so that it do es whatever is claimed More precisely it means that

there exists an ecient machine which using the original machine as oracle

outputs whatever is claimed

So far for dening the knowledge of machines Yet whateveramachine knows or do es

not knowisitsown business What can b e of interest to the outside is the question of

what can b e deduced ab out the knowledge of a machine after interacting with it Hence

weareinterested in pro ofs of knowledge rather than in mere knowledge

For sake of simplicity let us consider a concrete question howcanamachine prove that

it knows a coloring of a graph An obvious way is just to send the coloring to the verier

Yet we claim that applying Construction ie the zeroknowledge pro of system for

GC suciently many times results in an alternativeway of proving knowledge of a

coloring of the graph Lo osely sp eaking wesaythataninteractivemachine V constitutes

a verier for know ledge of coloring if the probability that the verier is convinced bya

machine P to accept the graph G is inversely prop ortional to the diculty of extracting a

coloring of G when using machine P as a blackbox Namely the extraction of the

coloring is done by an oracle machine called an extractor that is given access to a function

sp ecifying the messages sentby P in resp onse to particular messages that P receives The

exp ected running time of the extractor on input G and access to an oracle sp ecifying

P s messages is inversely related by a factor p olynomial in jGj to the probability that P

convinces V to accept GIncaseP always convinces V to accept G the extractor runs

in exp ected p olynomialtime The same holds in case P convinces V to accept with non

negligible probabilityWe stress that the latter sp ecial cases do not suce for a satisfactory

denition

Preliminaries

def def

Let R f g f g b e a binary relation Then Rx fs x s Rg and L

fx s st x s RgIfx s R then we call s a solution for xWesay that R is

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

polynomial ly bounded if there exists a p olynomial p such that jsj pjxj for all x s R

Wesay that R is an NP relation if R is p olynomially b ounded and in addition there exists

a p olynomialtime algorithm for deciding memb ership in R ie L NP In the sequel

we conne ourselves to p olynomially b ounded relations

We wish to b e able to consider in a uniform manner all p otential provers without making

distinction based on their runningtime internal structure etc Yet we observe that these

interactivemachine can b e given an auxiliaryinput which enables them to know and to

prove more Likewise they may b e luck to select a randominput which enables more than

another Hence statements concerning the knowledge of the prover refer not only to the

provers program but also to the sp ecic auxiliary and random inputs it has Hence wex

an interactive machine and all inputs ie the commoninput the auxiliaryinput and the

randominput to this machine and consider b oth the corresp onding accepting probability

of the verier and the usage of this proverinputs template as an oracle to a knowledge

extractor This motivates the following denition

m the message sent Denition message sp ecication function Denote by P

xy r

by machine P on commoninput x auxiliaryinput y andrandom input r after receiving

messages m The function P is cal led the message sp ecication function of machine P

xy r

with commoninput x auxiliaryinput y and random input r

An oracle machine with access to the function P will represent the knowledge of machine

xy r

P on commoninput x auxiliaryinput y and random input r This oracle machine called

the knowledge extractor will try to nd a solution to x ie an s Rx The running

time of the extractor is inversely related to the corresp onding accepting probability of the

verier

Knowledge veriers

Now that all the machinery is readywe present the denition of a system for pro ofs of

knowledge Actually the denition presented b elow is a generalization to b e motivated

by the subsequent applications At rst reading the reader may set the function to b e

identically zero

Denition System of pro ofs of knowledge Let R be a binary relation and NI

We say that an interactive function V is a knowledge verier for the relation R with

knowledge error if the fol lowing two conditions hold

Nontriviality There exists an interactive machine P so that for every x y R

al l possible interactions of V with P on commoninput x and auxiliaryinput y are

accepting

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

PROOFS OF KNOWLEDGE

Validity with error There exists a polynomial q and a probabilistic oracle

machine K such that for every interactive function P every x L and every

y r f g machine K satises the fol lowing condition

Denote by px the probability that the interactive machine V accepts on

input x when interacting with the prover speciedby P Thenifpx

xy r

jxj then on input x and access to oracle P machine K outputs a

xy r

solution s Rx within an expected number of steps boundedby

q jxj

px jxj

The oracle machine K is cal leda universal knowledge extractor

When is identical ly zero we just say that V is a knowledge verier for the relation

RAn interactive pair P V so that V is a know ledge verier for a relation R and P is a

machine satisfying the nontriviality condition with respect to V and Riscal leda system

forpro ofs of knowledge for the relation R

Observations

The zeroknowledge pro of systems for Graph Isomorphism ie Construction and

for Graph Coloring ie Construction are in fact pro ofs of knowledge with some

knowledge error for the corresp onding languages Sp ecically Construction is a pro of

of knowledge of an isomorphism with knowledge error whereas Construction is a

pro of of knowledge of a coloring with knowledge error on common input G

jE j

V E By iterating each construction suciently many times we can get the knowledge

error to b e exp onentially small The pro ofs of all these claims are left as an exercise In

fact we get a pro of of knowledge with zero error since

Prop osition Let R beanNPrelation and q beapolynomial such that x y R

implies jy j q jxjSuppose that P V is a system for proofs of know ledge for the relation

def

q n

R with know ledge error n ThenP V is a system for proofs of know ledge

for the relation R with zero know ledge error

Pro of Sketch Given a knowledge extractor K substantiating the hyp othesis wecon

struct a new knowledge extractor which runs K in parallel to conducting an exhaustive

search for a solution Let px b e as in Denition Toevaluate the p erformance of the

new extractor consider two cases

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

Case px jxj In this case we use the fact

px jxj px

Case px jxj In this case we use the fact that exhaustive search of a solution

q jxj q jxj

b oils down to trials whereas

It follows that

Theorem Assuming the existence of nonuniformly oneway function every NP re

lation has a zeroknow ledge system for proofs of know ledge

Applications

We briey review some of the applications for zeroknowledge pro ofs of knowledge Typ

ically zeroknowledge pro ofs of knowledge are used for mutual disclosure of the same

information Supp ose that Alice and Bob b oth claim that they know something eg a

coloring of a common input but are each doubtful of the other p ersons claim Employ

ing a zeroknowledge pro of of knowledge in b oth direction is indeed a conceptually simple

solution to the problem of convincing each other of their knowledge

Nonoblivious commitmentschemes

When using a commitmentscheme the receiver is guaranteed that after the commit phase

the sender is committed to at most one value in the sense that it can later reveal only

this value Yet the receiver is not guaranteed that the sender knows to what value it

is committed Such a guarantee may b e useful in many settings and can b e obtained by

using pro of of knowledge For more details see Subsection

Chosen message attacks

An obvious way of protecting against chosen message attacks on a publickey encryption

scheme is to augment the ciphertext by a zeroknowledge pro of of knowledge of the cleartext

For denition and alternative constructions of suchschemes see Section missingencstrongsec

However one should note that the resulting encryption scheme employs bidirectional com

munication b etween the sender and the receiver of the encrypted message It seems

that the use of noninteractive zeroknowledge pro ofs of knowledge would yield unidirec

tional publickey encryption schemes Such claims have b een made yet no pro of has

ever app eared and we refrain from expressing an opinion on the issue Noninteractive

zeroknowledge pro ofs are discussed in Section

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

PROOFS OF KNOWLEDGE

A zeroknowledge pro of system for GNI

The interactive pro of of Graph NonIsomorphism GN I presented in Construction is

not zeroknowledge unless GN I BPP A cheating verier may construct a graph H

and learn whether it is isomorphic to the rst input graph by sending H as query to the

prover A more app ealing refutation can b e presented to the claim that Construction

is auxiliaryinput zeroknowledge eg the verier can check whether its auxiliaryinput is

isomorphic to one of the commoninput graphs We observehowever that Construction

would have b een zeroknowledge if the verier always knew the answer to its queries as

is the case for the honest verier The idea then is to have the verier provetothe

prover that he ie the verier knows the answer to the query ie an isomorphism to the

appropriate input graph and the prover answers the query only if it is convinced of this

claim Certainly the veriers pro of of knowledge should not yield the answer otherwise the

prover can use this information in order to cheat thus foiling the soundness requirement

If the veriers pro of of knowledge is zeroknowledge then certainly it do es not yield the

answer In fact it suces that the veriers pro of of knowledge is witnessindependent see

Section

Pro ofs of Identity Identication schemes

Identication schemes are useful in large distributed systems in which the users are not

acquainted with one another A typical everyday example is the consumerretailer situa

tion In computer systems a typical example is electronic mail in communication networks

containing sites allowing to o lo ose lo cal sup eruser access In b etween in technological so

phistication are the Automatic Teller Machine ATM system In these distributed systems

one wishes to allow users to b e able to authenticate themselves to other users This goal

is achieved by identication schemes dened b elow In the sequel we shall also see that

identication schemes are intimately related to pro ofs of knowledge We just hint that a

p ersons identity can b e linked to his ability to do something and in particular to his ability

to prove knowledge of some sort

Denition

Lo osely sp eaking an identication scheme consists of a public le containing records for

each user and an identication protocolEach record consists of the name or identity of

a user and auxiliary identication information to b e used when invoking the identication

proto col as discussed b elow The public le is established and maintained by a trusted

party whichvouches for the authenticity of the records ie that each record has b een

submitted by the user the name of which is sp ecied in it All users have read access to

the public le at all times Alternatively the trusted party can supply each user with a

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

signed copy of its public record Supp ose now that Alice wishes to provetoBob that it is

indeed her communicating with him To this end Alice invokes the identication proto col

with the public le record corresp onding to her name as a parameter Bob veries that the

parameter in use indeed matches Alices public record and pro ceeds executing his role in

the proto col It is required that Alice will always b e able to convince Bob that she is indeed

Alice whereas nob o dy else can fo ol Bob into b elieving that shehe is AliceFurthermore

Carol should not b e able to imp ersonate as Alice even after receiving p olynomially many

pro ofs of identity from Alice

Clearly if the identication information is to b e of any use then Alice must keep in

secret the random coins she has used to generate her record Furthermore Alice must use

these stored coins during the execution of the identication proto col but this must b e done

in a way whichdoesnotallow her counterparts to later imp ersonate her

Conventions In the following denition we adopt the formalism and notations of interac

tivemachines with auxiliary input presented in Denition We recall that when M

is an interactivemachine we denote by M y the machine which results by xing y to b e

the auxiliary input of machine M In the following denition n is the security parameter

and we assume with little loss of generality that the names ie identities of the users are

enco ded by strings of length nIfA is a probabilistic algorithm and x r f g then

A x denotes the output of algorithm A on input x and random coins r

Remark In rst reading the reader may ignore algorithm A and the random variable T

in the security condition Doing so however yields a weaker condition that is typically

unsatisfactory

Denition identication scheme An identication scheme consists of a pair I

where I is a probabilistic polynomial time algorithm and P V isapairofprobabilistic

polynomialtime interactive machines satisfying the fol lowing conditions

n polyn

Viability For every n NI every f g and every s f g

Prob hP sV i I

Security For every pair of probabilistic polynomialtime interactive machines A and

B every polynomial p al l suciently large n NI every f g and every z

Prob hB z T V i I

n S

polyn

where S isarandom variable uniformly distributed over f g andT is a

n n

random variable describing the output of Az after interacting with P S on common

input forpolynomial ly many times

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

PROOFS OF KNOWLEDGE

Algorithm I is cal ledthe information generating algorithm and the pair P V is cal ledthe

identication proto col

Hence to use the identication scheme a user say Alicetheidentity of whichis

def

enco ded by the string should rst uniformly select a secret string s compute i I

ask the trusted party to place the record i in the public le and store the string s in

a safe place The viability condition asserts that Alice can convince Bob of her identity

by executing the identication Alice invokes the program P using the stored string s as

auxiliary input and Bob uses the program V and makes sure that the common input is the

public record containing which is in the public le Ignoring for a moment algorithm

