
Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

Chapter: Zero-Knowledge Proof Systems

In this chapter we discuss zero-knowledge proof systems. Loosely speaking, such proof systems have the remarkable property of being convincing and yielding nothing beyond the validity of the assertion. The main result presented is a method to generate zero-knowledge proof systems for every language in NP. This method can be implemented using any bit commitment scheme, which in turn can be implemented using any pseudorandom generator. In addition, we discuss more refined aspects of the concept of zero-knowledge and their effect on the applicability of this concept.

Zero-Knowledge Proofs: Motivation

An archetypical cryptographic problem consists of providing mutually distrustful parties with a means of exchanging predetermined pieces of information. The setting consists of several parties, each wishing to obtain some predetermined partial information concerning the secrets of the other parties. Yet each party wishes to reveal as little information as possible about its own secret. To clarify the issue, let us consider a specific example.

Suppose that all users in a system keep backups of their entire file system, encrypted using their public-key encryption, in a publicly accessible storage medium. Suppose that at some point, one user, called Alice, wishes to reveal to another user, called Bob, the cleartext of one of her files (which appears in one of her backups). A trivial solution is for Alice just to send the cleartext file to Bob. The problem with this solution is that Bob has no way of verifying that Alice really sent him a file from her public backup, rather than just sending him an arbitrary file. Alice can simply prove that she sends the correct file by revealing to Bob her private encryption key. However, doing so will reveal to Bob the contents of all her files, which is certainly something that Alice does not want to happen. The question is whether Alice can convince Bob that she indeed revealed the correct file without yielding any additional knowledge.

An analogous question can be phrased formally as follows. Let $f$ be a one-way permutation and $b$ a hard-core predicate with respect to $f$. Suppose that one party, A, has a string $x$, whereas another party, denoted B, only has $f(x)$. Furthermore, suppose that A wishes to reveal $b(x)$ to party B, without yielding any further information. The trivial solution is to let A send $b(x)$ to B, but, as explained above, B will have no way of verifying whether A has really sent the correct bit (and not its complement). Party A can indeed prove that it sends the correct bit (i.e., $b(x)$) by sending $x$ as well, but revealing $x$ to B is much more than what A had originally in mind. Again, the question is whether A can convince B that it indeed revealed the correct bit (i.e., $b(x)$) without yielding any additional knowledge.

In general, the question is whether it is possible to prove a statement without yielding anything beyond its validity. Such proofs, whenever they exist, are called zero-knowledge, and play a central role (as we shall see in the subsequent chapter) in the construction of cryptographic protocols.

Loosely speaking, zero-knowledge proofs are proofs that yield nothing (i.e., "no knowledge") beyond the validity of the assertion. In the rest of this introductory section we discuss the notion of a "proof" and a possible meaning of the phrase "yield nothing (i.e., no knowledge) beyond something".

The Notion of a Proof

We discuss the notion of a proof with the intention of uncovering some of its underlying aspects.

A Proof as a fixed sequence or as an interactive process

Traditionally in mathematics, a "proof" is a fixed sequence consisting of statements which are either self-evident or are derived from previous statements via self-evident rules. Actually, it is more accurate to substitute the phrase "self-evident" by the phrase "commonly agreed". In fact, in the formal study of proofs (i.e., logic), the commonly agreed statements are called axioms, whereas the commonly agreed rules are referred to as derivation rules. We wish to stress two properties of mathematics proofs:

1. proofs are viewed as fixed objects;
2. proofs are considered at least as fundamental as their consequence (i.e., the theorem).

However, in other areas of human activity, the notion of a "proof" has a much wider interpretation. In particular, a proof is not a fixed object but rather a process by which the validity of an assertion is established. For example, the cross-examination of a witness in court is considered a proof in law, and failure to answer a rival's claim is considered a proof in philosophical, political and sometimes even technical discussions. In addition, in real-life situations, proofs are considered secondary (in importance) to their consequence.

To summarize, in canonical mathematics proofs have a static nature (e.g., they are "written"), whereas in real-life situations proofs have a dynamic nature (i.e., they are established via an interaction). The dynamic interpretation of the notion of a proof is more adequate to our setting, in which proofs are used as tools (i.e., subprotocols) inside cryptographic protocols. Furthermore, the dynamic interpretation (at least in a weak sense) is essential to the non-triviality of the notion of a zero-knowledge proof.

Prover and Verifier

The notion of a prover is implicit in all discussions of proofs, be it in mathematics or in real-life situations. Instead, the emphasis is placed on the verification process, or in other words on (the role of) the verifier. Both in mathematics and in real-life situations, proofs are defined in terms of the verification procedure. Typically, the verification procedure is considered to be relatively simple, and the burden is placed on the party/person supplying the proof (i.e., the prover).

The asymmetry between the complexity of the verification and the theorem-proving tasks is captured by the complexity class NP, which can be viewed as a class of proof systems. Each language $L \in NP$ has an efficient verification procedure for proofs of statements of the form "$x \in L$". Recall that each $L \in NP$ is characterized by a polynomial-time recognizable relation $R_L$ so that

$$L = \{x : \exists y \ \text{s.t.}\ (x,y) \in R_L\}$$

and $(x,y) \in R_L$ only if $|y| \le \mathrm{poly}(|x|)$. Hence, the verification procedure for membership claims of the form "$x \in L$" consists of applying the (polynomial-time) algorithm for recognizing $R_L$ to the claim (encoded by) $x$ and a prospective proof, denoted $y$. Hence, any $y$ satisfying $(x,y) \in R_L$ is considered a proof of membership of $x \in L$. Hence, correct statements (i.e., $x \in L$) and only them have proofs in this proof system. Note that the verification procedure is "easy" (i.e., polynomial-time), whereas coming up with proofs may be "difficult".

It is worthwhile to stress the distrustful attitude towards the prover in any proof system. If the verifier trusts the prover then no proof is needed. Hence, whenever discussing a proof system, one considers a setting in which the verifier is not trusting the prover, and furthermore is skeptical of anything the prover says.
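The NP verification procedure described above, as an added example that is not part of Goldreich's text: a polynomial-time recognizer for the relation R_L, taking L to be CNF satisfiability (an assumed instance chosen for illustration), next to an exhaustive-search prover. All function names and the sample formulas are constructed for this example.

```python
from itertools import product

# A statement x is a CNF formula: a list of clauses, each a list of non-zero
# ints (3 means variable 3, -3 means its negation).
# A prospective proof y is a tuple of booleans, one per variable.

def num_vars(cnf):
    return max((abs(lit) for clause in cnf for lit in clause), default=0)

def verify(cnf, y):
    """Polynomial-time recognizer for R_L: accept iff (cnf, y) is in R_L."""
    n = num_vars(cnf)
    # Length bound |y| <= poly(|x|): here exactly one bit per variable.
    if not isinstance(y, (tuple, list)) or len(y) != n:
        return False
    if not all(isinstance(bit, bool) for bit in y):
        return False
    # Every clause must contain at least one literal that y makes true.
    return all(any(y[abs(lit) - 1] == (lit > 0) for lit in clause)
               for clause in cnf)

def prove(cnf):
    """The prover's task: find some y with (cnf, y) in R_L, or return None.
    Exhaustive search, exponential in the number of variables."""
    for y in product([False, True], repeat=num_vars(cnf)):
        if verify(cnf, y):
            return y
    return None

def has_any_accepted_proof(cnf):
    """True iff the verifier accepts some y, i.e. iff cnf is in L."""
    return prove(cnf) is not None

# Constructed sample statements.
SATISFIABLE = [[1, 2], [-1, 3], [-2, -3]]               # x in L
UNSATISFIABLE = [[1, 2], [-1, 2], [1, -2], [-1, -2]]    # x not in L

if __name__ == "__main__":
    y = prove(SATISFIABLE)
    print("proof found:", y, "accepted:", verify(SATISFIABLE, y))
    print("false statement has a proof:", has_any_accepted_proof(UNSATISFIABLE))
```

The verifier runs in time linear in the size of the formula and never trusts the shape of y, while the only prover given here enumerates all assignments; no y is accepted for the unsatisfiable formula.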
Completeness and Validity

Two fundamental properties of a proof system (i.e., a verification procedure) are its validity and completeness. The validity property asserts that the verification procedure cannot be "tricked" into accepting false statements. In other words, validity captures the verifier's ability of protecting itself from being convinced of false statements (no matter what the prover does in order to fool it). On the other hand, completeness captures the ability of some prover to convince the verifier of true statements (belonging to some predetermined set of true statements). Note that both properties are essential to the very notion of a proof system.

We remark here that not every set of true statements has a "reasonable" proof system in which each of these statements can be proven (while no false statement can be proven). This fundamental fact is given a precise meaning in results such as Gödel's Incompleteness Theorem and Turing's proof of the unsolvability of the Halting Problem. We stress that in this chapter we confine ourselves to the class of sets that do have "efficient proof systems". In fact, Section is devoted to discussing and formulating the concept of "efficient proof systems". Jumping ahead, we hint that the efficiency of a proof system will be associated with the efficiency of its verification procedure.

Gaining Knowledge

Recall that we have motivated zero-knowledge proofs as proofs by which the verifier gains "no knowledge" (beyond the validity of the assertion). The reader may rightfully wonder what is knowledge and what is a gain of knowledge. When discussing zero-knowledge proofs, we avoid the first question (which is quite complex), and treat the second question directly. Namely, without presenting a definition of knowledge, we present a generic case in which it is certainly justified to say that no knowledge is gained. Fortunately, this "conservative" approach seems to suffice as far as cryptography is concerned.

To motivate the definition of zero-knowledge, consider a conversation between two parties, Alice and Bob. Assume first that this conversation is unidirectional, specifically Alice only talks and Bob only listens. Clearly, we can say that Alice gains no knowledge from the conversation. On the other hand, Bob may or may not gain