|
|
| Line 1: |
Line 1: |
| In [[cryptography]], a '''zero-knowledge proof''' or '''zero-knowledge protocol''' is a method by which one party (the ''prover'') can prove to another party (the ''verifier'') that a given statement is true, without conveying any additional information apart from the fact that the statement is indeed true. For cases where the ability to prove the statement requires some secret information on the part of the prover, the definition implies that the verifier will not be able to prove the statement to anyone else. Notice that the notion only applies if the statement being proven is the fact that the prover has such knowledge (otherwise, the statement would not be proved in zero-knowledge, since at the end of the protocol the verifier would gain the additional information that the prover has knowledge of the required secret information). This is a particular case known as ''zero-knowledge proof of knowledge'', and it nicely illustrates the essence of the notion of zero-knowledge proofs: proving that one possesses a certain knowledge is in most cases trivial if one is allowed to simply reveal that knowledge; the challenge is proving that one has such knowledge without revealing it or without revealing anything else.
| | Contented to meet you! My husband and my name is Eusebio and I think it sounds quite good when say it. My bungalow is now in Vermont and I don't [http://Photo.net/gallery/tag-search/search?query_string=program program] on changing it. Software rising has been my new day job for a but. To cook is the only pastime my wife doesn't agree to. I'm not good at webdesign but you might feel the need to check my website: http://circuspartypanama.com<br><br> |
|
| |
|
| For zero-knowledge proofs of knowledge, the protocol must necessarily require interactive input from the verifier, usually in the form of a challenge or challenges such that the responses from the prover will convince the verifier if and only if the statement is true (i.e., if the prover does have the claimed knowledge). This is clearly the case, since otherwise the verifier could record the execution of the protocol and replay it to someone else: if this were accepted by the new party as proof that the replaying party knows the secret information, then the new party's acceptance is either justified - the replayer 'does' know the secret information - which means that the protocol leaks knowledge and is not zero-knowledge, or it is spurious - i.e. leads to a party accepting someone's proof of knowledge who does not actually possess it.
| | Also visit my page; [http://circuspartypanama.com clash of clans Hack no survey or Password] |
| | |
| Some forms of non-interactive zero-knowledge proofs of knowledge exist,<ref name="noninteractive">{{cite paper |first=Manuel |last=Blum |first2=Paul |last2=Feldman |first3=Silvio |last3=Micali |title=Non-Interactive Zero-Knowledge and Its Applications |work=Proceedings of the twentieth annual ACM symposium on Theory of computing (STOC 1988) |pages=103–112 |year=1988 |doi=10.1145/62212.62222 }}</ref> but the validity of the proof relies on computational assumptions (typically the assumptions of an ideal [[cryptographic hash function]]).
| |
| | |
| == Abstract example ==
| |
| {{multiple image
| |
| | align = right
| |
| | direction = vertical
| |
| | header =
| |
| | width = 150
| |
| | image1 = Zkip alibaba1.png
| |
| | caption1 = Peggy randomly takes either path A or B, while Victor waits outside
| |
| | image2 = Zkip alibaba2.png
| |
| | caption2 = Victor chooses an exit path
| |
| | image3 = Zkip alibaba3.png
| |
| | caption3 = Peggy reliably appears at the exit Victor names
| |
| }}
| |
| There is a well-known story presenting the fundamental ideas of zero-knowledge proofs, first published by [[Jean-Jacques Quisquater]] and others in their paper "How to Explain Zero-Knowledge Protocols to Your Children".<ref>{{cite paper |first=Jean-Jacques |last=Quisquater |first2=Louis C. |last2=Guillou |first3=Thomas A. |last3=Berson |title=How to Explain Zero-Knowledge Protocols to Your Children |work=Advances in Cryptology - CRYPTO '89: Proceedings |volume=435 |issue= |pages=628–631 |year=1990 |url=http://www.cs.wisc.edu/~mkowalcz/628.pdf }}</ref> It is [[Alice and Bob|common practice]] to label the two [[characters in cryptography|parties]] in a zero-knowledge proof as Peggy (the prover of the statement) and Victor (the verifier of the statement).