A and the random variable T the security condition yields that it is infeasible for a party

to imp ersonate Alice if all this party has is the public record of Alice and some unrelated

auxiliary input However such a security condition may not suce in many applications

since a user wishing to imp ersonate Alice may ask her rst to prover her identity to himher

The full security condition asserts that even if Alice has proven her identitytoCarol

many times in the past still it is infeasible for Carol to imp ersonate AliceWe stress that

Carol cannot imp ersonate Alice to Bob provided that she cannot interact concurrently

with b oth In case this condition do es not hold then nothing is guaranteed and indeed

Carol can easily cheat by referring Bobs questions to Alice and answering as Alice do es

Identication schemes and pro ofs of knowledge

A natural way of establishing a p ersons identity is to ask himher to supply a pro of of

knowledge of a fact that this p erson is supp osed to know Let us consider a sp ecic and

in fact quite generic example

Construction identication scheme based on a oneway function Let f be a func

tion On input an identity f g the information generating algorithm uniformly

selects a string s f g and outputs f s The pair f s is the public record for

the user with name Theidentication proto col consists of a proof of know ledge of the

inverse of the second element in the public record Namely in order to prove its identity

user proves that he knows a string s so that f sr where r is a record in the public

le The proof of know ledge in usedisallowedtohavenegligible know ledge error

Prop osition If f is a oneway function and the proof of know ledge in use is zero

know ledge then Construction constitutes an identication scheme

Hence identication schemes exist if oneway functions exist More ecient identica

tion schemes can b e constructed based on sp ecic intractability assumptions For example

assuming the intractability of factoring the so called FiatShamir identication scheme

which is actually a pro of of knowledge of a square ro ot follows

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

Construction the FiatShamir identication scheme On input an identity

f g theinformation generating algorithm uniformly selects a composite number N

which is the product of two nbit long primes a residue s mod N and outputs the pair

N s mo d N The pair N s mo d N is the public record for user Theiden

tication proto col consists of a proof of know ledge of the corresponding modular square

root Namely in order to prove its identity user proves that he knows a squareroot of

def

r s mo d N where rN is a record in the public le Again negligible know ledge

error is al lowed

The pro of of knowledge of square ro ot is analogous to the pro of system for Graph

Isomorphism presented in Construction Namely in order to prove knowledge of a

square ro ot of r s mo d N the prover rep eats the following steps suciently many

times

Construction atomic pro of of knowledge of square ro ot

def

The prover randomly selects a residue q modulo N and send t q mo d N to the

verier

The verier uniformly selects f g and sends it to the prover

Motivation in case the verier asks for a squareroot of t mo d N whereas in

case the verier asks for a squareroot of t r mo d N In the sequel we assume

without loss of generality that f g

def

The prover replies with p q s mo d N

The verier accepts this time if and only if the messages t and p sent by the prover

satises p t r mo d N

When Construction is rep eated k times either sequentially or in parallel the result

ing proto col constitutes a pro of of knowledge of mo dular square ro ot with knowledge error

In case these rep etitions are conducted sequentially then the resulting proto col is

zeroknowledge Yet for use in Construction it suces that the pro of of knowledge is

witnesshiding and fortunately even p olynomially many parallel executions can b e shown

to b e witnesshiding see Section Hence the resulting identication scheme has con

stant round complexityWe remark that for identication purp oses it suces to p erform

Construction sup erlogarithmically many times Furthermore also less rep etitions are

of value when applying Construction k O log n times and using the resulting

proto col in Construction we get a scheme for identication in which imp ersonation

can o ccur with probability at most

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

COMPUTATIONALLYSOUND PROOFS ARGUMENTS

Identication schemes and pro ofs of ability

As hinted ab ove a pro of of knowledge of a string ie the ability to output the string is a

sp ecial case of a pro of of ability to do something It turns out that identication schemes

can b e based also on the more general concept of pro ofs of abilityWeavoid dening this

concept and refrain ourself to two natural examples of using a pro of of ability as basis

for identication

It is an everyday practice to identify p eople by their ability to pro duce their signature

This practice can b e carried into the digital setting Sp ecically the public record of Alice

consists of her name and the verication key corresp onding to her secret signing key in a

predetermined signature scheme The identication proto col consists of Alice signing a

random message chosen bytheverier

A second p opular means of identication consists of identifying p eople by their abilityto

answer correctly p ersonal questions A digital analogue to this practice follows To this end

we use pseudorandom functions see Section and zeroknowledge pro ofs of memb ership

in a language The public record of Alice consists of her name and a commitment to

a randomly selected pseudorandom function eg either via a stringcommitmenttothe

index of the function or via a pair consisting of a random domain elementandthevalue of

the function at this p oint The identication proto col consists of Alice returning the value

of the function at a random lo cation chosen by the verier and supplying a zeroknowledge

pro of that the value returned indeed matches the function app earing in the public record

We remark that the digital implementation oers more security than the everyday practice

In the everyday setting the verier is given the list of all p ossible question and answer pairs

and is trusted not to try to imp ersonate as the user Here we replaced the p ossession of the

correct answers by a zeroknowledge pro of that the answer is correct

ComputationallySound Pro ofs Arguments

In this section we consider a relaxation of the notion of an interactive pro of system Sp eci

callywe relax the soundness condition of interactive pro of systems Instead of requiring that

it is impossible to fo ol the verier into accepting false statement with probability greater

than some b ound we only require that it is infeasible to do so We call such proto cols com

putational ly sound proof systems or arguments The advantage of computationally sound

pro of systems is that perfect zeroknowledge computational ly sound pro of systems can b e

constructed under some reasonable complexity assumptions for all languages in NPWe

remark that perfect zeroknowledge pro of systems are unlikely to exists for all languages in

NP see section We recall that computational zeroknowledge pro of systems do exist

for all languages in NP provided that oneway functions exist Hence the ab ove quoted

p ositive results exhibit some kind of a tradeo b etween the soundness and zeroknowledge

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

prop erties of the zeroknowledge proto cols of NPWe remark however that this is not

a real tradeo since the p erfect zeroknowledge computationally sound pro ofs for NP are

constructed under stronger complexity theoretic assumption than the ones used for the

computationally zeroknowledge pro ofs It is indeed an interesting research pro ject to try

to construct p erfect zeroknowledge computationally sound pro ofs for NP under weaker

assumptions and in particular assuming only the existence of oneway functions

We remark that it seems that computationallysound pro of systems can b e much more

ecient than ordinary pro of systems Sp ecically under some plausible complexityas

sumptions extremely ecient computationallysound pro of systems ie requiring only

p olylogarithmic communication and randomness exist for any language in NP An analo

gous result cannot hold for ordinary pro of systems unless NP is contained in deterministic

p olylog

quasip olynomial time ie NP Dtime

Denition

The denition of computationally sound pro of systems follows naturally from the ab ove

discussion The only issue to consider is that merely replacing the soundness condition of

Denition by the following computational soundness condition leads to an unnatural

denition since the computational p ower of the prover in the completeness condition in

Denition is not restricted

Computational Soundness For every p olynomialtime interactivemachine B

and for all suciently long x L

Prob hB V ix

Hence it is natural to restrict the prover in b oth completeness and soundness conditions

to b e an ecient one It is crucial to interpret ecient as b eing probabilistic p olynomial

time given auxiliary input otherwise only languages in BP P will havesuch pro of systems

Hence our starting p oint is Denition rather than Denition

Denition computationally sound pro of system arguments Apair of interactive

machines P V iscal ledancomputationally sound pro of system for a language L if both

machines arepolynomialtime with auxiliary inputs and the fol lowing two conditions hold

Completeness For every x L there exists a string y such that for every string z

Prob hP y Vz ix

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

COMPUTATIONALLYSOUND PROOFS ARGUMENTS

Computational Soundness For every polynomialtime interactive machine B and for

al l suciently long x L and every y and z

Prob hB y V z ix

As usual the error probability in the completeness condition can b e reduced from

p olyjxj

up to by rep eating the proto col suciently many times The same is not true

in general with resp ect to the error probability in the computational soundness condition

see Exercise All one can show is that the error probability can b e reduced to b e

negligible ie smaller that p for every p olynomial p Sp ecicall yby rep eating a

computationally sound pro of suciently many time ie sup erlogarithmically many times

we get a new verier V for which it holds that

For every p olynomial p every p olynomialtime interactivemachine B and

for all suciently long x L and every y and z

Prob hB y V z ix

pjxj

See Exercise

Perfect CommitmentSchemes

The thrust of the current section is in a metho d for constructing perfect zeroknowledge

arguments for every language in NP This metho d makes essential use of the concept of

commitmentschemes with a perfect or information theoretic secrecy prop erty Hence

we start with an exp osition of p erfect commitmentschemes We remark that suchschemes

may b e useful also in other settings eg in settings in which the receiver of the commitment

is computationally unb ounded see for example Section

The dierence b etween commitmentscheme as dened in Subsection and p erfect

commitmentschemes dened b elow consists of a switching in scop e of the secrecy and

unambiguity requirements In commitmentschemes see Denition the secrecy re

quirement is computational ie refers only to probabilistic p olynomialtime adversaries

whereas the unambiguity requirement is information theoretic and makes no reference to

the computational p ower of the adversary On the other hand in p erfect commitment

schemes see denition b elow the secrecy requirement is information theoretic whereas

the unambiguity requirement is computational ie refers only to probabilistic p olynomial

time adversaries Hence in some sense calling one of these schemes p erfect is somewhat

unfair to the other yet wedosoinordertoavoid cumb ersome terms as a p erfectly

secretcomputationallynonambiguous commitmentscheme We remark that it is imp os

sible to have a commitmentscheme in which b oth the secrecy and unambiguity requirements are information theoretic see Exercise

