Huber's equation: Difference between revisions

From formulasearchengine
en>EmausBot
m r2.7.3) (Robot: Adding kk, nl, ru, sv
 
en>Addbot
m Bot: Migrating 6 interwiki links, now provided by Wikidata on d:q521641 (Report Errors)
'''Non-interactive zero-knowledge proofs''' are a variant of [[zero-knowledge proof]]s in which no interaction is necessary between prover and verifier. [[Manuel Blum|Blum]], Feldman, and [[Silvio Micali|Micali]] <ref name="bfm">Manuel Blum, Paul Feldman, and Silvio Micali. Non-Interactive Zero-Knowledge and Its Applications. Proceedings of the twentieth annual ACM symposium on Theory of computing (STOC 1988). 103-112. 1988</ref> showed that a common reference string shared between the prover and the verifier is enough to achieve computational zero-knowledge without requiring interaction. [[Oded Goldreich|Goldreich]] and Oren<ref>Oded Goldreich and Yair Oren. Definitions and Properties of Zero-Knowledge Proof Systems. Journal of Cryptology. Vol 7(1). 1-32. 1994 [http://www.wisdom.weizmann.ac.il/~oded/PS/oren.ps (PS)]</ref> gave impossibility results for one-shot zero-knowledge protocols in the [[Standard Model (cryptography)|standard model]]. In 2003, Goldwasser and Kalai published an instance of an identification scheme for which any hash function will yield an insecure digital signature scheme.<ref>Shafi Goldwasser and Yael Kalai. On the (In)security of the Fiat-Shamir Paradigm. Proceedings of the 44th Annual IEEE Symposium on Foundations of Computer Science (FOCS'03). 2003</ref> These results are not contradictory, as the impossibility result of Goldreich and Oren does not hold in the [[common reference string model]] or the [[random oracle model]]. Non-interactive zero-knowledge proofs thus show a separation between the cryptographic tasks that can be achieved in the standard model and those that can be achieved in 'more powerful' extended models.
 
The model influences the properties that can be obtained from a zero-knowledge protocol. Pass<ref>Rafael Pass. On Deniability in the Common Reference String and Random Oracle Model. Advances in Cryptology - CRYPTO 2003. 316-337. 2003 [http://www.nada.kth.se/~rafael/papers/denzk.ps (PS)]</ref> showed that in the common reference string model non-interactive zero-knowledge protocols do not preserve all of the properties of interactive zero-knowledge protocols, e.g. they do not preserve deniability.
 
Non-interactive zero-knowledge proofs can also be obtained in the [[random oracle model]] using the [[Fiat-Shamir heuristic]].
 
==Definition==
Originally,<ref name="bfm"/> non-interactive zero-knowledge was only defined as a single-theorem proof system. In such a system each proof requires its own fresh common reference string.
A common reference string in general is not a random string. It may, for instance, consist of randomly chosen group elements that all protocol parties use. Although the group elements are random, the reference string is not, as it contains a certain structure (e.g., group elements) that is distinguishable from randomness.
Subsequently, Feige, Lapidot, and [[Adi Shamir|Shamir]]<ref>Uriel Feige, Dror Lapidot, Adi Shamir: Multiple Non-Interactive Zero Knowledge Proofs Under General Assumptions. SIAM J. Comput. 29(1): 1-28 (1999)</ref> introduced multi-theorem zero-knowledge proofs as a more versatile notion for non-interactive zero-knowledge proofs.
 
In this model the prover and the verifier are in possession of a reference string sampled from a distribution ''D'' by a trusted setup <math>\sigma \gets \mathrm{Setup}(1^k)</math>. To prove a statement <math>y\in L</math> with witness ''w'', the prover runs <math>\pi \gets \mathrm{Prove}(\sigma,y,w)</math> and sends the proof <math>\pi</math> to the verifier. The verifier accepts if <math>\mathrm{Verify}(\sigma,y,\pi)=\mathrm{accept}</math>, and rejects otherwise. To account for the fact that <math>\sigma</math> may influence the statements that are being proven, the witness relation can be generalized to <math>(y,w) \in R_\sigma</math>, parameterized by <math>\sigma</math>.
 
===Completeness===
 
Verification succeeds for all <math>\sigma\in \mathrm{Setup}(1^k)</math> and every <math>(y,w) \in R_\sigma</math>.
 
More formally, for all ''k'', all <math>\sigma\in \mathrm{Setup}(1^k)</math>, and all <math>(y,w)\in R_\sigma</math>:
::<math>Pr[\pi \gets \mathrm{Prove}(\sigma,y,w) : \mathrm{Verify}(\sigma,y,\pi)=\mathrm{accept}] =1</math>
 
===Soundness===
 
Soundness requires that no prover can make the verifier accept for a wrong statement <math>y \not\in L</math> except with some small probability. The upper bound of this probability is referred to as the soundness error of a proof system.
 
More formally, for every malicious prover <math>\tilde P</math>, there exists a [[negligible function]] <math>\nu</math> such that
 
::<math>Pr[\sigma \gets \mathrm{Setup}(1^k), (y,\pi) \gets \tilde{P}(\sigma): 
y\not\in L \land \mathrm{Verify}(\sigma, y, \pi)=\mathrm{accept}] =\nu(k)\;.</math>
 
The above definition requires the soundness error to be negligible in the security parameter ''k''. By increasing ''k'' the soundness error can be made arbitrarily small. If the soundness error is ''0'' for all ''k'', we speak of ''perfect soundness''.
 
===Multi-theorem Zero-knowledge===
 
A non-interactive proof system <math>(\mathrm{Setup}, \mathrm{Prove}, \mathrm{Verify})</math> is multi-theorem zero-knowledge, if there exists a simulator <math>\mathrm{Sim}=(\mathrm{Sim}_1, \mathrm{Sim}_2)</math> such that for all non-uniform polynomial time adversaries <math>\mathcal{A}</math>,
 
::<math>Pr[\sigma \gets \mathrm{Setup}(1^k): \mathcal{A}^{\mathrm{Prove}(\sigma,\cdot,\cdot)}(\sigma)=1 ] \equiv Pr[(\sigma,\tau) \gets \mathrm{Sim}_1: \mathcal{A}^{\mathrm{Sim}(\sigma,\tau,\cdot,\cdot)}(\sigma)=1 ]</math>

Here <math>\mathrm{Sim}(\sigma,\tau,y,w)</math> outputs <math>\mathrm{Sim}_2(\sigma,\tau, y)</math> for <math>(y,w) \in R_\sigma</math> and both oracles output ''failure'' otherwise.
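The following is an added worked example, not code from the article or from any of the cited papers. It instantiates the <math>(\mathrm{Setup}, \mathrm{Prove}, \mathrm{Verify})</math> interface of the Definition section with a Schnorr proof of knowledge of a discrete logarithm made non-interactive by the Fiat-Shamir heuristic (the random oracle model route mentioned above), checks completeness and the rejection of tampered or re-bound proofs, and then plays the role of the simulator <math>\mathrm{Sim}</math> from the multi-theorem zero-knowledge definition: the trapdoor <math>\tau</math> is the ability to program the hash oracle, and <math>\mathrm{Sim}_2</math> produces an accepting proof without ever seeing the witness. All function names, the 62-bit toy safe-prime group and the <code>ProgrammableOracle</code> class are assumptions of this example; the group is far too small for real use.

```python
import hashlib
import secrets

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin; these fixed bases are deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def setup(bits=62):
    """Setup(1^k): sigma is the public group (p, q, g) with p = 2q+1 a safe prime
    and g = 4 = 2^2 a generator of the order-q subgroup. Toy size, assumed here;
    with Fiat-Shamir no trusted party has to sample anything secret."""
    q = (1 << bits) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return (2 * q + 1, q, 4)


def transcript(sigma, y, t):
    """Bytes fed to the hash: reference string, statement and commitment."""
    return "|".join(str(v) for v in (*sigma, y, t)).encode()


def challenge(sigma, y, t, oracle=None):
    """Fiat-Shamir challenge c = H(sigma, y, t) in Z_q. The statement y is hashed
    in on purpose: leaving it out lets one proof be re-used for another statement.
    An oracle object replaces the hash by a table (needed by the simulator)."""
    msg = transcript(sigma, y, t)
    if oracle is not None:
        return oracle.query(msg)
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % sigma[1]


def prove(sigma, y, w):
    """Prove(sigma, y, w) for the statement y = g^w."""
    p, q, g = sigma
    r = secrets.randbelow(q)            # fresh per proof; reusing r leaks w
    t = pow(g, r, p)                    # commitment
    s = (r + challenge(sigma, y, t) * w) % q
    return (t, s)


def verify(sigma, y, proof, oracle=None):
    """Verify(sigma, y, pi): accept iff g^s == t * y^c with c recomputed from the
    transcript. Subgroup membership of y and t is checked first."""
    p, q, g = sigma
    t, s = proof
    if not (0 < y < p and pow(y, q, p) == 1 and 0 < t < p and pow(t, q, p) == 1):
        return False
    if not 0 <= s < q:
        return False
    c = challenge(sigma, y, t, oracle)
    return pow(g, s, p) == (t * pow(y, c, p)) % p


class ProgrammableOracle:
    """Random-oracle stand-in; the trapdoor tau is the right to fix an answer
    before that point is queried (assumed construct for the simulator)."""

    def __init__(self, q):
        self.q, self.table = q, {}

    def query(self, msg):
        if msg not in self.table:
            self.table[msg] = secrets.randbelow(self.q)
        return self.table[msg]

    def program(self, msg, value):
        if msg in self.table:
            raise RuntimeError("oracle already answered at this point")
        self.table[msg] = value


def simulate(sigma, y, oracle):
    """Sim_2(sigma, tau, y): choose c and s first, solve t = g^s * y^(-c), then
    program H(sigma, y, t) := c. No witness is used, yet (t, s) is distributed
    exactly like an honest proof."""
    p, q, g = sigma
    c, s = secrets.randbelow(q), secrets.randbelow(q)
    t = (pow(g, s, p) * pow(y, q - c, p)) % p    # y^(q-c) == y^(-c) as y^q == 1
    oracle.program(transcript(sigma, y, t), c)
    return (t, s)


def demo(sigma=None):
    """Completeness, statement binding, tamper rejection and simulation."""
    sigma = sigma or setup()
    p, q, g = sigma
    w = secrets.randbelow(q)
    y, other = pow(g, w, p), pow(g, (w + 1) % q, p)
    pi = prove(sigma, y, w)
    oracle = ProgrammableOracle(q)
    sim_pi = simulate(sigma, y, oracle)
    return {
        "honest_accepts": verify(sigma, y, pi),
        "rebinding_rejected": not verify(sigma, other, pi),
        "tampered_rejected": not verify(sigma, y, (pi[0], (pi[1] + 1) % q)),
        "simulated_accepts": verify(sigma, y, sim_pi, oracle=oracle),
    }


if __name__ == "__main__":
    print(demo())
```

The simulated proof only verifies against the programmed oracle; under the real SHA-256 it fails, which is exactly the point of the random oracle model discussed in the introduction: the simulator's power comes from the model, and a proof produced this way carries no deniability argument outside it. The subgroup checks in <code>verify</code> and the inclusion of <math>y</math> in the hashed transcript are the two places where practical implementations of this transform most often go wrong.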
 
==Pairing-based Non-interactive Proofs==
 
[[Pairing-based cryptography]] has led to several cryptographic advancements. One of these advancements is more powerful and more efficient non-interactive zero-knowledge proofs. The seminal idea was to hide the values used in the evaluation of the pairing in a [[Commitment scheme|commitment]]. Using different commitment schemes, this idea was used to build zero-knowledge proof systems under the [[sub-group hiding]]<ref>Jens Groth, Rafail Ostrovsky, Amit Sahai: Perfect Non-interactive Zero Knowledge for NP. EUROCRYPT 2006: 339-358</ref> and under the [[decisional linear assumption]].<ref>Jens Groth, Rafail Ostrovsky, Amit Sahai: Non-interactive Zaps and New Techniques for NIZK. CRYPTO 2006: 97-111</ref> These proof systems prove [[Boolean satisfiability problem|circuit satisfiability]], and thus by the [[Cook–Levin theorem]] allow one to prove membership for every language in NP. The size of the common reference string and the proofs is relatively small; however, transforming a statement into a boolean circuit causes a considerable overhead.
 
Proof systems under the [[sub-group hiding]], [[decisional linear assumption]], and [[XDH assumption|external Diffie-Hellman assumption]] that allow one to directly prove the pairing product equations that are common in [[Pairing-based cryptography]] have been proposed.<ref>Jens Groth, Amit Sahai: Efficient Non-interactive Proof Systems for Bilinear Groups. EUROCRYPT 2008: 415-432</ref>
 
Under strong [[knowledge assumption]]s, it is known how to create sublinear-length computationally sound proof systems for [[NP-complete]] languages. More precisely, the proof in such proof systems consists only of a small number of bilinear group elements.<ref>Jens Groth. Short Pairing-Based Non-interactive Zero-Knowledge Arguments. ASIACRYPT 2010: 321--340</ref><ref>Helger Lipmaa. Progression-Free Sets and Sublinear Pairing-Based Non-Interactive Zero-Knowledge Arguments. TCC 2012: 169--189</ref>
 
==References==
<references/>
 
==External links==
* [http://www.cs.ucsd.edu/users/daniele/papers/GMR.html An efficient non-interactive statistical zero-knowledge proof system for quasi-safe prime products]
 
[[Category:Cryptographic protocols]]
[[Category:Theory of cryptography]]

Revision as of 15:53, 26 February 2013