| |
| | |
| In this story, Peggy has uncovered the secret word used to open a magic door in a cave. The cave is shaped like a circle, with the entrance on one side and the magic door blocking the opposite side. Victor wants to know whether Peggy knows the secret word; but Peggy, being a very private person, does not want to reveal the fact of her knowledge to the world in general.
| |
| | |
| They label the left and right paths from the entrance A and B. First, Victor waits outside the cave as Peggy goes in. Peggy takes either path A or B; Victor is not allowed to see which path she takes. Then, Victor enters the cave and shouts the name of the path he wants her to use to return, either A or B, chosen at random. Providing she really does know the magic word, this is easy: she opens the door, if necessary, and returns along the desired path.
| |
| | |
| However, suppose she did not know the word. Then, she would only be able to return by the named path if Victor were to give the name of the same path that she had entered by. Since Victor would choose A or B at random, she would have a 50% chance of guessing correctly. If they were to repeat this trick many times, say 20 times in a row, her chance of successfully anticipating all of Victor's requests would become vanishingly small (about one in 1.05 million).
| |
| | |
| Thus, if Peggy repeatedly appears at the exit Victor names, he can conclude that it is very probable — astronomically probable — that Peggy does in fact know the secret word.
| |
| | |
| However, even if Victor is wearing a hidden camera that records the whole transaction, the only thing the camera will record is Victor shouting "A!" and Peggy appearing at A; Victor shouting "B!" and Peggy appearing at B. A recording of this type would be trivial for any two people to fake (requiring only that Peggy and Victor agree beforehand on the sequence of A's and B's that Victor will shout). Such a recording will certainly never be convincing to anyone but the original participants. In fact, even a person who was present as an observer ''at the original experiment'' would be unconvinced, since Victor and Peggy might have orchestrated the whole "experiment" from start to finish.
| |
| | |
| Notice that if Victor chooses his A's and B's by flipping a coin on-camera, this protocol loses its zero-knowledge property; the on-camera coin flip would probably be convincing to any person watching the recording later. However, digital cryptography generally "flips coins" by relying on a [[pseudo-random number generator]], which is akin to a coin with a fixed pattern of heads and tails known only to the coin's owner. If Victor's coin behaved this way, then again it would be possible for Victor and Peggy to have faked the "experiment".
| |
| | |
| == Definition ==
| |
| | |
| A zero-knowledge proof must satisfy three properties:
| |
| # '''Completeness''': if the statement is true, the honest verifier (that is, one following the protocol properly) will be convinced of this fact by an honest prover.
| |
| # '''Soundness''': if the statement is false, no cheating prover can convince the honest verifier that it is true, except with some small probability.
| |
| # '''Zero-knowledge''': if the statement is true, no cheating verifier learns anything other than this fact. This is formalized by showing that every cheating verifier has some ''simulator'' that, given only the statement to be proven (and no access to the prover), can produce a transcript that "looks like" an interaction between the honest prover and the cheating verifier.
| |
| | |
| The first two of these are properties of more general [[interactive proof system]]s. The third is what makes the proof zero-knowledge.
| |
| | |
| Zero-knowledge proofs are not proofs in the mathematical sense of the term because there is some small probability, the ''soundness error'', that a cheating prover will be able to convince the verifier of a false statement. In other words, they are probabilistic rather than deterministic. However, there are techniques to decrease the soundness error to negligibly small values.
| |
| | |
| A formal definition of zero-knowledge has to use some computational model, the most common one being that of a [[Turing machine]]. Let <math>P</math>,<math>V</math>, and <math>S</math> be turing machines. An [[interactive proof system]] with <math>(P,V)</math> for
| |
| a language <math>L</math> is zero-knowledge if for any probabilistic polynomial time (PPT) verifier <math>\hat V</math> there exists an expected PPT simulator <math>S</math> such that <br>
| |
| <math>\forall x \in L, z \in \{0, 1\}^{*}, \text{View}_{\hat V} [P(x) \leftrightarrow \hat V(x, z)] = S(x, z)</math>
| |
| | |
| The prover <math>P</math> is modeled as having unlimited computation power (in practice, P usually is a [[Probabilistic Turing machine]]). Intuitively, the definition states that an interactive proof system <math>(P,V)</math> is zero-
| |
| knowledge if for any verifier <math>\hat V</math> there exists an efficient simulator <math>S</math> that can
| |
| reproduce the conversation between <math>P</math> and <math>\hat V</math>
| |
| on any given input.