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

Denition

Lo osely sp eaking a p erfect commitmentscheme is an ecient twophase twoparty proto col

through whichthesender can commit itself to a value so the following two conicting

requirements are satised

SecrecyAt the end of the commit phase the receiver do es not gain any information

of the senders value

Unambiguity It is infeasible for the sender to interact with the receiver so that the

commit phase is successfully terminated and yet later it is feasible for the sender to

p erform the reveal phase in two dierentways leading the receiver to accept as legal

op enings two dierentvalues

Using analogous conventions to the ones used in Subsection wemake the following

denition

Denition p erfect bit commitmentschemeAp erfect bit commitment scheme is a

pair of probabilistic polynomialtime interactive machines denoted S R for sender and

receiver satisfying

Input Sp ecication The common input is an integer n presented in unary serving

as the security parameter The private input to the sender is a bit v

Secrecy For every probabilistic not necessarily polynomialtime machine R inter

acting with S the random variables describing the output of R in the two cases

n n

namely hS R i and hS R i are statistical ly close

Unambiguity

Preliminaries For simplicity v f g and n NI are implicit in al l notations Fix

any probabilistic polynomialtime algorithm F

As in Denition a receivers view of an interaction with the sender denoted

r mconsists of the random coins usedbythereceiver r and the sequenceof

messages receivedfrom the sender m A senders view of the same interac

tion denoted s m consists of the random coins used by the sender s and the

sequence of messages receivedfrom the receiver m A joint view of the interac

tion is a pair consisting of corresponding receiver and sender views of the same

interaction

def

Let f g We say that a joint view of an interaction t r m s m

has a feasible op ening with resp ect to F if on input t algorithm F out

m describes the messages puts say with probability a string s such that

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

COMPUTATIONALLYSOUND PROOFS ARGUMENTS

receivedby R when R uses local coins r and interacts with machine S which uses

local coins s and input

Remark We stress that s may but need not equal s The output of algorithm

F has to satisfy a relation which depends only on the receivers view partofthe

input the senders view is supplied to algorithm F as additional help

We say that a joint view is ambiguous with resp ect to F if it has bothafeasible

opening and a feasible opening wrt F

The unambiguity requirement asserts that for al l but a negligible fraction of the coin

tosses of the receiver it is infeasible for the sender to interact with the receiver so that

the resulting joint view is ambiguous with respect to some probabilistic polynomialtime

algorithm F Namely for every probabilistic polynomial time interactive machine S

probabilistic polynomialtime algorithm F polynomial p and al l suciently large

ntheprobability that the joint view of the interaction between R and with S on

common input is ambiguous with respect to F isatmostpn

In the formulation of the unambiguity requirement S describ es the cheating sender

strategy in the commit phase whereas F describ es its strategy in the reveal phase Hence

it is justied and in fact necessary to pass the senders view of the interaction b etween S

and R to algorithm F The unambiguity requirement asserts that any ecient strategy S

will fail to pro duce a jointviewofinteraction which can b e latter eciently op ened in two

dierentways supp orting two dierentvalues As usual events o ccurring with negligible

probability are ignored

As in Denition the secrecy requirement refers explicitly to the situation at the

end of the commit phase whereas the unambiguity requirement implicitly assumes that the

reveal phase takes the following form

the sender sends to the receiver its initial private input v and the random coins s

it has used in the commit phase

the receiver veries that v and s together with the coins r usedby R in the commit

phase indeed yield the messages that R has received in the commit phase Verication

is done in p olynomialtime by running the programs S and R

Construction based on oneway p ermutations

Perfect commitmentschemes can b e constructed using anyoneway p ermutation The

known scheme however involve a linear in the security parameter numb er of rounds

Hence it can b e used for the purp oses of the current section but not for the construction in Section

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

Construction p erfect bit commitment Let f bea permutation and bx y denote

the innerproduct mod ofx and y ie bx y x y mo d

i i

commit phase using security parameter n

The receiver randomly selects n linearly indepndent vectors r r

n n

f g The sender uniformly selects s f g and computes y f sSo

far no message is exchangedbetween the parties

The parties proceedin n rounds In the i round i n the receiver

def

i i i

sends r to the sender which replies by computing and sending c by r

i i

Atthispoint thereare exactly two solutions to the equations by r c

i n Dene j if y is the lexicographical ly rst solution among the

two and j otherwise Tocommit to a value v f g the sender sends

def

c j v to the receiver

reveal phase In the reveal phase the sender reveals the string s used in the commit

i i

phase The receiver accepts the value v if f sy by r c for al l i n

and y is the lexicographical ly rst solution to these n equations i c v

Prop osition Suppose that f is a oneway permutation Then the protocol presented

in Construction constitutes a perfect bit commitment scheme

It is quite easy to see that Construction satises the secrecy condition The pro of

that the unambiguity requirement is satised is quite complex and is omitted for space

considerations

Construction based on clawfree collections

Perfect commitmentschemes of constantnumb er of rounds can b e constructed using

a strong intractability assumption sp ecically the existence of clawfree collections see

Subsection This assumption implies the existence of oneway functions but it is not

known whether the converse is true Nevertheless clawfree collections can b e constructed

under widely b elieved assumptions suchastheintractability of factoring and DLP Actually

the construction of p erfect commitmentschemes presented b elow uses a clawfree collection

with an additional prop erty sp ecically it is assume that the set of indices of the collection

ie the range of algorithm I can b e eciently recognized ie is in BP P We remark that

such collections do exist under the assumption that DLP is intractable see Subsection

Construction p erfect bit commitment Let I D F be a triplet of ecient algo rithms

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

COMPUTATIONALLYSOUND PROOFS ARGUMENTS

commit phase Toreceive a commitment to a bit using security parameter n the

receiver randomly generates i I and sends it to the sender Tocommit to value

v f g upon receiving the message i from the receiver the sender checks if indeed

i is in the range of I and if so the sender randomly generates s D icomputes

c F v i s and sends c to the receiver In case i is not in the range of I the

sender aborts the protocol announcing that the receiver is cheating

reveal phase In the reveal phase the sender reveals the string s used in the commit

phase The receiver accepts the value v if F v i s c where i c is the receivers

partial view of the commit phase

Prop osition Let I D F be a clawfreecol lection with a probabilistic polynomial

time recognizable set of indices ie range of algorithm I Then the protocol presentedin

Construction constitutes a perfect bit commitment scheme

Pro of The secrecy requirementfollows directly from Prop erty of a clawfree collection

combined with the test i I conducted by the sender The unambiguity requirement

follows from Prop erty of a clawfree collection using a standard reducibili ty argument

We remark that the Factoring Clawfree Collection presented in Subsection can

b e used to construct a p erfect commitmentscheme although this collection is not known to

have an eciently recognizable index set Hence p erfect commitmentschemes exists also

under the assumption that factoring Blum integers is intractable Lo osely sp eaking this

is done by letting the receiver prove to the sender in zeroknowledge that the selected

index N satises the secrecy requirement What is actually b eing proven is that half of

the square ro ots of each quadratic residue mo d N have Jacobi symb ol relativetoN

A zeroknowledge pro of system of this claim do es exist without assuming anything We

remark that the idea just presented can b e describ ed as replacing the requirement that

the index set is eciently recognizable by a zeroknowledge pro of that a string is indeed a

legitimate index

CommitmentSchemes with a p osteriori secrecy

We conclude the discussion of p erfect commitmentschemes byintro ducing a relaxation

of the secrecy requirement The resulting scheme cannot b e used for the purp oses of the

current section yet it is useful in dierent settings The advantage in the relaxation is that

it allows to construct commitmentschemes using anyclawfree collection thus waiving the

additional requirement that the index set is eciently recognizable

Lo osely sp eaking we relax the secrecy requirement of p erfect commitmentschemes by

requiring that it only holds whenever the receiver follows it prescrib ed program denoted

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

R This seems strange since we dont really want to assume that the real receiver follows

the prescrib ed program but rather allowittobehave arbitrarily The p oint is that a real

receiver may disclose the coin tosses used by it in the commit phase in a later stage say

even after the reveal phase and by doing so a p osteriori prove that at least in some weak

sense it was following the prescrib ed program Actually the receiver only proves that he

b ehaved in a manner which is consistent with its program

Denition commitmentscheme with p erfect a p osteriori secrecyAbit commitment

scheme with p erfect a p osteriori secrecy is dened as in Denition except that the

secrecy requirement is replaced by the fol lowing a p osteriori secrecy requirementFor every

polyn n n

string r f g it holds that hS R i and hS R i are statistical ly close

r r

where R denotes the execution of the interactive machine R when using internal coin tosses

Prop osition Let I D F be a clawfreecol lection Consider a modication of Con

struction in which the senders check of whether i is in the range of I is omitted

from the commit phase Then the resulting protocol constitutes a bit commitment scheme

with perfectaposteriori secrecy

In contrast to Prop osition here the clawfree collection may not have an eciently

recognizable index set Hence the veriers checkmust have b een omitted Yet the receiver

can later prove that the message sentby it during the commit phase ie i is indeed a valid

index by disclosing the random coins it has used in order to generate i using algorithm I

Pro of The a p osteriori secrecy requirement follows directly from Prop erty of a clawfree

collection combined with the assumption that i in indeed a valid index The unambiguity

requirementfollows as in Prop osition

Atypical application of commitmentscheme with p erfect a p osteriori secrecy is pre

sented in Section In that setting the commitmentscheme is used inside an interactive

pro of with the verier playing the role of the sender and the prover playing the role of

the receiver If the verier a p osteriori learns that the prover has b een cheating then the

verier rejects the input Hence no damage is caused in this case by the fact that the

secrecy of the veriers commitments mighthave b een breached

Nonuniform computational unambiguity

Actually for the applications to pro ofargument systems b oth the one b elow and the

one in Section we need commitmentschemes with p erfect secrecy and nonuniform

computational unambiguity The reasons for this need are analogous to the case of the

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

COMPUTATIONALLYSOUND PROOFS ARGUMENTS

zeroknowledge pro of for NP presented in Section By nonuniform computational

unambiguitywe mean that the unambiguity condition should hold also for nonuniform

families of p olynomialsize circuits We stress that all the constructions of p erfect com

mitmentschemes p ossess the nonuniform computational unambiguityprovided that the

underlying clawfree collections foil also nonuniform p olynomialsize clawforming circuits

In order to prevent the terms of b ecoming to o cumbersome we omit the phrase nonuni

form when referring to the p erfect commitmentschemes in the description of the two

applications

Perfect ZeroKnowledge Arguments for NP

Having p erfect commitmentscheme at our disp osal we can construct p erfect zeroknowledge

arguments for NPby mo difying the construction of computational zeroknowledge pro ofs

for NP in a totally syntactic manner We recall that in these pro of systems eg Con

struction for Graph Colorability the prover uses a commitmentscheme in order to

commit itself to manyvalues part of them it later reveals up on the veriers request All

that is needed is to replace the commitmentscheme used by the prover by a p erfect commit

mentscheme We claim that the resulting proto col is a p erfect zeroknowledge argument

computationally sound pro of for the original language For sake of concreteness we prove

Prop osition Consider a modication of Construction so that the commitment

scheme usedbytheprover is replacedbya perfect commitment scheme Then the resulting

protocol is a perfect zeroknow ledge weak argument for Graph Colorability

By a weak argumentwe mean a proto col in whichthegapbetween the completeness and the

computational soundness condition is nonnegligible In our case the verier always accepts

inputs in GC whereas no ecient prover can fo ol him into accepting graphs G V E not

in GC with probability greater than We remind the reader that by p olynomially

jE j

many rep etitions the error probability can b e made negligible

Pro of Sketch We start byproving that the resulting proto col is p erfect zeroknowledge

for GC We use the same simulator as in the pro of of Prop osition However this

time analyzing the prop erties of the simulator is much easier since the commitments are

distributed indep endently of the committed values and consequently the verier acts in

total oblivion of the values It follows that the simulator outputs a transcript with proba

and for similar reasons this transcript is distributed identically to the real bility exactly

interaction The p erfect zeroknowledge prop erty follows

The completeness condition is obvious as in the pro of of Prop osition It is left to

prove that the proto col satises the computational soundness requirement This is indeed

the more subtle part of the current pro of in contrast to the pro of of Prop osition in

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

whichproving soundness is quite easy We use a reducibility argument to show that a

provers abilitytocheat with to o high probability on inputs not in GC translates to an

algorithm contradicting the unambiguity of the commitmentscheme Details follows

We assume to the contradiction that there exists a p olynomialtime cheating prover

P and an innite sequence integers so that for eachinteger n there exists graphs G

V E GC and a string y so that P y leads the verier to accept G with probabil

n n n n n

def

ity Letk jV jLetc c b e the sequence of commitments to the vertices

n k

jE j

colors sentby the prover in step P Recall that in the next step the verier sends a

uniformly chosen edge of E and the prover must answer byrevealing dierent colors for

its endp oint otherwise the verier rejects A straightforward calculation shows that since

G is not colorable there must exist a vertex for which the prover is able to reveal at

least two dierent colors Hence we can construct a p olynomialsize circuit incorp orating

