1.4 Zero knowledge (ZK)
1.4.4 More on zero knowledge
Since zero knowledge was invented in the mid-eighties, the literature on it has grown so abundant that it exceeds 400 publications. In this subsection, we concentrate on the aspects of this notion that are relevant for this thesis.
Further definitions (Σ protocols)
A public-coin protocol is a protocol in which the verifier chooses all its messages randomly from publicly known sets. A three-move protocol can be written in a canonical form in which the messages sent in the three moves are often called commitment, challenge, and response. The protocol is said to have the honest-verifier zero-knowledge property (HVZK) if there exists an algorithm that, provided the verifier behaves as prescribed by the protocol, is able to produce, without knowledge of the secret, transcripts that are indistinguishable from those of the real protocol. The protocol is said to have the special soundness property (SSp) if there exists an algorithm that is able to extract the secret from two accepting transcripts of the protocol with the same commitment and different challenges. Finally, a three-move public-coin protocol with both the HVZK and SSp properties is called a Σ protocol.
Round efficiency
As mentioned in the previous subsection, the soundness error in Schnorr's identification protocol amounts to 2^{−ℓ}, where ℓ is a factor logarithmic in the security parameter log d. In order to reduce this error probability to a negligibly small quantity, i.e. a quantity smaller than 1/(log d)^c for all constants c, we can repeat the protocol log d many times. Such a protocol is then called a log-round protocol; it is characterized by a number of rounds linear in the security parameter.
There also exists a category of protocols that need to be repeated a polynomial number (in the security parameter log d) of rounds; we then talk about poly-round protocols. Examples of such protocols are those proving the validity of a general NP statement via a general polynomial reduction to an NP-complete problem.
Sequential vs concurrent zero knowledge
We addressed in the previous paragraph the possibility of repeating a proof of knowledge many times in order to reduce its soundness error. This repetition can be sequential or in parallel. The natural question to ask is whether the zero knowledge feature is preserved or not. The good news is that zero knowledge is closed under sequential repetition of the protocol (see [Goldreich, 2001, Chapter 4, Paragraph 4.3.4] for the proof), which means that we can indefinitely reduce the soundness error of a protocol without compromising its zero knowledgeness. Parallel composition, however, is not guaranteed to preserve zero knowledge. Even less so is concurrent composition, which generalizes both sequential and parallel composition; in this composition, many instances of the protocol are invoked at arbitrary times and proceed at an arbitrary pace. This composition turns out to be of significant importance in many real-life applications. Fortunately, there exists a result [Damgård, 2000] showing that a wide range of known zero knowledge protocols, e.g. Σ protocols, can be modified with negligible loss of efficiency to preserve zero knowledgeness under concurrent composition.
Non-interactive zero knowledge (NIZK)
This notion, introduced in [Blum et al., 1988], consists of a prover who tries to convince a verifier of the validity of some assertion in one move, i.e. without interaction with the verifier. The basic zero knowledge requirement for such proofs consists in exhibiting an efficient simulator outputting messages indistinguishable from the prover’s. It is worth noting here that the definition of the zero knowledge requirement for these proofs is simplified because the verifier cannot affect the prover’s actions.
The most famous technique to obtain NIZK from their interactive variants is known as the Fiat-Shamir paradigm [Fiat & Shamir, 1986]. It consists of letting the prover compute the verifier's challenge himself as a hash of the statement to be proved and of the first message. The security of this construction is provided only in the random oracle model, which constitutes its major shortcoming. In fact, it is not in general possible to instantiate the random oracle with a concrete function and have the security properties preserved.
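As an added illustration, constructed for this page and not taken from the thesis or any cited paper, the following code writes Schnorr's identification protocol as a Σ protocol (the HVZK simulator and the special-soundness extractor of the definitions above) and applies the Fiat-Shamir transform of the preceding paragraph to it; the group parameters P, Q, G are toy values chosen for readability and the hash-to-challenge encoding is an assumption.

```python
import hashlib
import secrets

# Constructed toy group (assumption, far too small for real use): p = 2q + 1 with
# p, q prime and g = 4 a quadratic residue mod p, hence of prime order q.
P, Q, G = 1019, 509, 4

def keygen():
    v = secrets.randbelow(Q)                 # secret exponent
    return v, pow(G, v, P)                   # (secret v, statement h = g^v)

def commit():
    u = secrets.randbelow(Q)                 # prover's per-run randomness
    return u, pow(G, u, P)                   # (u, commitment a = g^u)

def respond(u, v, c):
    return (u + c * v) % Q                   # linear answer z = u + c*v

def verify(h, a, c, z):
    return pow(G, z, P) == a * pow(h, c, P) % P

def simulate(h):
    """HVZK simulator: choose c and z first, solve a = g^z * h^(-c); no secret used."""
    c, z = secrets.randbelow(Q), secrets.randbelow(Q)
    return pow(G, z, P) * pow(h, -c, P) % P, c, z

def extract(c1, z1, c2, z2):
    """Special soundness: two accepting transcripts with the same commitment and
    c1 != c2 (mod q) give v = (z1 - z2)/(c1 - c2); pow() raises if c1 == c2."""
    return (z1 - z2) * pow(c1 - c2, -1, Q) % Q

def fiat_shamir_challenge(h, a):
    """Fiat-Shamir: challenge = hash of the statement (group, h) and first message a."""
    digest = hashlib.sha256(f"{P}|{G}|{h}|{a}".encode()).digest()
    return int.from_bytes(digest, "big") % Q

def nizk_prove(v, h):
    u, a = commit()
    return a, respond(u, v, fiat_shamir_challenge(h, a))

def nizk_verify(h, a, z):
    return verify(h, a, fiat_shamir_challenge(h, a), z)

def demo():
    v, h = keygen()
    u, a = commit()
    z1, z2 = respond(u, v, 7), respond(u, v, 123)   # same a, two challenges
    a_s, c_s, z_s = simulate(h)
    a_n, z_n = nizk_prove(v, h)
    return (verify(h, a, 7, z1), verify(h, a_s, c_s, z_s),
            extract(7, z1, 123, z2) == v, nizk_verify(h, a_n, z_n))
```

`demo()` returns four booleans: an honest run verifies, a simulated transcript verifies without the secret, two transcripts sharing a commitment leak v, and the Fiat-Shamir proof verifies in one pass.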
A recent method is due to Damgård et al. [Damgård et al., 2006]. It transforms a 3-move interactive ZK protocol P with linear answer into a non-interactive ZK one (NIZK) using a homomorphic encryption scheme in a registered key model, i.e. in a model where the verifier registers his key. More precisely, let a be the first message computed by the prover in P, c ∈ N be the challenge sent by the verifier, and finally let z = u + cv be the answer computed by the prover in the third step, where u, v ∈ N. Let further Γ denote a homomorphic encryption scheme such that Γ.encrypt(m + m′) = Γ.encrypt(m) · Γ.encrypt(m′), where m and m′ are integer values in a suitable range. If the verifier chooses a key pair (Γ.pk, Γ.sk) and publishes an encryption e of the challenge c, then the prover can compute a as usual, compute Γ.encrypt(z) as Γ.encrypt(u) · e^v, and send these quantities to the verifier in one pass. The verifier decrypts Γ.encrypt(z) to obtain z and checks whether (a, c, z) is an accepting transcript. The authors in [Damgård et al., 2006] proposed an efficient illustration using Paillier's encryption and the proof of equality of two discrete logarithms.
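An added toy instantiation of the transform just described, written for this page and not the construction of [Damgård et al., 2006] (which illustrates it with equality of discrete logarithms): P is Schnorr's protocol with linear answer z = u + cv, Γ is Paillier, and the verifier registers a key pair and publishes e = Γ.encrypt(c). The group and the Paillier primes are constructed toy values; the integer ranges are chosen so that z never wraps modulo the Paillier modulus.

```python
import secrets
from math import gcd

# Constructed parameters (assumptions, toy sizes): Schnorr group p = 2q + 1 with
# generator g of prime order q, and tiny Paillier primes for the verifier's key.
P, Q, G = 1019, 509, 4
PAILLIER_P, PAILLIER_Q = 10007, 10009

def paillier_keygen(p=PAILLIER_P, q=PAILLIER_Q):
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lambda = lcm(p-1, q-1)
    return n, (n, lam, pow(lam, -1, n))            # pk = n (g = n + 1 implied), sk

def paillier_encrypt(n, m):
    r = secrets.randbelow(n - 1) + 1
    return (1 + m * n) * pow(r, n, n * n) % (n * n)   # (1+n)^m * r^n mod n^2

def paillier_decrypt(sk, ct):
    n, lam, mu = sk
    return (pow(ct, lam, n * n) - 1) // n * mu % n

def verifier_register():
    """Registered-key model: the verifier publishes pk and e = Enc(c), keeping c secret."""
    n, sk = paillier_keygen()
    c = secrets.randbelow(Q)
    return n, paillier_encrypt(n, c), sk, c

def prover_one_pass(n, e, v):
    """One move: a = g^u as usual, and Enc(z) = Enc(u) * e^v = Enc(u + c*v) by homomorphism."""
    u = secrets.randbelow(Q)
    a = pow(G, u, P)
    enc_z = paillier_encrypt(n, u) * pow(e, v, n * n) % (n * n)
    return a, enc_z

def verifier_check(sk, c, h, a, enc_z):
    """Decrypt z (an integer below n, since u + c*v < q^2 + q << n) and test (a, c, z)."""
    z = paillier_decrypt(sk, enc_z)
    return pow(G, z, P) == a * pow(h, c, P) % P

def run(v=None):
    v = secrets.randbelow(Q) if v is None else v
    h = pow(G, v, P)
    n, e, sk, c = verifier_register()
    a, enc_z = prover_one_pass(n, e, v)
    return verifier_check(sk, c, h, a, enc_z)
```

The prover never learns c, so the one-pass proof does not need a random oracle; security instead rests on the verifier having honestly registered (Γ.pk, Γ.sk), which is exactly the assumption of the registered key model.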