| |
| The auxiliary string <math>z</math> in the definition plays the role of “prior knowledge”. The definition implies that <math>\hat V</math> cannot use any
| |
| prior knowledge string <math>z</math> to mine information out of its conversation with <math>P</math> because we
| |
| demand that if <math>S</math> is also given this prior knowledge then it can reproduce the conversation
| |
| between <math>\hat V</math> and <math>P</math> just as before.
| |
| | |
| The definition given is that of perfect zero-knowledge. Computational zero-knowledge is obtained by requiring that the views of the verifier <math>\hat V</math> and the simulator are only [[Computational indistinguishability|computationally indistinguishable]], given the auxiliary string.
| |
| | |
| == Practical examples ==
| |
| | |
| === Discrete Log of a given value ===
| |
| | |
| We can extend these ideas to a more realistic cryptography application. Peggy wants to prove to Victor that she knows the [[discrete logarithm|discrete log]] of a given value in a given [[group theory|group]].<ref>{{cite paper |first=David |last=Chaum |first2=Jan-Hendrik |last2=Evertse |first3=Jeroen |last3=van de Graaf |title=An Improved Protocol for Demonstrating Possession of Discrete Logarithms and Some Generalizations |work=Advances in Cryptology - EuroCrypt '87: Proceedings |volume=304 |issue= |pages=127–141 |year=1987 }}</ref> For example, given a value <math>y</math>, a large [[Prime number|prime]] <math>p</math> and a generator <math>g</math>, she wants to prove that she knows a value <math>x</math> such that <math>g^x ~\bmod~ p = y</math>, without revealing <math>x</math>. This could be used as a proof of identity, in that Peggy could have such knowledge because she chose a random value <math>x</math> that she didn't reveal to anyone, computed <math>y = g^x ~\bmod~ p</math> and distributed the value of <math>y</math> to all potential verifiers, such that at a later time, proving knowledge of <math>x</math> is equivalent to proving identity as Peggy.
| |
| | |
| The protocol proceeds as follows: in each round, Peggy generates a random number <math>r</math>, computes <math>C = g^r ~\bmod~ p</math> and discloses this to Victor. After receiving <math>C</math>, Victor randomly issues one of the following two requests: he either requests that Peggy discloses the value of <math>r</math>, or the value of <math>x+r ~\bmod~ (p-1)</math>. With either answer, Peggy is only disclosing a random value, so no information is disclosed by a correct execution of one round of the protocol.
| |
| | |
| Victor can verify either answer; if he requested <math>r</math>, he can then compute <math>g^r ~\bmod~ p</math> and verify that it matches <math>C</math>. If he requested <math>x+r ~\bmod~ (p-1)</math>, he can verify that <math>C</math> is consistent with this, by computing <math>g^{x+r ~\bmod~ (p-1)} ~\bmod~ p</math> and verifying that it matches <math>C \cdot y ~\bmod~ p</math>. If Peggy indeed knows the value of <math>x</math>, she can respond to either one of Victor's possible challenges.
| |
| | |
| If Peggy knew or could guess which challenge Victor is going to issue, then she could easily cheat and convince Victor that she knows <math>x</math> when she does not: if she knows that Victor is going to request <math>r</math>, then she proceeds normally: she picks <math>r</math>, computes <math>C = g^r ~\bmod~ p</math> and discloses <math>C</math> to Victor; she will be able to respond to Victor's challenge. On the other hand, if she knows that Victor will request <math>x+r ~\bmod~ (p-1)</math>, then she picks a random value <math>r'</math>, computes <math>C' = g^{r'} \cdot {(g^x)}^{-1} ~\bmod~ p</math>, and disclose <math>C'</math> to Victor as the value of <math>C</math> that he is expecting. When Victor challenges her to reveal <math>x+r ~\bmod~ (p-1)</math>, she reveals <math>r'</math>, for which Victor will verify consistency, since he will in turn compute <math>g^{r'} ~\bmod~ p</math>, which matches <math>C' \cdot y</math>, since Peggy multiplied by the inverse of <math>y</math>.