P G and y that violates the nonuniform unambiguity condition Contradiction to

n n

the hyp othesis of the prop osition follows and this completes the pro of

Combining Prop ositions and weget

Corollary If nonuniformly oneway permutations exist then every language in NP

has a perfect zeroknow ledge argument

Concluding Remarks

Prop ositions and exhibit a kind of a tradeo b etween the strength of the soundness

and zeroknowledge prop erties The proto col of Prop osition oers computational zero

knowledge and p erfect soundness whereas the proto col of Prop osition oers p erfect

zeroknowledge and computational soundness However one should note that the two results

are not obtained under the same assumptions The conclusion of Prop osition is valid

as long as any oneway functions exist whereas the conclusion of Prop osition requires

a probably much stronger assumption Yet one may ask which of the two proto cols

should we prefer assuming that they areboth valid The answer dep ends on the setting

ie application in which the proto col is to b e used In particular one should consider the

following issues

The relative imp ortance attributed to soundness and zeroknowledge in the sp ecic

application In case of clear priori to one of the two prop erties a choice should b e

made accordingly

The computational resources of the various users in the application One of the users

maybeknown to b e in p ossession of much more substantial computing resources and

it may b e reasonable to require that heshe should not b e able to cheat even not in an information theoretic sense

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

COMPUTATIONALLYSOUND PROOFS ARGUMENTS

The soundness requirement refers only to the duration of the execution whereas in

many applications zeroknowledge may b e of concern also for a long time afterwards

If this is the case then p erfect zeroknowledge arguments do oer a clear advantage

over zeroknowledge pro ofs

ZeroKnowledge Arguments of Polylogarithmic Eciency

A dramatic improvement in the eciency of zeroknowledge arguments for NP can b e

obtained by combining ideas from Chapter missingsignsec and a result describ ed

in Section missingeffpcpsec In particular assuming the existence of very strong

collisionfree hashing functions one can construct a computationallysound zeroknowledge

pro of for any language in NP which uses only p olylogarithmic amount of communication

and randomness The interesting p oint in the ab ove statement is the mere existence of such

extremely ecient argument let alone their zeroknowledge prop erty Hence we refrain

ourselves to describing the ideas involved in constructing such arguments and do not address

the issue of making them zeroknowledge

By Theorem missingnppcpthmevery NP language L can b e reduced to SAT

so that nonmemb ers of L are mapp ed into CNF formulae for whichevery truth assignment

satises at most an fraction of the clauses where is a universal constant Let

us denote this reduction by f Now in order to prove that x L it suces to prove that

the formula f x is satisable This can b e done by supplying a satisfying assignmentfor

f x The interesting p ointisthattheverier need not check that all clauses of f xare

satised by the given assignment Instead it may uniformly select only p olylogarithmically

many clauses and check that the assignment satises all of them If x L and the prover

supplies a satisfying assignmenttof x then the verier will always accept Yet if x L

then no assignment satises more than a fraction of the clauses and consequently

a uniformly chosen clause is not satised with probability at least Hence checking

sup erlogarithmically many clauses will do

The ab ove paragraph explains why the randomness complexity is p olylogarithmic but

it do es not explain why the same holds for the communication complexityFor this end

we need an additional idea The idea is to use a sp ecial commitmentscheme which allows

to commit to a string of length n so that the commitment phase takes p olylogarithmic

communication and individual bits of this string can b e revealed and veried correct at

p olylogarithmic communication cost For constructing such a commitmentscheme we use a

col lisionfree hashing function The function maps strings of some length to strings of half

the length so that it is hard to nd two strings which are mapp ed by the function to the

same image

Let n denote the length of the input string to which the sender wishes to commit itself

and let k b e a parameter which is later set to b e p olylogarithmic in n Denote by H a

collisionfree hashing function mapping strings of length k into strings of length k The

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

def

sender partitions its input string into m consequtive blo cks each of length k Next the

sender constructs a binary tree of depth log m placing the m blo cks in the corresp onding

leaves of the tree In eachinternal no de the sender places the hash value obtained by

applying the function H to the contents of the children of this no de The only message

sent in the commit phase is the contents of the ro ot sentby the sender to the receiver

By doing so unless the sender can form col lisions under H the sender has committed

itself to some nbit long string When the receiver wishes to get the value of a sp ecic bit

in the string the sender reveals to the receiver the contents of both children of eachnode

along the path from the ro ot to the corresp onding leaf The receiver checks that the values

supplied for each no de along the path match the value obtained by applying H to the

values supplied for the twochildren

The proto col for arguing that x L consists of the prover committing itself to a sat

isfying assignmentforf x using the ab ovescheme and the verier checking individual

clauses by asking the prover to reveal the values assigned to the variables in these clauses

The proto col can b e shown to b e computationallysound provided that it is infeasible to

nd a pair f g so that H H Sp ecicall ywe need to assume that

forming collisions under H is not p ossible in sub exp onential time namely that for some

k k

forming collisions with probability greater than must take at least time In

and get a computationallysound pro of of communication such a case we set k log n

log n

complexity O m k p olylog n Weaker lower b ounds for the collisionforming task

may still yield meaningful results by an appropriate setting of the parameter k We stress

that collisions can always b e formed in time and hence the entire approach fails if the

prover is not computationally b ounded and consequently we cannot get p erfectlysound

pro of systems this way Furthermore byasimulation argument one may show that only

p olylog

languages in Dtime have pro of systems with p olylogarithmic communication and

randomness complexity

Constant Round ZeroKnowledge Pro ofs

In this section we consider the problem of constructing constantround zeroknowledge pro of

systems with negligible error probability for all languages in NPTomake the rest of the

discussion less cumbersome we dene a pro of system to b e roundecient if it is b oth

constantround and with negligible error probability

Wepresenttwo approaches to the construction of roundecient zeroknowledge pro ofs

for NP

Basing the construction of roundecient zeroknowledge pro of systems on commit

mentschemes with p erfect secrecy see Subsection

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTANT ROUND ZEROKNOWLEDGE PROOFS

Constructing roundecient zeroknowledge computational lysound pro of systems

see Section instead of roundecient zeroknowledge pro of systems

The advantage of the second approach is that roundecient zeroknowledge computationally

sound pro of systems for NP can b e constructed using any oneway function whereas it is

not known whether roundecient zeroknowledge pro of systems for NP can b e constructed

under the same general assumption In particular we only knowhow to construct p erfect

commitmentschemes by using much stronger assumptions eg the existence of clawfree

p ermutations

Both approaches have one fundamental idea in common We start with an abstract

exp osition of this common idea Recall that the basic zeroknowledge pro of for Graph

Colorability presented in Construction consists of a constantnumb er of rounds

However this pro of system has a nonnegligible error probability in fact the error proba

bilityisvery close to In Section it was suggested to reduce the error probability

to a negligible one by sequentially applying the pro of system suciently many times The

problem is that this yields a pro of system with a nonconstantnumb er of rounds A natural

suggestion is to p erform the rep etitions of the basic pro of in parallel instead of sequentially

The problem with this solution is that it is not known whether that the resulting pro of

system is zeroknowledge

Furthermore it is known that it is not p ossible to present as done in the pro of

of Prop osition a single simulator which uses every p ossible verierasa

blackbox see Section The source of trouble is that when playing many

versions of Construction in parallel a cheating verier may select the edge

to b e insp ected ie step V in eachversion dep ending on the commitments

sentinallversions ie in step P Suchbehaviour of the verier defeats a

simulator analogous to the one presented in the pro of of Prop osition

The waytoovercome this diculty is to switch the order of steps P and V But

switching the order of these steps enables the prover to cheat by sending commitments

in which only the query edges are colored correctly Hence a more rened approach

is required The verier starts by committing itself to one edgequery for eachversion

of Construction then the prover commits itself to the coloring in eachversion and

only then the verier reveals its queries and the rest of the pro of pro ceeds as b efore The

commitmentscheme used by the verier should prevent the prover from predicting the

sequence of edges committed to by the verier This is the p ointwere the two approaches

dier

The rst approach utilizes for this purp ose a commitmentscheme with p erfect secrecy

The problem with this approach is that suchschemes are known to exists only under

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

stronger assumption than merely the existence of oneway function Yet suchschemes

do exists under assumptions such as the intractability of factoring integers of sp ecial

form or the intractability of the discrete logarithm problem

The second approach b ounds the computational resources of prosp ectivecheating

provers Consequently it suces to utilize against these provers as commitment

receivers commitmentschemes with computational securityWe remark that this

approach utilizes for the commitments done by the prover a commitmentscheme

with an extra prop erty Yet suchschemes can b e constructed using any oneway

function

We remark that b oth approaches lead to proto cols that are zeroknowledge in a lib eral sense

ie using exp ected p olynomialtime simulators

Using commitmentschemes with p erfect secrecy

For sake of clarity let us start by presenting a detailed description of the constantround

interactive pro of for Graph Colorability ie GC sketched ab ove This interactive

pro of employs two dierent commitmentschemes The rst scheme is the simple commit

mentscheme with computational secrecy presented in Construction We denote

by C the commitment of the sender using coins s to the ternary value The second

commitmentscheme is a commitmentscheme with p erfect secrecy see Section For

simplicitywe assume that this scheme has a commit phase in which the receiver sends one

message to the sender which then replies with a single message eg the schemes presented

in Section Let us denote by P the commitment of the sender to string upon

receiving message m from the receiver and when using coins s

Construction A roundecient zeroknowledge pro of for GC

def def

Common Input A simple colorable graph G V ELet n jV j t n jE j

and V fng

Auxiliary Input to the Prover Acoloring of G denoted

Provers preliminary step P The prover invokes the commit phase of the perfect

commit scheme which results in sending to the verier a message m

Veriers preliminary step V The verier uniformly and independently selects a

def

sequenceof t edges E u v u v E and sends the prover a random

t t

s f g and commitment to these edges Namely the verier uniformly selects

sends P E to the prover

s m

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTANT ROUND ZEROKNOWLEDGE PROOFS

Motivating Remark At this point the verier is committedtoasequenceof t edges

This commitment is of perfect secrecy

Provers step P The prover uniformly and independently selects t permutations

def

overf g and sets v v foreach v V and j t

t j j

The prover uses the computational commitment scheme to commit itself to colors of

each of the vertices according to each coloring Namely the prover uniformly and

independently selects s s f g computes c C iforeach i V

nt ij s j

and j t and sends c c to the verier

E u v u v to the Veriers step V The verier reveals the sequence

t t

prover Namely the verier send s E to the prover

Motivating Remark Atthispoint the entirecommitment of the verier is revealed

The verier now expects to receive for each j the colors assignedbythe j coloring

to vertices u and v the endpoints of the j edge in E

j j

Provers step P The prover checks that the message just receivedfrom the veri

erisindeed a valid revealing of the commitment made by the verier at step V

Otherwise the prover halts immediately Let us denote the sequenceof t edges just

revealed by u v u v The prover uses the reveal phase of the computational

t t

commitment scheme in order to reveal for each j the j coloring of vertices u and

v to the verier Namely the prover sends to the verier the sequence of quadruples

s u s v s u s v

u v u t t t v t t t

t t

Veriers step V The verier checks whether for each j the values in the j

quadruple constitute a correct revealing of the commitments c and c and whether

u j v j

j j

the corresponding values aredierent Namely upon receiving s s through

the verier checks whether for each j it holds that c C s s

t u j s j t t

j j

c C and and both areinf g If al l conditions hold then the

v j j j j

verier accepts Otherwise it rejects

We rst assert that Construction is indeed an interactive pro of for GC Clearly

the verier always accepts a common input in GC Supp ose that the common input graph

