Questions tagged [interactive-proofs]
32 questions
8 votes · 0 answers
Proof of Knowledge & Rewinding Lemma
I'm somewhat confused about how the definition of a proof of knowledge relates to the Theorem 19.1 in Boneh-Shoup (http://toc.cryptobook.us/book.pdf), particularly in relation to Schnorr's protocol for proof of knowledge of a discrete logarithm.
As…
George Herbert
- 97
- 4
5 votes · 1 answer
Why does extractability not contradict zero-knowledge?
I was introduced to the QR-protocol that shows that a number y is a quadratic residue modulo x through an interactive protocol. The protocol is perfect zero-knowledge but it also proves that the prover P knows the square root w (a witness) of y…
Niko Wolf
- 111
- 4
5 votes · 1 answer
In Zero Knowledge Proofs (ZKP) why do the simulator and extractor get the power to rewind "time" and not some other superpower?
Why was the simulator/extractor specifically given the power to rewind "time" instead of a different super power?
Was it defined in the first ZKP paper that the simulator and extractor would have this power as a "standard" and then everyone went…
CLox
- 195
- 4
4 votes · 2 answers
Rigorous Proof on Malicious Zero-Knowledge Property of Schnorr Protocol
Let us recall the Schnorr Protocol, following Chris Peikert's excellent Notes on the Theory of Cryptography.
Protocol. Let $G=\langle g \rangle$ be a cyclic group of order $q$. We consider an arbitrary element $x\in G$, having Discrete Logarithm…
Chris
- 266
- 2
- 11
4 votes · 1 answer
Why does the challenge need to be prime in Wesolowski's succinct argument of $y=x^{e}$?
In Wesolowski's VDF (verifiable delay function) a prover produces a pair $(x, y)$ and needs to argue to the verifier that the pair satisfies $y = x^e \pmod N$ for some $e$ computable to both. The verifier is compute limited and $e$ is really large,…
MERTON
- 225
- 1
- 6
3 votes · 2 answers
Definition of soundness for interactive proof systems
I am reading the Wikipedia page for Interactive proof systems and am having trouble understanding the notation in the definition of soundness, much of which is left unspecified.
Given a formal language of strings $L$, a verifier $\mathcal{V}$ for this…
Abced Decba
- 133
- 3
3 votes · 0 answers
Interactive proof of possession of a signed message
Suppose Alice has a verifiable (message, signature) pair from Cedric, who would not cooperate and routinely uses an algo (ecdsa, eddsa, rsa, or insert yours here) to sign messages.
Alice wants to interactively prove to Bob she has that (message,…
wick
- 151
- 5
3 votes · 1 answer
The significance of rewinding a simulation in a ZK interactive proof
I'm reading Matthew Green's blog post on ZK Interactive Proofs
I don't understand the part where he explains how using a time machine shows that the prover is leaking zero information
Specifically, assume that I (the Verifier) have some strategy…
user93353
- 2,348
- 3
- 28
- 49
2 votes · 1 answer
Deterministic vs probabilistic adversaries in a proof-of-knowledge context
In several security games, it is safe to replace probabilistic polynomial-time adversaries with deterministic ones without reducing the adversarial advantage. The relevant argument can be found here.
However, according to Bellare&Goldreich, the…
xz-nomial
- 23
- 5
2 votes · 1 answer
3-Coloring Zero-Knowledge Proof: rational verifier?
I'm studying the application of Zero-Knowledge Proofs (ZKP) to graph 3-colorability. I haven't fully understood the need for randomness in the verifier's choice of the edge to challenge the prover with.
If the verifier could choose the edge to…
Tom_tomato
- 23
- 4
2 votes · 1 answer
Languages $L$ that have perfect zero-knowledge that do not have any $AM$ proof system that is perfect or zero-knowledge on $L$
In the GMR[85] paper, a conjecture is made in section 3.7:
There exist languages $L$ that have perfect or statistical zero-knowledge proof systems, but do not have any Arthur-Merlin proof system that is perfect or zero-knowledge on $L$.
I was…
itstwelvehere
- 73
- 5
2 votes · 1 answer
Which hash functions have the mathematical properties required to prove data availability?
I'm looking for a specific keyed hash function with security properties that allow it to be used for a step in an interactive proof, in which a Verifier has some message, and the Prover needs to prove that they have the entirety of this message…
AJMansfield
- 136
- 7
2 votes · 1 answer
GKR Protocol - is it one Sum-Check per layer or is it one Sum-Check per gate?
I am reading about the GKR protocol from Justin Thaler's book, Proofs, Arguments & Zero Knowledge.
On Page 59,
In the first message, $P$ tells $V$ the (claimed) output(s) of the circuit. The protocol then works its way in iterations towards the input…
user93353
- 2,348
- 3
- 28
- 49
2 votes · 2 answers
How to calculate soundness error of a sigma protocol?
How do I calculate the soundness error of a sigma protocol, such as Schnorr's interactive protocol for knowledge of a discrete logarithm?
George Herbert
- 97
- 4
2 votes · 0 answers
Accumulation Updater for Cryptography
I want an in-place update for a sorted element list and a proof for the accumulator encoding of only the updated element. I tried to find a technique similar to this, but only GCTI and similar methods pop up.
It must get elements in order of sorted list, replace ith…
Junghee Kim
- 21
- 1