| |
| | |
| However, if in either one of the above scenarios Victor issues a challenge other than the one she was expecting and for which she manufactured the result, then she will be unable to respond to the challenge under the assumption of infeasibility of solving the discrete log for this group. If she picked <math>r</math> and disclosed <math>C = g^r ~\bmod~ p</math>, then she will be unable to produce a valid <math>x+r ~\bmod~ (p-1)</math> that would pass Victor's verification, given that she does not know <math>x</math>. And if she picked a value <math>r'</math> that poses as <math>x+r ~\bmod~ (p-1)</math>, then she would have to respond with the discrete log of the value that she disclosed — a value that she obtained through arithmetic with known values, and not by computing a power with a known exponent.
| |
| | |
| Thus, a cheating prover has a 0.5 probability of successfully cheating in one round. By executing a large enough number of rounds, the probability of a cheating prover succeeding can be made arbitrarily low.
| |
| | |
| === Hamiltonian cycle for a large graph ===
| |
| | |
| In this scenario, Peggy knows a [[Hamiltonian path|Hamiltonian cycle]] for a large [[Graph (mathematics)|graph]], ''G''. Victor knows ''G'' but not the cycle (e.g., Peggy has generated ''G'' and revealed it to him.) Finding a Hamiltonian cycle given a large graph is believed to be infeasible, since its corresponding decision version is known to be [[NP-complete]]. Peggy will prove that she knows the cycle without simply revealing it (perhaps Victor is interested in buying it but wants verification first, or maybe Peggy is the only one who knows this information and is proving her identity to Victor).
| |
| | |
| To show that Peggy knows this Hamiltonian cycle, she and Victor play several rounds of a game.
| |
| | |
| * At the beginning of each round, Peggy creates ''H'', an [[graph isomorphism|isomorphic graph]] to ''G'' (i.e. ''H'' is just like ''G'' except that all the vertices have different names). Since it is trivial to translate a Hamiltonian cycle between isomorphic graphs with known isomorphism, if Peggy knows a Hamiltonian cycle for ''G'' she also must know one for ''H''.
| |
| * Peggy commits to ''H''. She could do so by using a cryptographic [[commitment scheme]]. Alternatively, she could number the vertices of ''H'', then for each edge of ''H'' write a small piece of paper containing the two vertices of the edge and then put these pieces of paper upside down on a table. The purpose of this commitment is that Peggy is not able to change ''H'' while at the same time Victor has no information about ''H''.
| |
| *Victor then randomly chooses one of two questions to ask Peggy. He can either ask her to show the isomorphism between ''H'' and ''G'' (see [[graph isomorphism problem]]), or he can ask her to show a Hamiltonian cycle in ''H''.
| |
| *If Peggy is asked to show that the two graphs are isomorphic, she first uncovers all of ''H'' (e.g. by turning all pieces of papers that she put on the table) and then provides the vertex translations that map ''G'' to ''H''. Victor can verify that they are indeed isomorphic.
| |
| *If Peggy is asked to prove that she knows a Hamiltonian cycle in ''H'', she translates her Hamiltonian cycle in ''G'' onto ''H'' and only uncovers the edges on the Hamiltonian cycle. This is enough for Victor to check that ''H'' does indeed contain a Hamiltonian cycle.
| |
| | |
| ;Completeness:
| |
| If Peggy is honest, she can easily satisfy Victor's demand for either a graph isomorphism (which she has) or a Hamiltonian cycle (which she can construct by applying the isomorphism to the cycle in ''G'').