G V E is not in GC Clearlyeach of the committed colorings sentby the prover

in step P contains at least one illegallycol ored edge Using the p erfect secrecy of the

commitments sentby the verier in step V we deduce that at step P the prover has

no idea which edges the verier asks to see ie as far as the information available to the

prover is concerned each p ossibility is equally likely Hence although the prover sends the

coloring commitment after receiving the edge commitment the probability that all the

committed edges have legally committed coloring is at most

n n

jE j

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

Wenow turn to show that Construction is indeed zeroknowledge in the lib eral

sense allowing expected p olynomialtime simulators For every probabilistic exp ected

p olynomialtime interactivemachine V weintro duce an exp ected p olynomialtime simu

lator denoted M The simulator starts by selecting and xing a random tap e r for V

Given the input graph G and the random tap e r the commitment message of the verier

V is determined Hence M invokes V oninputG and random tap e r and gets the

corresp onding commitment message denoted CM The simulator pro ceeds in two steps

S Extracting the query edges M generates a sequence of n t random commitments

to dummyvalues eg all values equal and feeds it to V IncaseV replies by

revealing correctly a sequence of t edges denoted u v u v the simulator

t t

records these edges and pro ceed to the next step In case the reply of V is not a

valid revealing of the commitmentmessageCM the simulator halts outputting the

current view of V eg G r and the commitments to dummyvalues

S Generating an interaction that satises the query edges oversimplied exp osition Let

u v u v denote the sequence of edges recorded in step S M generates

t t

a sequence of n t commitments c c so that for each j t it holds that

c and c are random commitments to two dierent random values in f g and

u j v j

j j

all the other c s are random commitments to dummyvalues eg all values equal

The underlying values are called a pseudocolorings The simulator feeds this sequence

of commitments to V If V replies by revealing correctly the ab ove recorded

sequence of edges then M can complete the simulation of a real interaction of

V byrevealing the colors of the endp oints of these recorded edges Otherwise the

entire step is rep eated until success o ccurs

In the rest of the description we ignore the p ossibility that when invoked in steps S

and S the verier reveals two dierent edge commitments Lo osely sp eaking this prac

tice is justied by the fact that during exp ected p olynomialtime computations suchevent

can o ccur only with negligible probability since otherwise it contradicts the computational

unambiguity of the commitmentscheme used by the verier

To illustrate the b ehaviour of the simulator assume that the program V always reveals

correctly the commitment done in step V In such a case the simulator will nd out

the query edges in step S and using them in step S it will simulate the interaction of

V with the real prover Using ideas as in Section one can show that the simulation is

computational indistinguishable from the real interaction Note that in this case step S

of the simulator is p erformed only once

Consider now a more complex case in which on each p ossible sequence of internal

coin tosses r program V correctly reveals the commitment done in step V only with

probability The probability in this statementistaken over all p ossible commitments

generated to the dummyvalues in the simulator step S We rst observe that the

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTANT ROUND ZEROKNOWLEDGE PROOFS

probability that V correctly reveals the commitment done in step V after receiving

a random commitment to a sequence of pseudocolorings generated by the simulator in

step S is approximately Otherwise wederive a contradiction to the computational

secrecy of the commitmentscheme used by the prover Hence the simulator reaches step

S with probability and each execution of step S is completed successfully with

probability p It follows that the exp ected numb er of times that step S is invoked

when running the simulator is

Let us now consider the general case Let q G r denote the probability that on in

put graph G and random tap e r after receiving random commitments to dummy values

correctly reveals the commitment done in step V generated in step S program V

Likewise wedenoteby pG r the probability that on input graph G and random tap e r

after receiving a random commitment to a sequence of pseudocolorings generated bythe

simulator in step S program V correctly reveals the commitment done in step V

As b efore the dierence b etween q G r and pG r is negligible in terms of the size of the

graph G otherwise one derives contradiction to the computational secrecy of the provers

commitmentscheme We conclude that the simulator reaches step S with probability

def

q q G r and each execution of step S is completed successfully with probability

def

p pG r It follows that the exp ected numb er of times that step S is invoked when

Here are the bad news we cannot guarantee that is approxi running the simulator is q

p p

n n

mately or even b ounded by a p olynomial in the input size eg let p and q

then the dierence b etween them is negligible and yet is not b ounded bypolyn This

is why the ab ove description of the simulator is oversimplied and a mo dication is indeed

required

Wemake the simulator exp ected p olynomialtime by mo difying step S as follows

We add an intermediate step S to b e p erformed only if the simulator did not halt

in step S The purp ose of step S is to provide a go o d estimate of q G r The

estimate is computed by rep eating step S until a xed p olynomial in jGjnumber of

correct V reveals are encountered ie the estimate will b e the ratio of the number of

successes divided by the numb er of trial By xing a suciently large p olynomial we can

polyjGj

guarantee that with overwhelmingly high probability ie the estimate is

within a constant factor of q G r It is easily veried that the estimate can b e computed

within exp ected time p oly jGjq G r Step S of the simulator is mo died by adding

a b ound on the numb er of times it is p erformed and if none of these executions yield a

correct V reveal then the simulator outputs a special empty interaction Sp ecicall y step

q where q is the estimate to q G r computed in S will b e p erformed at most p oly jGj

step S It follows that the mo died simulator has exp ected running time b ounded by

polyjGj

p oly jGj q G r

q Gr

It is left to analyze the output distribution of the mo died simulator We refrain our

selves to reducing this analysis to the analysis of the output of the original simulator by

b ounding the probability that the mo died simulator outputs a sp ecial emptyinteraction

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

This probability is b ounded by

def

polyjGjq Gr

G r q G r q G r pG r

p olyjGjq Gr

q G r pG r

We claim that G r is a negligible function of jGj Assume to the contrary that there

exists a p olynomial P an innite sequence of graphs fG g and an innite sequence of

random tap es fr gsuch that G r P n It follows that for each such n wehave

n n n

q G r P n We consider two cases

n n

Case For innitely many ns it holds that pG r q G r In such a case we

n n n n

get for these ns

polyjG jq G r

n n n

G r pG r

n n n n

polyjG jq G r

n n n

q G r

n n

p olyjG j

whichcontradicts our hyp othesis that G r p oly n

n n

Case For innitely many ns it holds that pG r qG r It follows that for

n n n n

these ns wehave jq G r pG r j Pn which leads to contradiction of

n n n n

the computational secrecy of the commitmentscheme used by the prover

Hence contradiction follows in b oth cases

We remark that one can mo dify Construction so that weaker forms of p erfect

commitmentschemes can b e used We refer sp ecically to commitmentschemes with p erfect

a p osteriori secrecy see Subsection In suchschemes the secrecy is only established

a p osteriori by the receiver which discloses the coin tosses it has used in the commit phase

In our case the prover plays the role of the receiver and the verier plays the role of the

sender It suces to establish the secrecy prop erty a p osteriori since in case secrecy is not

establish the verier may reject In such a case no harm has b een caused since the secrecy

of the p erfect commitmentscheme is used only to establish the soundness of the interactive

pro of

Bounding the p ower of cheating provers

Construction can b e mo died to yield a zeroknowledge computationally sound pro of

under the more general assumption that oneway functions exist In the mo died pro

to col we let the verier use a commitmentscheme with computational secrecy instead of

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTANT ROUND ZEROKNOWLEDGE PROOFS

the commitmentscheme with p erfect secrecy used in Construction Hence b oth users

commit to their messages using commitmentscheme with computational secrecy Fur

thermore the commitmentscheme used by the prover must have the extra prop erty that

it is infeasible to construct a commitment without knowing to what value it commits

Such a commitmentscheme is called nonobliviousWe start by dening and constructing

nonoblivious commitmentschemes

Nonoblivious commitmentschemes

The nonobliviousness of a commitmentscheme is intimately related to the denition of

pro of of knowledge see Section

Denition nonoblivious commitmentschemesLet S R bea commitment scheme

as in Denition We say that the commitment scheme is nonoblivious if the prescribed

receiver Rconstitutes a know ledgeverier that is always convincedby S for the relation

S s

m s m view g f r

R r

S s

where as in Denition view denotes the messages received by the interactive

R r

machine R on input and localcoins r when interactive with machine S that has input

and uses coins s

It follows that the receiver prescrib ed program Rmay accept or rejects at the end of the

commit phase and that this decision is supp osed to reect the senders ability to later come

up with a legal op ening of the commitment ie successfully complete the reveal phase We

stress that nonobliviousness relates mainly to cheating senders since the prescrib ed sender

has no diculty to later successfully complete the reveal phase and in fact during the

commit phase S always convinces the receiver of this ability Hence any sender program

not merely the prescrib ed S can b e mo died so that at the end of the commit phase it

lo cally outputs information enabling the reveal phase ie and s The mo died sender

runs in exp ected time that is inversely prop ortional to the probability that the commit

phase is completed successfully

We remark that in an ordinary commitmentscheme at the end of the commit phase

the receiver do es not necessarily know whether the sender can later successfully conduct

the reveal phase For example a cheating sender in Construction can undetectedly

p erform the commit phase without ability to later successfully p erform the reveal phase

eg the sender may just send a uniformly chosen string It is only guaranteed that if

the sender follows the prescrib ed program then the sender can always succeed in the reveal

phase Furthermore with resp ect to the scheme presented in Construction a cheating

sender can undetectedly p erform the commit phase in a way that it generates a receiver

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

view whichdoesnothaveany corresp onding legal op ening and hence the reveal phase is

do omed to fail See Exercise

Nevertheless

Theorem If oneway functions exist then there exist nonoblivious commitment schemes

with constant number of communication rounds

We recall that ordinary commitmentschemes can b e constructed assuming the ex

istence of oneway functions see Prop osition and Theorem Consider the re

lation corresp onding to suchascheme Using zeroknowledge pro ofs of knowledge see

Section for the ab ove relation we get a nonoblivious commitmentscheme Were

mark that such pro ofs do exist under the same assumptions However the resulting com

mitmentscheme has unb ounded numb er of rounds due to the round complexityofthe

zeroknowledge pro of Weseemtohavereached a vicious circle yetthereisaway out

We can use constantround witness indistinguishabl e pro ofs see Section instead of

the zeroknowledge pro ofs The resulting commitmentscheme has the additional prop

erty that when applied p olynomially many times in parallel the secrecy prop erty holds

simultaneously in all copies This fact follows from the Parallel Comp osition Lemma for

witness indistinguishable pro ofs see Section The simultaneous secrecy of many copies

is crucial to the following application

Mo difying Construction

We recall that we are referring to a mo dication of Construction in which the verier

uses a commitmentscheme with computational secrecy instead of the commitmentscheme

with p erfect secrecy used in Construction In addition the commitmentscheme used

by the prover is nonoblivious

We conclude this section by remarking on how to adopt the argument of the rst ap

proach ie of Subsection to suit our currentneedsWe start with the claim that the

mo died proto col is a computationallysound pro of for GC Verifying that the mo died

proto col satises the completeness condition is easy as usual We remark that the mo died

proto col do es not satisfy the usual soundness condition eg a prover of exp onential

computing p ower can break the veriers commitment and generate pseudocolorings that

will later fo ol the verier into accepting Nevertheless we can show that the mo died

proto col do es satisfy the computational soundness of Denition Namelywe show

that for every p olynomial p every p olynomialtime interactivemachine B and for all

suciently large graph G GC and every y and z

Prob hB y V z ix

pjxj

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

NONINTERACTIVE ZEROKNOWLEDGE PROOFS

where V is the verier program in the mo died proto col

Using the information theoretic unambiguity of the commitmentscheme employed by

the prover we can talk of a unique color assignment which is induced by the provers

commitments Using the fact that this commitmentscheme is nonoblivious it follows that

the prover can b e mo died so that in step P it outputs the values to which it commits

itself at this step We can now use the computational secrecy of the veriers commitment

scheme to show that the color assignment generated by the prover is almost indep endent

of the veriers commitment Hence the probability that the prover can fo ol the verier

to accept an input not in the language is nonnegligibly greater than what it would have

b een if the verier asked random queries after the prover makes its color commitments

