Questions tagged [zero-knowledge]

A zero-knowledge proof is a cryptographic demonstration of the truth of a statement such as "I know a number $x$ such that $g^x\mod p =y$", that can be verified by a sceptical party but provides no information beyond the truth of the statement.

More formally, a zero-knowledge proof must satisfy three conditions:

  1. Completeness. If the statement is true and the process is implemented by an honest prover, it should convince an honest verifier versed in the art of cryptography.
  2. Soundness. If the statement is false then the probability that a dishonest prover can convince an honest verifier versed in the art should be vanishingly small.
  3. Zero-knowledge. If the statement is true, the process provides no information to a verifier that they could not have produced themselves. By which we mean that the verifier could generate equivalent random transcripts of the process, by generating the exchanged information in a different order.
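As an added illustration that is not part of the original tag wiki, the three conditions above worked through on the Schnorr protocol for exactly the statement in the description, "I know $x$ such that $g^x \bmod p = y$". The toy group parameters, the function names and the `Transcript` type are constructed for this example. `prove`/`verify` show completeness; `simulate` produces an accepting transcript without ever touching $x$ by choosing the challenge and response first and solving for the commitment, which is the "generating the exchanged information in a different order" of condition 3; `extract` recovers $x$ from two accepting transcripts that share a commitment, which is how the rewinding extractor establishes soundness.

```python
import secrets
from typing import NamedTuple

# Constructed toy parameters: p = 2q + 1 with p and q prime, and g = 4 generates the
# order-q subgroup. They are far too small for real use and exist only to keep the
# arithmetic readable; a real deployment uses a ~256-bit prime-order group.
P = 2039
Q = 1019
G = 4


class Transcript(NamedTuple):
    t: int  # prover's commitment t = g^k mod p
    c: int  # verifier's challenge
    s: int  # prover's response s = k + c*x mod q


def keygen():
    """Secret x and public y = g^x mod p: the statement is 'I know x with g^x = y'."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def respond(x, k, c):
    """Prover's third message for nonce k and challenge c."""
    return (k + c * x) % Q


def prove(x, challenge_fn):
    """One honest run of the protocol; challenge_fn plays the verifier's turn.
    Messages are produced in protocol order: t, then c, then s."""
    k = secrets.randbelow(Q)
    t = pow(G, k, P)
    c = challenge_fn(t)
    return Transcript(t, c, respond(x, k, c))


def verify(y, tr):
    """Verifier accepts iff g^s == t * y^c (mod p)."""
    return pow(G, tr.s, P) == (tr.t * pow(y, tr.c, P)) % P


def honest_challenge(t):
    """An honest verifier ignores t and picks the challenge uniformly."""
    return secrets.randbelow(Q)


def simulate(y):
    """Zero-knowledge (honest-verifier flavour): without x, pick c and s first and
    solve for t = g^s * y^(-c). The transcript verifies and has the same
    distribution as a real one, so it carries no information about x."""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(pow(y, c, P), -1, P)) % P
    return Transcript(t, c, s)


def extract(tr1, tr2):
    """Special soundness: two accepting transcripts with the same t and different
    challenges give x = (s1 - s2) / (c1 - c2) mod q."""
    if tr1.t != tr2.t or tr1.c == tr2.c:
        raise ValueError("need the same commitment and different challenges")
    return ((tr1.s - tr2.s) * pow(tr1.c - tr2.c, -1, Q)) % Q


def rewind_and_extract(x):
    """Model of the rewinding extractor: it only calls the prover's black box
    (respond), resets it to just after the commitment, and asks a second challenge.
    A real verifier cannot do this, because the prover picks a fresh k each run."""
    k = secrets.randbelow(Q)
    t = pow(G, k, P)
    c1 = secrets.randbelow(Q)
    c2 = (c1 + 1 + secrets.randbelow(Q - 1)) % Q  # guaranteed c2 != c1
    tr1 = Transcript(t, c1, respond(x, k, c1))
    tr2 = Transcript(t, c2, respond(x, k, c2))
    return extract(tr1, tr2)


if __name__ == "__main__":
    x, y = keygen()
    print("completeness:", verify(y, prove(x, honest_challenge)))
    print("simulated transcript verifies:", verify(y, simulate(y)))
    print("rewinding extractor recovers x:", rewind_and_extract(x) == x)
```

The simulator here only works for an honest verifier whose challenge does not depend on $t$; against a malicious verifier the simulator itself must rewind (guess the challenge, abort and retry if the verifier picks a different one), which is the standard argument for Schnorr with a small challenge space and the subject of several of the questions below.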
46 questions
5
votes
1 answer

In Zero Knowledge Proofs (ZKP) why do the simulator and extractor get the power to rewind "time" and not some other superpower?

Why was the simulator/extractor specifically given the power to rewind "time" instead of a different super power? Was it defined in the first ZKP paper that the simulator and extractor would have this power as a "standard" and then everyone went…
5
votes
2 answers

Coin flipping without commitments or random oracles

It's well known that two parties, Alice and Bob, can flip a fair coin using commitments. Alice picks a random number $a \in \mathbb{Z}_q$ and computes $c_a = Com(a, r_a)$ where $r_a \xleftarrow{R} \mathbb{Z}_q$. She then sends to Bob $c_a$. Bob…
Ari
4
votes
1 answer

What prevents ZKP proofs from being misused by others?

In ZKP, if a prover P1 possesses a secret number S and generates a proof PRF for the possession of the same with the aim to prove it to a verifier V1. But, what prevents V1 from misusing the PRF and present itself to others as the one in possession…
user60588
4
votes
2 answers

Rigorous Proof on Malicious Zero-Knowledge Property of Schnorr Protocol

Let us recall the Schnorr Protocol, following Chris Peikert's excellent Notes on the Theory of Cryptography. Protocol. Let $G=\langle g \rangle$ be a cyclic group of order $q$. We consider an arbitrary element $x\in G$, having Discrete Logarithm…
4
votes
1 answer

How can a verifier benefit from being malicious or dishonest in a Zero Knowledge interactive proof?

Several texts talk about malicious/dishonest verifiers in a zero-knowledge interactive proof but none of them properly detail how a dishonest verifier can gain extra knowledge over an honest verifier using some examples like "Quadratic Residue…
user93353
4
votes
1 answer

sUF-CMA security of Lyubashevsky's ID and signature protocol

I have been working on the post-quantum safe ID/signature-schemes of Vadim Lyubashevsky (https://www.iacr.org/archive/asiacrypt2009/59120596/59120596.pdf). I am in particular studying the security proof, and wanting to structure this in a game based…
3
votes
1 answer

Zero knowledge proof of a linear expression in the exponent

Alice sends to Bob a value $B$ in $\mathbb{G}$ a group of high order. There are distinct elements $h_1$ and $h_2$ of high order of $\mathbb{G}$, and Alice wants to prove to Bob that she knows some values $b_1, b_2 \in \mathbb{Z}_q$ such that…
Adam54
3
votes
0 answers

Are there reputable public proving parameters for universal zkSNARK systems?

I have seen that Filecoin performed a public set-up ceremony for their zkSNARK system. Because Filecoin uses the Groth16 prover (which has a circuit-specific set-up), the output of this ceremony was public parameters that anyone can use to prove…
884d88baaa
3
votes
3 answers

State of the art for Graph Isomorphism

I want to know the state of the art result for proving knowledge of graph isomorphism. As described here, the classical Goldreich-Micali-Wigderson (GMW) protocol is a $\Sigma$-protocol with soundness error $\frac{1}{2}$, so it requires repetition.…
ketsi
3
votes
1 answer

Does NordPass Make the Same Error SpiderOak Stopped Making in 2017?

According to a Reddit post I am participating in, SpiderOak “repented” of its incorrect usage of the term “zero knowledge” in 2017, as shown…
tdMJN6B2JtUe
3
votes
1 answer

Why is Lagrange interpolation required in Batch Opening case of KZG/Kate PCS?

From here - Batch Opening of KZG PCS One can prove multiple evaluations $(\phi(e_i) = y_i)_{i\in I}$,for arbitrary points $e_i$ using a constant-sized KZG batch proof, $\pi_I = g^{q_I(\tau)}$, where \begin{align} \label{eq:batch-proof-rel} q_I(X)…
user93353
3
votes
2 answers

How does taking the difference between commitments verify that the messages are correct?

I have read that Pedersen commitments can be used to hide the messages such as transactions by participants. The verifier will just have to make sure that the difference of the commitments is zero. But I don't quite understand how is this…
xenon
3
votes
1 answer

How can you use ZK-proofs and public key signatures in this situation?

Let us say that we have 3 entities: an Issuer I, a user/prover P and a verifier V. V trusts I but does not trust u. u wants to show that he respects some kind of property (eg. being over 18yo) to V without revealing their whole birth day. V…
2
votes
1 answer

Languages $L$ that have perfect zero-knowledge that do not have any $AM$ proof system that is perfect or zero-knowledge on $L$

In the GMR[85] paper, a conjecture is made in section 3.7: There exist languages $L$ that have perfect or statistical zero-knowledge proof systems, but do not have any Arthur-Merlin proof system that is perfect or zero-knowledge on $L$. I was…
2
votes
1 answer

Equality check with Pedersen commitments

Does the Pedersen commitment scheme allow for checking whether two commitments are made - say by different people - for the same value?
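As an added example that is not part of either question or any answer on this page, the Pedersen homomorphism behind both Pedersen questions above (the "difference of the commitments is zero" balance check, and the equality check between two commitments). The toy group, the second generator `h` and all function names are constructed for this example; in a real setup `h` must be derived so that nobody knows $\log_g h$, otherwise the commitment is not binding.

```python
import secrets

# Constructed toy parameters: p = 2q + 1, and g = 4, h = 9 both generate the
# order-q subgroup. Far too small for real use. A real setup derives h by hashing
# to the group so that log_g(h) is unknown; a fixed small h is a demo shortcut.
P, Q, G, H = 2039, 1019, 4, 9


def commit(value, r):
    """Pedersen commitment Com(v, r) = g^v * h^r mod p. Hiding comes from the
    uniform r, binding from not knowing log_g(h). Note v is only defined mod q."""
    return (pow(G, value % Q, P) * pow(H, r % Q, P)) % P


def random_r():
    return secrets.randbelow(Q)


def difference(c1, c2):
    """Homomorphism: Com(v1, r1) / Com(v2, r2) = Com(v1 - v2, r1 - r2)."""
    return (c1 * pow(c2, -1, P)) % P


def product(commits):
    """Com of the sum of the values, with the sum of the randomness."""
    out = 1
    for c in commits:
        out = out * c % P
    return out


def is_zero_commitment(c, r):
    """A commitment to the value 0 with randomness r is just h^r."""
    return c == pow(H, r % Q, P)


def balance_check(inputs, outputs, r_delta):
    """Transaction balance: sum(inputs) == sum(outputs) (mod q) iff the difference
    prod(inputs)/prod(outputs) opens to 0 with r_delta = sum(r_in) - sum(r_out).
    The verifier learns r_delta but none of the amounts."""
    return is_zero_commitment(difference(product(inputs), product(outputs)), r_delta)


def same_value(c1, c2, r_delta):
    """Equality check: c1 and c2 hide the same value iff c1 / c2 == h^(r1 - r2).
    If the two committers are different people they must jointly supply r1 - r2,
    or one of them proves knowledge of log_h(c1 / c2) with a Schnorr-style proof."""
    return is_zero_commitment(difference(c1, c2), r_delta)


if __name__ == "__main__":
    r1, r2 = random_r(), random_r()
    print("same value:", same_value(commit(42, r1), commit(42, r2), r1 - r2))
    print("different value:", same_value(commit(42, r1), commit(43, r2), r1 - r2))

    ins = [commit(10, 3), commit(20, 4)]
    outs = [commit(25, 5), commit(5, 1)]
    print("balanced:", balance_check(ins, outs, (3 + 4) - (5 + 1)))
    # Edge case: values live in Z_q, so an output of 25 + q also "balances".
    # This is why real systems pair Pedersen balance checks with range proofs.
    print("wraparound passes:", balance_check(ins, [commit(25 + Q, 5), commit(5, 1)], 1))
```

The last line is the caveat a practitioner wants next to this trick: the difference being a commitment to zero only shows the values agree modulo the group order, so a confidential-transaction design additionally needs range proofs on each output to rule out negative or wrapped amounts.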