| |
| | |
| ;Zero-Knowledge:
| |
| Peggy's answers do not reveal the original Hamiltonian cycle in ''G''. Each round, Victor will learn only ''H'''s isomorphism to ''G'' or a Hamiltonian cycle in ''H''. He would need both answers for a single ''H'' to discover the cycle in ''G'', so the information remains unknown as long as Peggy can generate a distinct ''H'' every round. If Peggy does not know of a Hamiltonian Cycle in ''G'', but somehow knew in advance what Victor would ask to see each round then she could cheat. For example, if Peggy knew ahead of time that Victor would ask to see the Hamiltonian Cycle in ''H'' then she could generate a Hamiltonian cycle for an unrelated graph. Similarly, if Peggy knew in advance that Victor would ask to see the isomorphism then she could simply generate an isomorphic graph ''H'' (in which she also does not know a Hamiltonian Cycle). Victor could simulate the protocol by himself (without Peggy) because he knows what he will ask to see. Therefore, Victor gains no information about the Hamiltonian cycle in ''G'' from the information revealed in each round.
| |
| | |
| ;Soundness:
| |
| If Peggy does not know the information, she can guess which question Victor will ask and generate either a graph isomorphic to ''G'' or a Hamiltonian cycle for an unrelated graph, but since she does not know a Hamiltonian cycle for ''G'' she cannot do both. With this guesswork, her chance of fooling Victor is 2<sup >−<var >n</var ></sup >, where <var >n</var > is the number of rounds. For all realistic purposes, it is infeasibly difficult to defeat a zero knowledge proof with a reasonable number of rounds in this way.
| |
| | |
| ==Variants of zero-knowledge==
| |
| Different variants of zero-knowledge can be defined by formalizing the intuitive concept of what is meant by the output of the simulator "looking like" the execution of the real proof protocol in the following ways:
| |
| | |
| * We speak of ''perfect zero-knowledge'' if the distributions produced by the simulator and the proof protocol are distributed exactly the same. This is for instance the case in the first example above.
| |
| | |
| * ''Statistical zero-knowledge''<ref>Sahai, Amit, and Salil Vadhan. 2003. A complete problem for statistical zero knowledge. Journal of the Association for Computing Machinery 50, no. 2: 196-249</ref> means that the distributions are not necessarily exactly the same, but they are [[statistically close]], meaning that their statistical difference is a [[negligible function]].
| |
| | |
| * We speak of ''computational zero-knowledge'' if no efficient algorithm can distinguish the two distributions.
| |
| | |
| == Applications ==
| |
| | |
| Research in zero-knowledge proofs has been motivated by [[authentication]] systems where one party wants to prove its identity to a second party via some secret information (such as a password) but doesn't want the second party to learn anything about this secret. This is called a "zero-knowledge [[proof of knowledge]]". However, a password is typically too small or insufficiently random to be used in many schemes for zero-knowledge proofs of knowledge. A [[zero-knowledge password proof]] is a special kind of zero-knowledge proof of knowledge that addresses the limited size of passwords.
| |
| | |
| One of the most fascinating uses of zero-knowledge proofs within cryptographic protocols is to enforce honest behavior while maintaining privacy. Roughly, the idea is to force a user to prove, using a zero-knowledge proof, that its behavior is correct according to the protocol. Because of soundness, we know that the user must really act honestly in order to be able to provide a valid proof. Because of zero knowledge, we know that the user does not compromise the privacy of its secrets in the process of providing the proof. This application of zero-knowledge proofs was first used in the ground-breaking paper of [[Oded Goldreich]], [[Silvio Micali]], and [[Avi Wigderson]] on [[secure multiparty computation]].
| |
| | |
| ==History and results==
| |
| | |
| Zero-knowledge proofs were first conceived in 1985 by [[Shafi Goldwasser]], [[Silvio Micali]], and [[Charles Rackoff]] in their paper "The Knowledge Complexity of Interactive Proof-Systems".<ref>{{Citation | last1=Goldwasser | first1=S. | last2=Micali | first2=S. | last3=Rackoff | first3=C. | title=The knowledge complexity of interactive proof systems | url=http://crypto.cs.mcgill.ca/~crepeau/COMP647/2007/TOPIC02/GMR89.pdf | doi = 10.1137/0218012 | publisher=[[Society for Industrial and Applied Mathematics]] | location=Philadelphia | year=1989 | journal=SIAM Journal on Computing | issn=1095-7111 | volume=18 | issue=1 | pages=186–208}}</ref> This paper introduced the '''IP''' hierarchy of interactive proof systems (''see [[interactive proof system]]'') and conceived the concept of ''knowledge complexity'', a measurement of the amount of knowledge about the proof transferred from the prover to the verifier. They also gave the first zero-knowledge proof for a concrete problem, that of deciding [[quadratic residue|quadratic nonresidues]] mod ''m''. Together with a paper by [[László Babai]] and [[Shlomo Moran]], this landmark paper invented interactive proof systems, for which all five authors won the first [[Gödel Prize]] in 1993.