The computational soundness of the mo died proto col follows Weremarkthatwe do not

know whether the proto col is computationally sound in case the prover uses a commitment

scheme that is not guaranteed to b e nonoblivious

Showing that the mo died proto col is zeroknowledge is even easier than it was in

the rst approach ie in Subsection The reason b eing that when demonstrating

zeroknowledge of such proto cols we use the secrecy of the provers commitmentscheme and

the unambiguity of the veriers commitmentscheme Hence only these prop erties of the

commitmentschemes are relevant to the zeroknowledge prop erty of the proto cols Yet the

current mo died proto col uses commitmentschemes with relevant prop erties which are not

weaker than the ones of the corresp onding commitmentschemes used in Construction

Sp ecically the provers commitmentscheme in the mo died proto col p ossess computation

ally secrecy just like the provers commitmentscheme in Construction Westressthat

this commitment like the simpler commitment used for the prover in Construction has

the simultaneous secrecy of many copies prop ertyFurthermore the veriers commitment

scheme in the mo died proto col p ossess information theoretic unambiguity whereas the

veriers commitmentscheme in Construction is merely computationally unambiguous

NonInteractive ZeroKnowledge Pro ofs

Authors Note Indeed this section is missing

Denition

Construction

MultiProver ZeroKnowledge Pro ofs

In this section we consider an extension of the notion of an interactive pro of system Sp ecif

icallywe consider the interaction of a verier with several saytwo provers The provers

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

may share an apriori selected strategy but it is assumed that they cannot interact with

each other during the time p erio d in which they interact with the verier Intuitivelythe

provers can co ordinate their strategies prior to but not during their interrogation bythe

verier

The notion of multiprover interactive pro of plays a fundamental role in complexity the

ory This asp ect is not addressed here but rather p ostp oned to Section missingeffpcpsec

In the current section we merely address the zeroknowledge asp ects of multipartyinterac

tive pro ofs Most imp ortantlythemultiprover mo del enables the construction of p erfect

zeroknowledge pro of systems for NP independent of any complexity theoretic or other

assumptionsFurthermore these pro of systems can b e extremely ecient Sp ecicallythe

online computations of all parties can b e p erformed in p olylogarithmic time on a RAM

Denitions

For sake of simplicitywe consider the twoprover mo del We remark that more provers do

not oer anyessential advantages and sp ecically none that interest us in this section

Lo osely sp eaking a twoprover interactive pro of system is a three party proto col where two

parties are provers and the additional partyisa verier The only interaction allowed in

this mo del is b etween the verier and each of the provers In particular a prover do es not

know the contents of the messages sentby the verier to the other prover The provers

do however share a random input tap e which is as in the oneprover case b eyond the

reach of the verier The twoprover setting is a sp ecial case of the twopartner model

describ ed b elow

The twopartner mo del

The twoparty mo del consists of two partners interacting with a third party called solitary

The two partners can agree on their strategies b eforehand and in particular agree on a

common uniformly chosen string Yet once the interaction with the solitary b egins the

partners can no longer exchange information The following denition of suchaninteraction

extends Denitions and

Denition twopartner mo del The twopartner mo del consists of three interactive

machines two arecal led partners and the thirdiscal led solitary which are linked and interact

as hereby specied

The inputtapes of al l threeparties coincide and its contents is cal ledthe common

input

The randomtapes of the two partners coincide and is cal ledthe partners randomtap e

The solitary has a separate randomtape

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

MULTIPROVER ZEROKNOWLEDGE PROOFS

The solitary has two pairs of communicationtapes and two switchtapes instead of a

single pair of communicationtapes and a single switchtape as in Denition

Both partners have the same identity and the solitary has an opposite identity see

Denitions and

The rst resp second switchtape of the solitary coincides with the switchtapeof

the rst resp second partner the rst resp second readonly communicationtape

of the solitary coincides with the writeonly communicationtape of the rst resp

second partner and vice versa

The joint computation of the threeparties on a common input xisasequenceof

triplets Each triplet consists of the local conguration of each of the three machines

The behaviour of each partnersolitary pair is as in the denition of the joint compu

tation of a pair of interactive machines

Notation We denote by hP P Six the output of the solitary S after interacting

with the partners P and P oncommon input x

Twoprover interactive pro ofs

Atwoprover interactive pro of system is now dened analogously to the oneprover case

see Denitions and

Denition twoprover interactive pro of system A triplet of interactive machines

P P V in the twopartner model is cal ledan pro of system for a language L if the machine

V called verier is probabilistic polynomialtime and the fol lowing two conditions hold

Completeness For every x L

Prob hP P V ix

Soundness For every x L and every pair of partners B B

Prob hB B V ix

As usual the error probability in the completeness condition can b e reduced from

polyjxj

up to by sequential ly rep eating the proto col suciently many times We stress

that error reduction via paral lel rep etitions is not known to work in general

The notion of zeroknowledge for multiprove systems remains exactly as in the one

prover case Actually the denition of p erfect zeroknowledge mayeven b e made more

strict by requiring that the simulator never fails ie never outputs the sp ecial symbol

Namely

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

Denition We say that a twoprover proof system P P V for a language L

is p erfect zeroknowledge if for every probabilistic polynomialtime interactive machine V

there exists a probabilistic polynomialtime algorithm M such that for every x L the

random variables hP P V ix and M x are identical ly distributed

Extension to the auxiliaryinput zeroknowledge mo del is straightforward

TwoSenders CommitmentSchemes

The thrust of the current section is in a metho d for constructing p erfect zeroknowledge

twoprover pro of systems for every language in NP This metho d makes essential use of a

commitmentscheme for two senders and one receiver that p osses information theoretic

secrecy and unambiguity prop erties We stress that it is imp ossible to simultaneously

achieve information theoretic secrecy and unambiguity prop erties in the single sender

mo del

A Denition

Lo osely sp eaking a twosender commitmentscheme is an ecient twophase proto col for

the twopartner mo del through which the partners called senders can commit themselves

to a value so that the following two conicting requirements are satised

SecrecyAt the end of the commit phase the solitary called receiver do es not gain

any information of the senders value

Unambiguity Supp ose that the commit phase is successfully terminated Then if later

the senders can p erform the reveal phase so that the receiver accepts the value with

probability p then they cannot p erform the reveal phase so that the receiver accepts

the value with probability substantially bigger than p Due to the secrecy

requirement and the fact that the senders are computationally unb ounded for every

p the senders can always conduct the commit phase so that they can later reveal the

value with probability p and the value with probability p

Instead of presenting a general denition we restrict our attention to the sp ecial case of

twosender commitmentschemes in which only the rst sender and the receiver takes

part in the commit phase whereas only the second sender takes part in the reveal phase

Furthermore we assume without loss of generality that in the reveal phase the second

sender sends the contents of the joint randomtap e used by the rst sender in the commit

phase to the receiver

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

MULTIPROVER ZEROKNOWLEDGE PROOFS

Denition twosender bit commitmentAtwosender bit commitment scheme is

a triplet of probabilistic polynomialtime interactive machines denoted S S R for the

twopartner model satisfying

Input Sp ecication The common input is an integer n presented in unary cal ledthe

securityparameter The two partners cal ledthe senders have an auxiliary private

input v f g

Secrecy The commitment and the commitment are identical ly distributed Namely

for every probabilistic not necessarily polynomialtime machine R interacting with

n n

the rst sender ie S the random variables hS R i and hS R i

are identical ly distributed

Unambiguity Preliminaries For simplicity v f g and n NI are implicit in al l

notations

As in Denition a receivers view of an interaction with the rst sender

mconsists of the random coins usedbythereceiver denoted r and denoted r

the sequence of messages receivedfrom the rst sender denoted m

Let f g We say that the string s is a p ossible op ening of the receivers

view r m if m describes the messages receivedby R when R uses local coins r

and interacts with machine S which uses local coins s and input

Let S be an arbitrary program for the rst sender Let p beareal and f g

We say that p is an upp er b ound on the probabilityofa op ening of the receivers

view of the interaction with S if for every random variable X which is statistical ly

independent of the receivers coin tosses the probability that X is a possible

opening of the receivers view of an interaction with S is at most p

The probabilityistaken over the coin tosses of the receiver the strategy S and

the random variable X

Let S beasabove and for each f glet p be an upper bound on the

probability of a opening of the interaction with S We say that the receivers

view of the interaction with S is unambiguous if p p

The unambiguity requirement asserts that for every program for the rst sender S

the receivers interaction with S is unambiguous

In the formulation of the unambiguity requirement the random variables X represent p os

sible strategies of the second sender These strategies may dep end on the random input

that is shared by the two senders but is indep endent of the receivers random coins since

information on these coins if at all is only sent to the rst sender Actually the highest

p ossible value of p p is attainable by deterministic strategies for b oth senders Thus

it suces to consider an arbitrary deterministic strategy S for the rst sender and a xed

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

op ening denoted s for the second sender for each f g In this case the prob

ability is taken only over the receiver coin tosses and we can strengthen the unambiguity

condition as follows

strong unambiguity condition for every deterministic strategy S and every pair

of strings s s theprobability that for b oth the string s is a

opening of the receivers view of the interaction with S is boundedabove by

In general in case the sender employ randomized strategies they determine for each p ossible

cointossing of the receiver a pair of probabilities corresp onding to their success in a

op ening and a op ening The unambiguity condition asserts that the average of these

pairs taken over all p ossible receivers coin tosses is a pair which sumsup to at most

Intuitively this means that the senders cannot do more harm than deciding at

random p ossibly based also on the receivers message to the rst sender whether to commit

to or to Both secrecy and unambiguity requirements are information theoretic in the

sense that no computational restrictions are placed on the adversarial strategies We stress

that wehave implicitly assumed that the reveal phase takes the following form

the second sender sends to the receiver the initial private input v and the random

coins susedby the rst sender in the commit phase

the receiver veries that v and s together with the private coins r used by R in the

commit phase indeed yield the messages that R has received in the commit phase

Verication is done in p olynomialtime by running the programs S and R

A Construction

By the ab ove conventions it suces to explicitly describ e the commit phase in which only

the rst sender takes part

Construction twosender bit commitment

Preliminaries Let denote two permutations over f g so that is the

identity permutation and is a permutation consisting of a single transposition say

