Abstract
We initiate a study of super-perfect zero-knowledge proof systems. Loosely speaking, these are proof systems for which the interaction can be perfectly simulated in strict probabilistic polynomial-time. In contrast, the standard definition of perfect zero-knowledge only requires that the interaction can be perfectly simulated by a strict probabilistic polynomial-time simulator that is allowed to fail with probability at most one half.
We show that two types of perfect zero-knowledge proof systems can be transformed into super-perfect ones. The first type includes the perfect zero-knowledge interactive proof system for Graph Isomorphism and other systems of the same form, including perfect zero-knowledge arguments for NP. The second type refers to perfect non-interactive zero-knowledge proof systems. We also present a super-perfect non-interactive zero-knowledge proof system for the set of Blum integers.
Notes
- 1. Note that this definition of perfect zero-knowledge implies that a perfect simulation can be generated in expected (probabilistic) polynomial-time, but the latter does not imply the former. Also recall that the issue does not arise for statistical zero-knowledge, since the failure probability can be made exponentially vanishing (by repeated trials), and then absorbed in the statistical deviation of the simulation. Ditto for computational zero-knowledge.
- 2.
- 3. We are only aware of the perfect NIZK arguments of Groth et al. [16], but these are in a more liberal model that allows the common reference string to be distributed according to any efficiently sampleable distribution.
- 4. One can generate the uniform distribution over [n] by selecting at random a uniformly distributed \(r\in [2^{\lceil \log _2 n\rceil }]\), outputting r if \(r\in [n]\), and announcing failure otherwise.
- 5. We denote the input length by \(\ell \), rather than by n, in order to avoid confusion with Sect. 5 where n denotes a large integer (which is part of the input).
- 6. Specifically, for any polynomial p, all sufficiently long \(x\not \in S\), and any strategy \(P^*\) that can be implemented by a circuit of size at most p(|x|), it holds that \(\mathbf{Pr}[{\langle {P^*,V}\rangle }(x)=1]\le {\epsilon _\mathrm{s}}(|x|)\).
- 7. But, again, perfect completeness is lost.
- 8. Again, the derived systems have exponentially vanishing completeness error.
- 9. Specifically, the perfect ZK feature of their argument system is demonstrated using Barak’s (non-black-box) simulation technique [3, 4], whereas such a demonstration actually yields a super-perfect simulator. This is the case because the simulation (constructed according to Barak’s technique) amounts to executing the same protocol as the honest prover, while using the verifier’s program as an NP-witness to a composed statement that the honest prover proves by using an NP-witness to the actual input. The need to use the non-standard model of PPT arises because in the known proof systems (e.g., [19]) the honest prover samples uniformly sets that have size that is not a power of 2.
- 10. Specifically, Condition 2 requires perfect simulation of the interaction with P in case of non-failure, which is the standard requirement of perfect ZK, whereas Condition 1 requires that failure occurs with probability exactly 1/2 (rather than at most 1/2).
- 11. Indeed, the perfect ZK argument system for \(\mathcal{NP}\) based on 3-Colorability requires that the prover and simulator sample a random permutation of 3 elements. Furthermore, the simulator fails with probability exactly 1/3, for every input and every probabilistic polynomial-time strategy \(V^*\).
- 12. Note that in some sources (e.g. [10, Sec. 4.4.1]) the perfect binding property of commitment schemes only requires that the supports of C(1) and C(0) intersect on a set of negligible size, while we require that the supports of C(0) and C(1) are totally disjoint.
- 13. Indeed, by Definition 3.4, the output of \(A^{**}(x)\) has the form \((0,\alpha )\), with probability 1/2, and \((1,\alpha \beta )\) otherwise.
- 14. Indeed, in this case the construction can be simplified. We may use a common reference string of the form \((\omega ,\sigma )\in \{0,1\}^{\rho (\ell )+1}\), have the prover output \(P(x,\omega )\) if and only if \(\sigma =1\), and have the verifier accept if either \(\sigma =0\) or \(V(x,\omega ,y)\), where y denotes the alleged proof.
- 15. See Step 3. In addition, Steps 1 and 2 take care of other pathological cases. The main action takes place in Step 4.
- 16. This is the case since if \(n=p^en'\not \in B\) for \(e\ge 1\) and an odd prime \(p\in [\ell ]\) that does not divide \(n'\), then either \(n'\) is not a prime power or the prime factorization of n is found in Step 2 leading the verifier to reject.
- 17. This presumption holds trivially when referring either to the honest-verifier version or to the NIZK version.
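The sampler described in Note 4, worked through exactly as an added example (it is not code from the chapter). It assumes the exponent in that note is ⌈log₂ n⌉ and that [n] denotes {1, ..., n}; all function names are hypothetical.

```python
from fractions import Fraction
from itertools import product


def bits_needed(n):
    # k = ceil(log2 n), computed on integers to avoid floating-point error
    return (n - 1).bit_length()


def one_trial_distribution(n):
    """Exact outcome of one trial: toss k fair coins to pick r in [2^k],
    output r if r is in [n], otherwise announce failure.
    Returns (dist, fail) with exact rational probabilities."""
    k = bits_needed(n)
    weight = Fraction(1, 2 ** k)           # probability of each coin sequence
    dist = {v: Fraction(0) for v in range(1, n + 1)}
    fail = Fraction(0)
    for coins in product((0, 1), repeat=k):
        r = 1 + sum(bit << i for i, bit in enumerate(coins))
        if r <= n:
            dist[r] += weight
        else:
            fail += weight
    return dist, fail


def conditional_distribution(n):
    """Output distribution conditioned on non-failure."""
    dist, fail = one_trial_distribution(n)
    return {v: p / (1 - fail) for v, p in dist.items()}


def failure_after_retries(n, t):
    """Probability that t independent trials all fail (a strict time bound
    permits only a fixed number of trials)."""
    _, fail = one_trial_distribution(n)
    return fail ** t


if __name__ == "__main__":
    for n in (5, 6, 8):
        _, fail = one_trial_distribution(n)
        print(n, "fail:", fail, "after 4 retries:", failure_after_retries(n, 4))
```

Conditioned on non-failure the output is exactly uniform and a single trial fails with probability below 1/2, but for n that is not a power of 2 the failure probability after any fixed number of retries stays strictly positive.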
References
1. Agrawal, M., Kayal, N., Saxena, N.: PRIMES is in P. Ann. Math. 160(2), 781–793 (2004)
2. Alexi, W., Chor, B., Goldreich, O., Schnorr, C.P.: RSA/Rabin functions: certain parts are as hard as the whole. SIAM J. Comput. 17, 194–209 (1988)
3. Barak, B.: How to go beyond the black-box simulation barrier. In: 42nd IEEE Symposium on Foundations of Computer Science, pp. 106–115 (2001)
4. Barak, B.: Non-black-box techniques in cryptography. Ph.D. thesis, Weizmann Institute of Science (2004)
5. Bellare, M., Impagliazzo, R., Naor, M.: Does parallel repetition lower the error in computationally sound protocols? In: 38th IEEE Symposium on Foundations of Computer Science, pp. 374–383 (1997)
6. Blum, M., De Santis, A., Micali, S., Persiano, G.: Non-interactive zero-knowledge proof systems. SIAM J. Comput. 20(6), 1084–1118 (1991). (Considered the journal version of [7].)
7. Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications. In: 20th ACM Symposium on the Theory of Computing, pp. 103–112 (1988). See [6]
8. Brassard, G., Chaum, D., Crépeau, C.: Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci. 37(2), 156–189 (1988). Preliminary version by Brassard and Crépeau in 27th FOCS, 1986
9. Fürer, M., Goldreich, O., Mansour, Y., Sipser, M., Zachos, S.: On completeness and soundness in interactive proof systems. In: Micali, S. (ed.) Randomness and Computation. Advances in Computing Research: A Research Annual, vol. 5, pp. 429–442 (1989)
10. Goldreich, O.: Foundations of Cryptography: Basic Tools. Cambridge University Press, Cambridge (2001)
11. Goldreich, O.: Foundations of Cryptography: Basic Applications. Cambridge University Press, Cambridge (2004)
12. Goldreich, O.: Computational Complexity: A Conceptual Perspective. Cambridge University Press, Cambridge (2008)
13. Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. J. ACM 38(3), 691–729 (1991). Preliminary version in 27th FOCS, 1986
14. Goldreich, O., Sahai, A., Vadhan, S.: Can statistical zero knowledge be made non-interactive? Or on the relationship of SZK and NISZK. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 467–484. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_30
15. Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18, 186–208 (1989). Preliminary version in 17th STOC, 1985. Earlier versions date to 1982
16. Groth, J., Ostrovsky, R., Sahai, A.: Perfect non-interactive zero knowledge for NP. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 339–358. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_21
17. Lautemann, C.: BPP and the polynomial hierarchy. Inf. Process. Lett. 17, 215–217 (1983)
18. Malka, L.: How to achieve perfect simulation and a complete problem for non-interactive perfect zero-knowledge. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 89–106. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78524-8_6
19. Naor, M., Ostrovsky, R., Venkatesan, R., Yung, M.: Zero-knowledge arguments for NP can be based on general assumptions. J. Cryptol. 11, 87–108 (1998). Preliminary version in Crypto92
20. Pass, R., Rosen, A.: New and improved constructions of non-malleable cryptographic protocols. SIAM J. Comput. 38(2), 702–752 (2008)
21. Pass, R., Rosen, A.: Concurrent non-malleable commitments. SIAM J. Comput. 37(6), 1891–1925 (2008)
22. Sahai, A., Vadhan, S.: A complete promise problem for statistical zero-knowledge. J. ACM 50(2), 196–249 (2003). Preliminary version in 38th FOCS, 1997
23. Vadhan, S.: A study of statistical zero-knowledge proofs. Ph.D. thesis, Department of Mathematics, MIT (1999). See http://people.seas.harvard.edu/~salil/research/phdthesis.pdf
Acknowledgments
We are grateful to Alon Rosen and Amit Sahai for useful discussions. This research was partially supported by the Minerva Foundation with funds from the Federal German Ministry for Education and Research.
© 2020 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Goldreich, O., Teichner, L. (2020). Super-Perfect Zero-Knowledge Proofs. In: Goldreich, O. (eds) Computational Complexity and Property Testing. Lecture Notes in Computer Science, vol 12050. Springer, Cham. https://doi.org/10.1007/978-3-030-43662-9_8
DOI: https://doi.org/10.1007/978-3-030-43662-9_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-43661-2
Online ISBN: 978-3-030-43662-9
eBook Packages: Computer Science (R0)