| |
| | |
| In their own words, Goldwasser, Micali, and Rackoff say:
| |
| | |
| <blockquote>
| |
| Of particular interest is the case where this additional knowledge is essentially 0 and we show that [it] is possible to interactively prove that a number is quadratic non residue mod ''m'' releasing 0 additional knowledge. This is surprising as no efficient algorithm for deciding quadratic residuosity mod ''m'' is known when ''m''’s factorization is not given. Moreover, all known ''NP'' proofs for this problem exhibit the prime factorization of ''m''. This indicates that adding interaction to the proving process, may decrease the amount of knowledge that must be communicated in order to prove a theorem.
| |
| </blockquote>
| |
| | |
| The quadratic nonresidue problem has both an '''[[NP (complexity)|NP]]''' and a '''[[co-NP]]''' algorithm, and so lies in the intersection of '''NP''' and '''co-NP'''. This was also true of several other problems for which zero-knowledge proofs were subsequently discovered, such as an unpublished proof system by Oded Goldreich verifying that a two-prime modulus is not a [[Blum integer]].<ref>{{cite paper |first=Oded |last=Goldreich |title=A zero-knowledge proof that a two-prime moduli is not a Blum integer |work=Unpublished manuscript |year=1985 }}</ref>
| |
| | |
| [[Oded Goldreich]], [[Silvio Micali]], and [[Avi Wigderson]] took this one step further, showing that, assuming the existence of unbreakable encryption, one can create a zero-knowledge proof system for the NP-complete [[graph coloring problem]] with three colors. Since every problem in '''NP''' can be efficiently reduced to this problem, this means that, under this assumption, all problems in '''NP''' have zero-knowledge proofs.<ref>{{cite journal |first=Oded |last=Goldreich |first2=Silvio |last2=Micali |first3=Avi |last3=Wigderson |title=Proofs that yield nothing but their validity |journal=Journal of the ACM |volume=38 |issue=3 |pages=690–728 |doi=10.1145/116825.116852 |year=1991 }}</ref> The reason for the assumption is that, as in the above example, their protocols require encryption. A commonly cited sufficient condition for the existence of unbreakable encryption is the existence of [[one-way function]]s, but it is conceivable that some physical means might also achieve it.
| |
| | |
| On top of this, they also showed that the [[graph nonisomorphism problem]], the [[complement (complexity)|complement]] of the [[graph isomorphism problem]], has a zero-knowledge proof. This problem is in '''co-NP''', but is not currently known to be in either '''NP''' or any practical class. More generally, Goldreich, Goldwasser et al. would go on to show that, also assuming unbreakable encryption, there are zero-knowledge proofs for ''all'' problems in '''IP'''='''PSPACE''', or in other words, anything that can be proved by an interactive proof system can be proved with zero knowledge.<ref>{{cite book |first=Michael |last=Ben-Or |first2=Oded |last2=Goldreich |first3=Shafi |last3=Goldwasser |first4=Johan |last4=Hastad |first5=Joe |last5=Kilian |first6=Silvio |last6=Micali |first7=Phillip |last7=Rogaway |chapter=Everything provable is provable in zero-knowledge |editor-first=S. |editor-last=Goldwasser |title=Advances in Cryptology--CRYPTO '88 |volume=403 |series=Lecture Notes in Computer Science |pages=37–56 |publisher=Springer-Verlag |year=1990 }}</ref>
| |
| | |