Namely and

Common input the security parameter n in unary

A convention Suppose that the contents of the senders randomtapeencodes a uni

formly selected s s s f g

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

MULTIPROVER ZEROKNOWLEDGE PROOFS

Commit Phase

The receiver uniformly selects r r r f g and sends r to the rst

sender

def

Tocommit to a bit the rst sender computes c s mo d foreach

i r i

i and sends c c to the receiver

We remark that the second sender could have op ened the commitment either wayifhehad

known r sentby the receiver to the rst sender The p oint is that the second sender do es

r and this fact drastically limits its abilitytocheat not know

Prop osition Construction constitutes a twosender bit commitment scheme

r f g the Pro of The security prop ertyfollows by observing that for every choice of

message sentby the rst sender is uniformly distributed over f g

The unambiguity prop ertyisproven bycontradiction As a motivation we rst consider

the execution of the ab ove proto col when n equals and show that it is imp ossible for the

two senders to b e always able to op en the commitments b oth ways Consider two messages

s and s sentby the second sender in the reveal phase so that s is a p ossible

op ening and s is a p ossible op ening b oth with resp ect to the receivers view We stress

that these messages are sent obliviously of the random coins of the receiver and hence

must match all p ossible receivers views or else the op ening do es not always succeed It

follows that for each r f gboth s and s mod must t the message

r r

received by the receiver in the commit phase in resp onse to message r sentby it Hence

s s mo d holds for each r f gContradiction follows since no two

r r

s s f g can satisfy b oth s s mo d and s s

mo d The reason b eing that the rst equality implies s s mo d which

combined with the second equality yields s mod s mo d whereas

for every s f g it holds that s mod s mo d

Wenow turn to the actual pro of of the unambiguitypropertyWe rst observe that

if there exists a program S so that the receivers interaction with S is ambiguous then

there exists also such a deterministic program Actually the program is merely a function

denoted f mapping nbit long strings into sequences in f g Likewise the op ening

and op ening strategies for the second sender can b e assumed without loss of generality

to b e deterministic Consequently b oth strategies consist of constant sequences denoted

s and s and b oth can b e assumed with no loss of generality to b e in f g

For each f g let p denote the probability that the sequence s is a p ossible

op ening of the receivers view U fU where U denotes a random variable uniformly

n n n

n n

distributed over f g The contradiction hyp othesis implies that p p Put

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

n n

in other words jR j jR j where R denotes the set of all strings r f g for

s is a p ossible op ening of the receivers view r f r Namely which the sequence

s mo d g r i f r R f

i r

i i

where r r r s s s and f r f r f r We are going to refute the

n n

contradiction hyp othesis byshowing that the intersection of the sets R and R cannot

contain more than a single element

Claim Let R and R as dened ab ove Then jR R j

R R and Then there exist an i pro of Supp ose on the contrary that

such that and without loss of generality and By the denition of

i i i i

R it follows that

f s mo d

s mo d f

s f mo d

Contradiction follows as in the motivating discussion

This completes the pro of of the prop osition

We remark that Claim actually yields the strong unambiguity condition presented

in the discussion following Denition More imp ortantlywe remark that the pro of

extends easily to the case in which many instances of the proto col are executed in parallel

namely the parallel proto col constitutes a twosender multivalue ie string commitment

scheme

Authors Note The last remark should beelaborated signicantly In addition

it should bestressed that the claim holds also when the second sender is asked

to reveal only some of the commitments as long as this request is indepdendent

of the coin tosses used by the receiver during the commit phase

Perfect ZeroKnowledge for NP

Twoprover p erfect zeroknowledge pro of systems for any language in NP follow easily by

mo difying Construction The mo dication consists of replacing the bit commitment

scheme used in Construction by the twosender bit commitmentscheme of Construc

tion Sp ecically the mo died pro of system for Graph Coloring pro ceeds as follows

Twoprover atomic pro of of Graph Coloring

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

MULTIPROVER ZEROKNOWLEDGE PROOFS

The rst prover uses the provers random tap e to determine a p ermutation of the

coloring In order to commit to each of the resulting colors the rst prover invokes

the commit phase of a twosender bit commitment setting the security parameter

to b e the numberofvertices in the graph The rst prover plays the role of the rst

sender whereas the verier plays the role of the receiver

The verier uniformly selects an edge and sends it to the second prover

The second prover reveals the colors of the endp oints of the required edge by sending

the p ortions of the provers randomtap e used in the corresp onding instance of the

commit phase

Wenow remark on the prop erties of the ab ove proto col As usual one can see that

the provers can always convince the verier of valid claims ie the completeness condition

hold Using the unambiguity prop erty of the twosender commitmentscheme we can think

of the rst prover as selecting at random with arbitrary probability distribution a color

assignment to the vertices of the graph We stress that this claim holds although many

instances of the commit proto col are p erformed concurrently see remark ab ove If the

graph is not colored than each of the p ossible color assignments chosen by the rst prover

is illegal and a weak soundness prop erty follows Yet by executing the ab ove proto col

p olynomially many times even in parallel wederive a proto col satisfying the soundness re

quirement We stress that the fact that parallelism is eective here as means for decreasing

error probability follows from the unambiguity prop ertyoftwosender commitmentscheme

and not from a general parallel comp osition lemma whichisnotvalid in the twoprover

setting

Authors Note The last sentencerefers to a false claim by which the error

probability of a protocol in which a basic protocol is repeated t times in paral lel

is at most p where p is the error probability of the basic protocol Interestingly

Ran Raz has recently proven a general paral lel composition lemma of slightly

weaker form the error probability indeeddecreases exponential ly in t but the

base is indeed bigger than p

Wenow turn to the zeroknowledge asp ects of the ab ove proto col It turns out that this

part is much easier to handle than in all previous cases wehave seen In the construction

of the simulator we takeadvantage on the fact that it is playing the role of b oth provers

and hence the unambiguity of the commitmentscheme do es not apply Sp ecicallythe

simulator playing the role of b oth senders can easily op en each commitmentanywayit

wants Here wetake advantage on the sp ecic structure of the commitmentscheme of

Construction Details follow

Simulation of the atomic pro of of Graph Coloring

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

The simulator generates random commitments to nothing Namely the simulator

invokes the verier and answers its messages by uniformly chosen strings

Up on receiving the queryegde u v from the verier the simulator uniformly selects

two dierent colours and and op ens the corresp onding commitments so that

u v

to reveal this values The simulator has no diculty to do so since unlike the second

prover it knows the messages sentby the verier in the commit phase Given the

receivers view r r c c of the commit phase a op ening is computed by

n n

setting s c whereas a op ening is computed by setting s c for

i i i i

r r

i i

all i

Wenow remark that the entire argument extends trivially to the case in which p olynomially

many instances of the proto col are p erformed concurrently

Eciency improvement

A dramatic improvement in the eciency of twoprover p erfect zeroknowledge pro ofs for

NP can b e obtained by using the techniques describ ed in Section missingeffpcpsec

In particular such a pro of system with constant error probability can b e implemented in

probabilistic p olynomialtime so that the numberofbitsexchanged in the interaction is

logarithmic Furthermore the verier is only required to use logarithmically many coin

tosses The error can b e reduced to by rep eating the proto col sequentially for k times

In particular negligible error probabilityisachieved in p olylogarithmic communication com

plexityWe stress again that error reduction via parallel rep etitions is not known to work

in general and in particular is not known to work in this sp ecic case

Authors Note Again the last statement is out of date and recent results do

al low to reduce the error probability without increasing the number of rounds

Applications

Multiprover interactive pro ofs are useful only in settings in whichtheproving entity

can b e separated and its parts kept ignorant of one another during the proving pro cess

In such cases we get p erfect zeroknowledge pro ofs without having to rely on complexity

theoretic assumptions In other words general widely b elieved mathematical assumptions

are replaced byphysical assumptions concerning the sp ecic setting

A natural application is to the problem of identication and sp ecically the identi

cation of a user at some station In Section we discuss how to reduce identication to

a zeroknowledge pro of of knowledge for some NP relation The idea is to supply each

user with two smartcards implementing the two provers in a twoprover zeroknowledge

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

MISCELLANEOUS

pro of of knowledge These two smartcards have to b e inserted in two dierent slots of the

station and this guarantees that the smartcards cannot communicate one with another

The station will play the role of the verier in the zeroknowledge pro of of knowledge This

way the station is protected against imp ersonation whereas the users are protected against

pirate stations whichmay try to extract knowledge from the smartcards so to enable

imp ersonation by its agents

Miscellaneous

Historical Notes

Interactive pro of systems were intro duced by Goldwasser Micali and Racko GMR

Earlier versions of this pap er date to early Yet the pap er b eing rejected three

times from ma jor conferences has rst app eared in public only in concurrently to

the pap er of Babai B A restricted form of interactive pro ofs known by the name

Arthur Merlin Gameswas intro duced by Babai B The restricted form turned out to

b e equivalentinpower see Section missingeffipsec The interactive pro of for

Graph NonIsomorphism is due to Goldreich Micali and Wigderson GMW

The concept of zeroknowledge has b een intro duced by Goldwasser Micali and Rack

o in the same pap er quoted ab ove GMR Their pap er contained also a p erfect zero

knowledge pro of for Quadratic Non Residuousity The p erfect zeroknowledge pro of system

for Graph Isomorphism is due to Goldreich Micali and Wigderson GMW The latter

pap er is also the source to the zeroknowledge pro of systems for all languages in NP using

any nonunifomly oneway function Brassard and Crep eau have later constructed alter

native zeroknowledge pro of systems for NP using a stronger intractability assumption

sp ecically the intractability of the Quadratic Residuousity Problem

The cryptographic applications of zeroknowledge pro ofs were the very motivation for

their presentation in GMR Zeroknowledge pro ofs were applied to solve cryptographic

problems in FMRW and CFHowever many more applications were p ossible once

it was shown how to construct zeroknowledge pro of systems for every language in NP

In particular general metho dologies for the construction of cryptographic proto cols have

app eared in GMWGMW

Credits for the advanced sections

The results providing upp er b ounds on the complexity of languages with p erfect zero

knowledge pro ofs ie Theorem are from Fortnow For and Aiello and Hastad

AH The results indicating that oneway functions are necessary for nontrivial zero

knowledge are from Ostrovsky and Wigderson OWistcs The negative results con

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

cerning parallel comp osition of zeroknowledge pro of systems ie Prop osition and

Theorem are from GKrb

The notions of witness indistinguishabi l ity and witness hiding were intro duced and

develop ed byFeige and Shamir FSwitness

Authors Note FSwitness has appeared in STOC

The concept of pro ofs of knowledge originates from the pap er of Goldwasser Micali and

Racko GMR First attempts to provide a denition to this concept app ear in Fiat

Feige and Shamir FFS and Tompa and Woll TWHowever the denitions provided

in b oth FFSTW are not satisfactory The issue of dening pro ofs of knowledge has

b een extensively investigated by Bellare and Goldreich BGknow and we follow their sug

gestions The application of zeroknowledge pro ofs of knowledge to identication schemes

was discovered byFeige Fiat and Shamir FFS

Computationally sound pro of systems ie arguments were intro duced by Brassard

Chaum and Crep eau BCC Their pap er also presents p erfect zeroknowledge arguments

for NP based on the intractability of factoring Naor et al NOVY showed howto

construct p erfect zeroknowledge arguments for NP based on any oneway p ermutation and

Construction is taken from their pap er The p olylogarithmiccommunication argument

system for NP of Subsection is due to Kilian K

Authors Note NOVY has appeared in Crypto and K in STOC

Authors Note Micalis model of CSproofs was intended for the missing chap

ter on complexity theory

The roundecient zeroknowledge pro of systems for NP based on anyclawfree collec

tion is taken from Goldreich and Kahan GKa The roundecient zeroknowledge ar

guments for NP based on any oneway function uses ideas of Feige and Shamir FSconst

yet their original construction is dierent

Authors Note NIZK credits BFM and others

Multiprover interactive pro ofs were intro duced by BenOr Goldwasser Kilian and

Wigderson BGKW Their pap er also presents a p erfect zeroknowledge twoprover pro of

system for NP The p erfect zeroknowledge twoprover pro of for NP presented in Sec

tion follows their ideas but explicitly states the prop erties of the twosender commit

mentscheme in use Consequentlywe observe that this pro of system can b e applied in

parallel to decease the error probability to a negligible one

Authors Note This observation escapedFeige Lapidot and Shamir

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

MISCELLANEOUS

Suggestion for Further Reading

For further details on interactive pro of systems see Section missingeffipsec

A uniformcomplexity treatment of zeroknowledge was given by Goldreich Guniform

In particular it is shown how to use uniformly oneway functions to construct interactive

pro of systems for NP so that it is infeasible to nd instances on which the prover leaks

knowledge

Zeroknowledge pro of systems for any language in IP based on nonuniformly oneway

functions were constructed by Impagliazzo and Yung IY yet their pap er contains no

details An alternative construction is presented by BenOr et al Betal

Further reading related to the advanced sections

Additional negative results concerning zeroknowledge pro ofs of restricted typ es app ear in

