4

I pretty recently understood the concept of zero-knowledge proof (on a purely logical level, not mathematically speaking, thanks to this article). Despite being a very counter-intuitive principle, it turned out to be an actual and applicable system. I am now wondering if another counter-intuitive problem is solvable: is it possible to prove that we don't (or are unable to) know a piece of information? Or to rephrase it in a more formal way, is it possible to prove that such a system is impossible to create? Regards

Nemecle

2 Answers

1

Yes. Just prove that such information doesn't exist.
(For example, that can be used to prove that one
doesn't know a boolean value x such that x and not x.)

For P/poly provers, if such proofs exist then UNSAT has a usually-correct promiseMA protocol.
However, if public-coin collision-resistant hash families exist, then
a common random string is enough for arguments of non-knowledge.
For example, to argue that one does not know a string
such that H_{common_random_string}(0||x) = y, argue that one
does know a string x such that H_{common_random_string}(1||x) = y.
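
The hash-based argument above, as an added example that is not part of the original answer. Assumptions: SHA-256 prefixed with the common random string stands in for the hash family, the prover reveals x in the clear instead of running an argument of knowledge, and all function names and the `nbytes` truncation are hypothetical, the latter constructed only to show what breaks when the hash is not collision resistant.

```python
import hashlib
import os

def H(crs: bytes, msg: bytes, nbytes: int = 32) -> bytes:
    """Member of the hash family selected by crs (assumed: SHA-256 over crs || msg)."""
    return hashlib.sha256(crs + msg).digest()[:nbytes]

def prover_setup(crs: bytes, nbytes: int = 32):
    """Prover picks x1 and publishes y = H_crs(1 || x1)."""
    x1 = os.urandom(16)
    return x1, H(crs, b"\x01" + x1, nbytes)

def verify(crs: bytes, y: bytes, x1: bytes, nbytes: int = 32) -> bool:
    """Verifier accepts if x1 opens y under the 1-prefix."""
    return H(crs, b"\x01" + x1, nbytes) == y

def collision_from_cheater(crs, y, x0, x1, nbytes=32):
    """Reduction: a prover who passes verify() and also knows x0 with
    H_crs(0 || x0) = y has produced a collision in the hash family."""
    a, b = b"\x00" + x0, b"\x01" + x1
    if H(crs, a, nbytes) == y == H(crs, b, nbytes):
        return a, b  # distinct inputs (different first byte), same digest
    return None

def brute_force_x0(crs, y, nbytes, limit=1 << 20):
    """Search for a 0-prefixed preimage; only feasible for a weakened hash."""
    for i in range(limit):
        x0 = i.to_bytes(4, "big")
        if H(crs, b"\x00" + x0, nbytes) == y:
            return x0
    return None

if __name__ == "__main__":
    crs = os.urandom(32)  # constructed common random string
    # Full-length hash: the argument verifies, and a guessed x0 gives no collision.
    x1, y = prover_setup(crs)
    print("accepted:", verify(crs, y, x1))
    print("collision:", collision_from_cheater(crs, y, b"guess", x1))
    # 16-bit hash: a 0-prefixed preimage is found, so the argument proves nothing.
    x1, y = prover_setup(crs, nbytes=2)
    x0 = brute_force_x0(crs, y, nbytes=2)
    print("collision:", collision_from_cheater(crs, y, x0, x1, nbytes=2))
```
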

1

It is not possible to show directly that a prover does not know a certain piece of information. Basically, the prover could just ignore this piece of information and act like a prover without the information.

But let's assume there is an encoding of knowledge into integers, then we can do this:

  • Have the prover commit to all his known information (with an unconditionally hiding commitment).
  • Send him your challenge.
  • Let him prove that the challenge is not equal to any of his committed values. This can be done, see the answers to this question, although these techniques are not really practical.

If you send the challenge in the clear, then the prover does know the information after the execution of the protocol. Since he has to prove inequality to all his committed values, he needs to know that value. If you do not want him to know the information, you could apply a hash function to all the values in the protocol, although this isn't zero knowledge.

If you decide not to require the zero knowledge property at all, the prover could just publish the hashes of all his knowledge. And then you check whether the hash of the information is in there or not.

tylo