| Not liking to make unnecessary assumptions, many theorists sought a way to eliminate the necessity of [[one way function]]s. One way this was done was with ''multi-prover interactive proof systems'' (see [[interactive proof system]]), which have multiple independent provers instead of only one, allowing the verifier to "cross-examine" the provers in isolation to avoid being misled. It can be shown that, without any intractability assumptions, all languages in '''NP''' have zero-knowledge proofs in such a system.<ref>{{cite paper |first=M. |last=Ben-or |first2=Shafi |last2=Goldwasser |first3=J. |last3=Kilian |first4=A. |last4=Wigderson |url=http://theory.lcs.mit.edu/~cis/pubs/shafi/1988-stoc-bgkw.pdf |title=Multi prover interactive proofs: How to remove intractability assumptions |work=Proceedings of the 20th ACM Symposium on Theory of Computing |pages=113–121 |year=1988 }}</ref>
| |
| | |
| It turns out that in an Internet-like setting, where multiple protocols may be executed concurrently, building zero-knowledge proofs is more challenging. The line of research investigating concurrent zero-knowledge proofs was initiated by the work of [[Cynthia Dwork|Dwork]], [[Moni Naor|Naor]], and Sahai.<ref>{{cite journal |first=Cynthia |last=Dwork |first2=Moni |last2=Naor |first3=Amit |last3=Sahai |title=Concurrent Zero Knowledge |journal=Journal of the ACM |volume=51 |issue=6 |pages=851–898 |year=2004 |doi=10.1145/1039488.1039489 }}</ref> One particular development along these lines has been the development of [[witness-indistinguishable proof]] protocols. The property of witness-indistinguishability is related to that of zero-knowledge, yet witness-indistinguishable protocols do not suffer from the same problems of concurrent execution.<ref>{{cite paper |first=Uriel |last=Feige |first2=Adi |last2=Shamir |title=Witness Indistinguishable and Witness Hiding Protocols |work=Proceedings of the twenty-second annual ACM Symposium on Theory of Computing (STOC) |year=1990 |doi=10.1145/100216.100272 }}</ref>
| |
| | |
| Another variant of zero-knowledge proofs are [[non-interactive zero-knowledge proof]]s. Blum, Feldman, and Micali showed that a common random string shared between the prover and the verifier is enough to achieve computational zero-knowledge without requiring interaction.<ref name="noninteractive" />
| |
| | |
| ==See also==
| |
| {{portal|cryptography}}
| |
| * [[Arrow information paradox]]
| |
| * [[Cryptographic protocol]]
| |
| * [[Feige–Fiat–Shamir identification scheme]]
| |
| * [[Proof of knowledge]]
| |
| * [[Topics in cryptography]]
| |
| * [[Witness-indistinguishable proof]]
| |
| * [[Zerocoin]]
| |
| * [[Zero-knowledge password proof]]
| |
| | |
| ==Notes==
| |
| {{Reflist}}
| |
| | |
| ==External links==
| |
| * [http://www.wisdom.weizmann.ac.il/~naor/PUZZLES/waldo.html Applied Kid Cryptography] – A simple explanation of zero-knowledge proofs using [[Where's Waldo?]] as an example
| |
| * [http://www.austinmohr.com/work/files/zkp.pdf A gentle introduction to zero-knowledge proofs with applications to cryptography]
| |
| * [http://www.wisdom.weizmann.ac.il/~oded/gmw1.html How to construct zero-knowledge proof systems for NP]
| |
| * [http://www.cs.ucsd.edu/users/daniele/papers/GMR.html An efficient non-interactive statistical zero-knowledge proof system for quasi-safe prime products]
| |
| * [http://www.wisdom.weizmann.ac.il/~oded/zk-tut02.html A tutorial by Oded Goldreich on zero knowledge proofs]
| |
| * [[Salil Vadhan]], [http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.70.4056&rep=rep1&type=pdf Vadhan's phd thesis on statistical zero knowledge]
| |
| * Theory of Computing Course, Cornell University 2009, [http://www.cs.cornell.edu/courses/cs6810/2009sp/scribe/lecture18.pdf Zero knowledge proofs]
| |
| | |
| [[Category:Cryptographic protocols]]
| |
| [[Category:Theory of cryptography]]
| |
| [[Category:Zero-knowledge protocols]]
| |
| | |
| {{Crypto}}
| |