Goldreich and Oren GOTheinterested reader is also directed to Boppana Hastad and

Zachos BHZ for a pro of that if every language in coNP has a constantround interactive

pro of system then the PolynomialTime Hierarchy collapses to its second level

Roundecient perfect zeroknowledge arguments for NP based on the intractabilityof

the Discrete Logarithm Problem app ears in a pap er by Brassard Crep eau and Yung BCY

A roundecient perfect zeroknowledge pro of system for Graph Isomorphism app ears in a

pap er by Bellare Micali and Ostrovsky BMO

Authors Note NIZK suggestions

An extremely ecient p erfect zeroknowledge twoprover pro of system for NP app ears

in a pap er byDwork et al DFKNS Sp ecically only logarithmic randomness and commu

nication complexities are required to get a constant error probability This result uses the

characterization of NP in terms of low complexitymultiprover interactive pro of systems

which is further discussed in Section missingeffpcpsec

The pap er by Goldwasser Micali and Racko GMR contains also a suggestion for a

general measure of knowledge revealed by a prover of which zeroknowledge is merely a

sp ecial case For further details see Goldreich and Petrank GPkc

Authors Note GPkc has appearedinFOCS See also a recent work by

Goldreich Ostrovsky and Petrank in STOC

Authors Note The discussion of know ledge complexity is better t into the

missing chapter on complexity

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

Op en Problems

Our formulations of zeroknowledge eg p erfect zeroknowledge as dened in Deni

tion is dierent from the standard denition used in the literature eg Deni

tion The standard denition refers to expected p olynomialtime machines rather

to strictly probabilistic p olynomialtime machines Clearly Denition implies De

nition see Exercise but it is op en whether the converse hold

Authors Note Base nizk and arguments on more general assumptions

Exercises

Exercise decreasing the error probability in interactive proofs

Prove Prop osition

Guideline Execute the weaker interactive pro of suciently many times using inde

p endently chosen coin tosses for each execution and rule by an appropriate threshold

Observe that the b ounds on completeness and soundness need to b e eciently com

putable Be careful when demonstrating the soundness of the resulting verier The

statement remains valid regardless of whether these rep etitions are executed sequen

tially or in parallel yet demonstrating that the soundness condition is satised is

much easier in the rst case

Exercise the roleofrandomization in interactive proofs part Prove that if L has

an interactive pro of system in which the verier is deterministic then L NP

Guideline Note that if the verier is deterministic then the entire interaction b etween

the prover and the verier is determined by the prover Hence a mo died prover

can just precompute the interaction and send it to the mo died verier as the only

message The mo died verier checks that the interaction is consistent with the

message that the original verier would havesent

Exercise the role of randomization in interactive proofs part Prove that if L has an

interactive pro of system then it has one in which the prover is deterministic Further

more prove that for every probabilistic interactivemachine V there exists a deter

ministic interactivemachine P so that for every x the probability Prob hP V ix

equals the supremum of Prob hB V ix taken over all interactivemachines B

Guideline for each p ossible prex of interaction the prover can determine a message

which maximizes the accepting probability of the verier V

Exercise the role of randomization in interactive proofs part Consider a mo di

cation to the denition of an interactivemachine in which the randomtap es of the

prover and verier coincide ie intuitively b oth use the same sequence of coin tosses

whichisknown to b oth of them Prove that every language having such a mo died

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

MISCELLANEOUS

interactive pro of system has also an interactive pro of system of the original kind in

which the prover sends a single message

Exercise the role of error in interactive proofs Provethatif L has an interactive pro of

system in which the verier never not even with negligible probability accepts a

string not in the language L then L NP

Guideline Dene a relation R such that x y R if y is a full transcript of an

L L

interaction leading the verier to accept the input xWe stress that y contains the

veriers coin tosses and all the messages received from the prover

Exercise error in perfect zeroknow ledge simulators part Consider mo dications of

Denition in which condition is replaced by requiring for some function q

that ProbM x qjxj Assume that q is p olynomialtime computable

Show that if for some p olynomials p and p and all suciently large ns q n

p n

p nandq n then the mo died denition is equivalent to the original

one Justify the b ounds placed on the function q

Guideline the idea is to rep eatedly execute the simulator suciently many time

Exercise error in perfect zeroknow ledge simulators part Consider the following al

ternative to Denition by whichwesay that P V is perfect zeroknow ledge if for

every probabilistic p olynomialtime interactivemachine V there exists a probabilistic

p olynomialtime algorithm M so that the following two ensembles are statistically

close ie their statistical dierence is negligible as a function of jxj

fhP V ixg

fM xg

Prove that Denition implies the new denition

Exercise E error in perfect zeroknow ledge simulators part Prove that Deni

tion implies Denition

Exercise error in computational zeroknow ledge simulators Consider an alternativeto

Denition by which the simulator is allowed to output the symbol with prob

ability b ounded ab ovebysay and its output distribution is considered conditioned

on its not b eing as done in Denition Prove that this alternative denition

is equivalent to the original one ie to Denition

Exercise alternative formulation of zeroknow ledge simulating the interaction Prove

the equivalence of Denitions and

Exercise Present a simple probabilistic p olynomialtime algorithm which simulates

the view of the interaction of the verier describ ed in Construction with the

prover dened there The simulator on input x GI should have output whichis

x distributed identically to view

V GI

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

Exercise Prove that the existence of bit commitmentschemes implies the existence of

oneway functions

Guideline following the notations of Denition consider the mapping of v s r

to the receivers view r m Observethatby the unambiguity requirement range

elements are very unlikely to haveinverses with b oth p ossible values of v The mapping

is p olynomialtime computable and an algorithm that inverts it even with success

probability that is not negligible can b e used to contradict the secrecy requirement

Exercise Considering the commitmentscheme of Construction suggest a cheating

sender that induces a receiverview of the commit phase b eing b oth

indistinguishable from the receiverview in interactions with the prescrib ed sender

with very high probability neither a p ossible commitment nor a p ossible

commitment

Hint the sender just replies with a uniformly chosen string

Exercise using Construction as a commitment scheme in Construction

Prove that when the commitmentscheme of Construction is used in the GC

proto col then resulting scheme remains zeroknowledge Consider the mo dications

required to prove Claim

Exercise more ecient zeroknow ledge proofs for NPFollowing is an outline for a

constantround zeroknowledge pro of for the Hamiltonian Circuit Problem HCP

with acceptance gap b etween inputs inside and outside of the language

Common Input a graph G V E

Auxiliary Input to the prover a p ermutation over V representing the order

of vertices along a Hamiltonian Circuit

Provers rst step Generates a random isomorphic copyofG denoted G

V E Let denote the p ermutation b etween G and G For eachpairi j

V the prover sets e if i j E and e otherwise The prover

ij ij

computes a random commitmenttoeach e Namely it uniformly cho oses

s f g and computes c C e The prover sends all the c s to

ij ij s ij ij

the verier

Veriers rst step Uniformly selects f g and sends it to the prover

Provers second step Let b e the message received from the verier If

then the prover reveals all the jV j commitments to the verier by reveal

ing all s s and sends along also the p ermutation If then the

prover reveals only jV j commitments to the verier sp ecically those corre

sp onding to the Hamiltonian circuit in G ie the prover sends s

s s s

n n n

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

MISCELLANEOUS

Complete the description of the ab oveinteractive pro of evaluate its acceptance proba

bilities and provide a sketch of the pro of of the zeroknowledge prop erty ie describ e

the simulator If you are really serious provide a full pro of of the zeroknowledge

prop erty

Exercise strong reductionsLetL and L be two languages in NP and let R and R

b e binary relations characterizing L and L resp ectivelyWesay that the relation

R is Levinreducible to the relation R if there exist two p olynomialtime computable

functions f and g such that the following two conditions hold

standardrequirement x L if and only if f x L

additional requirementFor every x w R it holds that f xgw R

We call the ab ove reduction after Levin who up on discovering indep endently of

Co ok and Karp the existence of NPcomplete problem made a stronger denition

of a reduction which implies the ab ove Prove the following statements

Let L NP and let L b e the generic relation characterizing L ie x a non

deterministic machine M and let x w R if w is an accepting computation

L L

of M on input x Let R b e the standard relation characterizing SAT ie

L SAT

x w R if w is a truth assignment satisfying the CNF formula x Prove

SAT

that R is Levinreducible to R

L SAT

Let R b e as ab ove and let R b e dened analogously for SAT Prove

SAT SAT

that R is Levinreducibl e to R

SAT SAT

Let R b e as ab ove and let R b e the standard relation characterizing

SAT GC

GC ie x w R if w is a coloring of the graph x Prove that R

GC SAT

is Levinreducib le to R

Levinreductions are transitive

Exercise Prove the existence of a Karpreduction of L to SAT that when considered

as a function can b e inverted in p olynomialtime Same for the reduction of SAT to

SAT and the reduction of SAT to GC In fact the standard Karpreductions

have this prop erty

Exercise applications of Theorem Assuming the existence of nonuniformly one

way functions present solutions to the following cryptographic problems

Supp ose that party R received over a public channel a message encrypted using

its own publickey encryption Supp ose that the message consists of two parts

and party R wishes to reveal to everyb o dy the rst part of the message but not

the second Further supp ose that the other parties want a pro of that R indeed

revealed the correct contents of the rst part of its message

Extracted from a working draft of Goldreich’s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ZEROKNOWLEDGE PROOF SYSTEMS

Supp ose that party S wishes to send party R a signature to a publicly known

do cument so that only R gets the signature but everyb o dy else can verify that

such a signature was indeed sentby S We assume that all parties share a public

channel

Supp ose that party S wishes to send party R a commitment to a partially sp eci

ed statement so that R remains oblivious of the unsp ecied part For example

S may wish to commit itself to some standard oer while keeping the amount

oered secret

Exercise on know ledge tightnessEvaluate the knowledge tightness of Construction

when applied logarithmically manytimes in paral lel

Exercise error reduction in computational ly sound proofs part Given a computa

for a language L construct a compu tionally sound pro of with error probability

tationally sound pro of with negligible error probabilityforL

Exercise error reduction in computational ly sound proofs part Construct a compu

tationally sound pro of that has negligible error probability ie smaller than pjxj

for every p olynomial p and suciently long inputs x but when rep eated sequentially

jxj

jxj times has error probability greater than We refer to the error probabilityin

the computational soundness condition

Exercise commitment schemes an impossibility result Prove that there exists no

twoparty proto col which simultaneously satises the p erfect secrecy requirementof

Denition and the information theoretic unambiguity requirement of Deni

tion

Exercise alternative formulation of blackbox zeroknow ledgeWesay that a proba

bilistic p olynomialtime oracle machine M is a blackb ox simulator for the prover P

and the language L if for every not necessarily uniform p olynomialsize circuit family

jxj

xg are indistinguishabl e fB g the ensembles fhP B ixg and fM

xL n xL

jxj

nNI

by nonuniform p olynomialsize circuits Namely for every p olynomialsize circuit

family fD g every p olynomial p all suciently large n and x f g L

nNI

jProb D hP B ix Prob D M x j

n n n

Prove that the current formulation is equivalent to the one presented in Denition

Exercise Prove that the proto col presented in Construction is indeed a blackb ox

zeroknowledge pro of system for GC

Guideline use the formulation presented ab ove