Zero Knowledge Proofs and Sigma Protocols Flashcards
Definition of language
Definition of complexity class
Definition of decision problem and relation with search problem
Examples of complexity classes
Definition of NP complexity class
NP-complete problems and relation between P and NP
Examples of NP-complete problems
P vs NP wrt one-way functions
Definition of k-round interaction
Definition of IP complexity class
IP class with respect to PSPACE class and NP class with example
Definition of graph and of graph isomorphism
GNI and IP
Prove that GNI belongs to IP
Definition of Zero Knowledge Proof
Definition of Honest-Verifier Zero Knowledge
GI and PKZ
Prove that GI belongs to PZK
Prove that if there exists a one-way function then NP belongs / equal to CZK
Definition of proof of knowledge
cheating is as difficult as crafting a witness + formal def with p and k
Definition of Zero-Knowledge Proof of Knowledge
GI and PZKPoK
Prove that GI belongs to PZKPoK
Definition of Sigma Protocol: what is it, what is it made of and which properties does it have
Sigma protocol for Graph Isomorphism: construction, proof and soundness error
Sigma protocol for Discrete Logarithm: construction, proof and soundness error
Sigma protocol for Square Root Problem: construction, proof and soundness error
resp = x^c * r
Definition of Identification Scheme
4 algo
gen, P1 p2 v
gen prende 1^lambda e genera pk e sk
Experiment for Identification Scheme
Definition of Secure Identification Scheme
Theorem: Sigma protocols as secure identification schemes and proof
Theorem
Let L be language in NP and assume that there exists no PPT adversary that given x ∈ L finds a witness for x with non-negligible probability. Let Π be a Σ-protocol for a ZKPoK for L, together with an algorithm to generate pairs (x , w ) with x ∈ L and w a witness of this fact. Then Π is a secure identification protocol, where the prover has public key x and secret key w.
Proof.
The completeness of Π implies that Π is indeed an identification protocol. The special soundness of Π implies that an adversary A can fool the verifier only by finding the secret key w, which is infeasible by hypothesis. Finally, the honest verifier zero-knowledge of Π implies that the adversary A gains no information from the oracle Transsk, since the transcripts that it produces can be simulated by an oracle that does not know sk.
Security parameter lambda for an identification protocol
- in order to achieve a security level λ, the parameters must be selected so that solving the search problem for L (with the best known algorithms) has average-case complexity proportional to 2λ.
- Moreover, to achieve a security level λ, the number R of rounds should be at least λ/log(1/p), where p is the soundness error of the Σ-protocol and log is the logarithm in base 2.
This ensures that the probability that a cheater passes the identification is less than 2−λ, and protects from brute-force attacks.
Communication cost
Construction and proof of Schnorr Identification Protocol
= sigma protocol per DL
parte tutto da un gruppo e i parametri x e c vengono presi da Z p
