
4. Cryptographic Protocols

4.2 Identification Schemes

4.2.3 Zero-Knowledge

In the interactive proof system based on a public-key cryptosystem, which we discussed above, a dishonest verifier Vic can decrypt Peggy's cryptograms by interacting with Peggy. Since Vic is not able to decrypt them without interaction, he learns something new by interacting with Peggy. He obtains knowledge from Peggy. This is not desirable, because it might violate Peggy's security requirements, as our example shows. It is desirable that interactive proof systems are designed so that no knowledge is transferred from the prover to the verifier. Such proof systems are called zero-knowledge. Informally, an interactive proof system is called zero-knowledge if whatever the verifier can efficiently compute after interacting with the prover can be efficiently simulated without interaction. Below we define the zero-knowledge property more formally.

We denote the algorithm that the honest prover Peggy executes by $P$, the algorithm of an honest verifier by $V$ and the algorithm of a general (possibly dishonest) verifier by $V^*$. The interactive proof system (including the interaction between $P$ and $V$) is denoted by $(P, V)$. Peggy knows a secret about some object $x$ (e.g. as in the Fiat-Shamir example in Protocol 4.5, the root of a square $x$). This object $x$ is the common input to $P$ and $V$.

Each algorithm is assumed to have polynomial running time. It may be partly controlled by random events, i.e., it has access to a source of random bits and thus can make random choices. Such algorithms are called probabilistic algorithms. We study this notion in detail in Chapter 5.

Let $x$ be the common input of $(P, V)$. Suppose the interactive proof takes $n$ moves. A message is sent in each move. For simplicity, we assume that the prover starts with the first move. We denote by $m_i$ the message sent in the $i$-th move. The messages $m_1, m_3, \ldots$ are sent from the prover to the verifier and the messages $m_2, m_4, \ldots$ are sent from the verifier to the prover. The transcript of the joint computation of $P$ and $V^*$ on input $x$ is defined by

$$\mathrm{tr}_{P,V^*}(x) := (m_1, \ldots, m_n),$$

where $\mathrm{tr}_{P,V^*}(x)$ is called an accepting transcript if $V^*$ accepts after the last move. Note that the transcript $\mathrm{tr}_{P,V^*}(x)$ depends on the random bits that the algorithms $P$ and $V^*$ choose. Thus, it is not determined by the input $x$.

Definition 4.6. An interactive proof system $(P, V)$ is (perfect) zero-knowledge if there is a probabilistic simulator $S(V^*, x)$, running in expected polynomial time, which for every verifier $V^*$ (honest or not) outputs on input $x$ an accepting transcript for $(P, V^*)$, such that the transcripts output by $S$ are distributed in the same way as if they were generated by the honest prover $P$ and $V^*$.

Remark. The definition of zero-knowledge includes all verifiers (also the dishonest ones). Hence, zero-knowledge is a property of the prover $P$. It captures the prover's security requirements against attempts to gain "knowledge" by interacting with him.

To understand the definition, we have to clarify what a simulator is. A simulator $S$ is an algorithm which, given some verifier $V^*$, honest or not, generates valid accepting transcripts for $(P, V^*)$, without communicating with the real prover $P$. In particular, $S$ does not have any access to computations that rely on the prover's secret. Trying to produce an accepting transcript, $S$ plays the role of $P$ in the protocol and communicates with $V^*$. Thus, he obtains outgoing messages of $V^*$ which are compliant with the protocol. His task is to fill into the transcript the messages going out from $P$. Since $P$ computes these messages by use of her secret and $S$ does not know this secret, $S$ applies his own strategy to generate the messages. Necessarily, his probability of obtaining a valid transcript in this way is significantly less than 1. Otherwise, with high probability, $S$ could falsely convince $V^*$ that he knows the secret, and the proof system would not be sound. Thus, not every attempt of $S$ to produce an accepting transcript is successful; he fails in many cases. Nevertheless, by repeating his attempts sufficiently often, the simulator is able to generate a valid accepting transcript. It is required that the expected value of the running time which $S$ needs to get an accepting transcript is bounded by a polynomial in the binary length $|x|$ of the common input $x$.

To be zero-knowledge, the ability to produce accepting transcripts by a simulation is not sufficient. The generation of transcripts, real or simulated, includes random choices. Thus, we have a probability distribution on the set of accepting transcripts. The last condition in the definition means that the probability distribution of the transcripts that are generated by the simulator $S$ and $V^*$ is the same as if they were generated by the honest prover $P$ and $V^*$. Otherwise, the distribution of transcripts might contain information about the secret and thus reveal some of $P$'s knowledge.

In the following, we will illustrate the notion of zero-knowledge and the simulation of a prover by the simplified version of the Fiat-Shamir identification (Protocol 4.5).

Proposition 4.7. The simplified version of the Fiat-Shamir identification scheme is zero-knowledge.

Proof. The set of accepting transcripts is

$$T(x) := \{(a, e, b) \in \mathrm{QR}_n \times \{0,1\} \times \mathbb{Z}_n^* \mid b^2 = a x^e\}.$$

Let $V^*$ be a general (honest or cheating) verifier. Then, a simulator $S$ with the desired properties is given by the following algorithm.


Algorithm 4.8.

transcript S(algorithm V*, int x)
    repeat
        select ẽ ∈ {0,1} and b̃ ∈ Z_n^* uniformly at random
        ã ← b̃² x^(−ẽ)
        e ← V*(ã)
    until e = ẽ
    return (ã, ẽ, b̃)

The simulator $S$ uses the verifier $V^*$ as a subroutine to get the challenge $e$. $S$ tries to guess $e$ in advance. If $S$ succeeded in guessing $e$, he can produce a valid transcript $(\tilde a, \tilde e, \tilde b)$. $S$ cannot produce $e$ by himself, because $V^*$ is an arbitrary verifier. Therefore, $V^*$ possibly does not generate the challenges $e$ randomly, as is specified in $(P, V)$, and $S$ must call $V^*$ to get $e$. Independent of the strategy that $V^*$ uses to output $e$, the guess $\tilde e$ coincides with $e$ with a probability of $1/2$. Namely, if $V^*$ outputs 0 with a probability of $p$ and 1 with a probability of $1-p$, the probability that $e = 0$ and $\tilde e = 0$ is $p/2$, and the probability that $e = 1$ and $\tilde e = 1$ is $(1-p)/2$. Hence, the probability that one of both events occurs is $1/2$.

The expectation is that $S$ will produce a result after two iterations of the loop (see Lemma B.12). An element $(\tilde a, \tilde e, \tilde b) \in T$ returned by $S$ cannot be distinguished from an element $(a, e, b)$ produced by $(P, V^*)$:

1. $a$ and $\tilde a$ are random quadratic residues in $\mathrm{QR}_n$.
2. $e$ and $\tilde e$ are distributed according to $V^*$.
3. $b$ and $\tilde b$ are random square roots.

This concludes the proof of the proposition. □
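As an added illustration (not code from the book), the following Python models the simplified Fiat-Shamir protocol of Protocol 4.5 with the real prover, and beside it the simulator of Algorithm 4.8, which never touches the secret, run against three verifier strategies (an honest one, a biased one, and one that derives the challenge from the commitment). The modulus n = 77 and the secret s = 38 are constructed toy values; the verifier functions and the helper names are assumptions of this example.

```python
import random
from math import gcd
# Constructed toy instance (not from the book): n = p*q with tiny primes, secret s, x = s^2 mod n.
N = 77                       # 7 * 11
S_SECRET = 38                # a unit mod 77, known only to Peggy
X = S_SECRET * S_SECRET % N  # = 58, the public square

def random_unit(n, rng):  # uniform element of Z_n^* by rejection sampling
    while True:
        v = rng.randrange(1, n)
        if gcd(v, n) == 1:
            return v

def accepts(t, n=N, x=X):  # Vic's check: (a, e, b) is accepting iff b^2 = a * x^e (mod n)
    a, e, b = t
    return b * b % n == a * pow(x, e, n) % n

def real_transcript(verifier, rng=random, n=N, x=X, s=S_SECRET):
    """One run of the simplified Fiat-Shamir protocol with the real prover P."""
    r = random_unit(n, rng)
    a = r * r % n                # move 1: Peggy commits to a = r^2
    e = verifier(a)              # move 2: V* picks the challenge by any strategy
    b = r * pow(s, e, n) % n     # move 3: the response needs the secret s
    return (a, e, b)

def simulate(verifier, rng=random, n=N, x=X):
    """Algorithm 4.8 without s: returns (transcript, number of loop attempts)."""
    x_inv = pow(x, -1, n)
    attempts = 0
    while True:                  # repeat ... until e = e_guess
        attempts += 1
        e_guess = rng.randrange(2)
        b_sim = random_unit(n, rng)
        a_sim = b_sim * b_sim * pow(x_inv, e_guess, n) % n  # a~ = b~^2 x^(-e~)
        e = verifier(a_sim)      # run V* as a subroutine on the simulated a~
        if e == e_guess:
            return (a_sim, e_guess, b_sim), attempts

def average_attempts(verifier, trials=2000, seed=1):
    """Mean loop attempts over many simulations; every transcript is checked."""
    rng = random.Random(seed)
    runs = [simulate(verifier, rng) for _ in range(trials)]
    assert all(accepts(t) for t, _ in runs)
    return sum(k for _, k in runs) / trials

# Three V* strategies (assumed for this example): honest, biased, and e derived from a.
honest_verifier = lambda a: random.randrange(2)
always_one = lambda a: 1
parity_verifier = lambda a: a & 1
```

Whatever strategy V* follows, every simulated transcript passes Vic's check and the loop needs about two attempts on average, as the proof of Proposition 4.7 predicts.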