Mass in general relativity: Difference between revisions
en>Solomonfromfinland No edit summary |
|||
Line 1: | Line 1: | ||
In [[cryptography]], a '''proof of knowledge''' is an [[interactive proof system|interactive proof]] in which the prover succeeds 'convincing' a verifier that it knows something. What it means for a [[abstract machine|machine]] to 'know something' is defined in terms of computation. A machine 'knows something', if this something can be computed, given the machine as an input. As the program of the prover does not necessarily spit out the knowledge itself (as is the case for [[zero-knowledge proofs]]<ref>[[Shafi Goldwasser]], [[Silvio Micali]], and [[Charles Rackoff]]. [http://portal.acm.org/citation.cfm?id=63434 The knowledge complexity of interactive proof-systems]. ''Proceedings of 17th Symposium on the Theory of Computation'', Providence, Rhode Island. 1985. Draft. [http://theory.lcs.mit.edu/~cis/pubs/shafi/1985-stoc.pdf Extended abstract]</ref>) a machine with a different program, called the knowledge extractor is introduced to capture this idea. We are mostly interested in what can be proven by [[polynomial time]] bounded machines. In this case the set of knowledge elements is limited to a set of witnesses of some [[formal language|language]] in [[NP (complexity)|NP]]. | |||
Let <math>x</math> be a language element of language <math>L</math> in NP, and <math>W(x)</math> the set of witnesses for x that should be accepted in the proof. This allows us to define the following relation: <math>R= \{(x,w): x \in L, w \in W(x)\}</math>. | |||
A proof of knowledge for relation <math>R</math> with knowledge error <math>\kappa</math> is a two | |||
party protocol with a prover <math>P</math> and a verifier <math>V</math> with the following two properties: | |||
# '''Completeness''': if <math>(x,w) \in R</math>, the prover P who knows witness <math>w</math> for <math>x</math> succeeds in convincing the verifier <math>V</math> of his knowledge. More formally: <math>Pr(P(x,w)\leftrightarrow V(x) \rightarrow 1) =1</math> | |||
# '''Validity''': Validity requires that the success probability of a knowledge extractor <math>E</math> in extracting the witness, given oracle access to a possibly malicious prover <math>\tilde P</math>, must be at least as high as the success probability of the prover <math>\tilde P</math> in convincing the verifier. This Property guarantees that no prover that doesn't know the witness can succeed in convincing the verifier. | |||
==Details on the definition== | |||
This is a more rigorous definition of '''Validity''':<ref name="odpk">[[Mihir Bellare]], Oded Goldreich: [http://www-cse.ucsd.edu/~mihir/papers/pok.ps On Defining Proofs of Knowledge]. [[CRYPTO]] 1992: 390–420</ref> | |||
Let <math>R</math> be a witness relation, <math>W(x)</math> the set of all witnesses for public value <math>x</math>, and <math>\kappa</math> the knowledge error. | |||
A proof of knowledge is <math>\kappa</math>-valid if there exists a polynomial-time machine <math>E</math>, given oracle access to <math>\tilde P</math>, such that for every <math>\tilde P</math>, it is the case that <math>E^{\tilde P(x)}(x) \in W(x) \cup \{ \bot \}</math> and <math>\Pr(E^{\tilde P(x)}(x) \in W(x)) \geq \Pr(\tilde P(x)\leftrightarrow V(x) \rightarrow 1) - \kappa(x).</math> | |||
The result <math>\bot</math> signifies that the Turing machine <math>E</math> did not come to a conclusion. | |||
The knowledge error <math>\kappa(x)</math> denotes the probability that the verifier <math>V</math> might accept <math>x</math>, even though the prover does in fact not know a witness <math>w</math>. The knowledge extractor <math>E</math> is used to express what is meant by the knowledge of a [[Turing machine]]. If <math>E</math> can extract <math>w</math> from <math>\tilde P</math>, we say that <math>\tilde P</math> knows the value of <math>w</math>. | |||
This definition of the validity property is a combination of the validity and strong validity properties in.<ref name="odpk"/> For small knowledge errors <math>\kappa(x)</math>, such as e.g. <math>2^{-80}</math> or <math>1/\mathrm{poly}(|x|)</math> it can be seen as being stronger than the '''[[Soundness (interactive proof)|soundness]]''' of ordinary [[Interactive proof system|interactive proofs]]. | |||
==Relation to general interactive proofs== | |||
In order to define a specific proof of knowledge, one need not only define the language, but also the witnesses the verifier should know. In some cases proving membership in a language may be easy, while computing a specific witness may be hard. This is best explained using an example: | |||
Let <math>\langle g \rangle</math> be a [[cyclic group]] with generator <math>g</math> in which solving the [[discrete logarithm]] problem is believed to be hard. The deciding membership of the language <math>L=\{x | g^w=x \}</math> is trivial, as every <math>x</math> is in <math>\langle g \rangle</math>. However, finding the witness <math>w</math> such that <math>g^w=x</math> holds corresponds to solving the discrete logarithm problem. | |||
==Protocols== | |||
===Schnorr protocol=== | |||
One of the simplest and frequently used proofs of knowledge, the ''proof of knowledge of a [[discrete logarithm]]'', is due to Schnorr.<ref>[[Claus P. Schnorr|C P Schnorr]], Efficient identification and signatures for smart cards, in G Brassard, ed. Advances in Cryptology – [[Crypto]] '89, 239–252, [[Springer-Verlag]], 1990. Lecture Notes in Computer Science, nr 435</ref> The protocol is defined for a [[cyclic group]] <math>G_q</math> of order <math>q</math> with generator <math>g</math>. | |||
In order to prove knowledge of <math>x=\log_g y</math>, the prover interacts with the verifier as follows: | |||
# In the first round the prover commits herself to randomness <math>r</math>; therefore the first message <math>t=g^r</math> is also called ''commitment''. | |||
# The verifier replies with a ''challenge'' <math>c</math> chosen at random. | |||
# After receiving <math>c</math>, the prover sends the third and last message (the ''response'') <math>s=r+cx</math>. | |||
The verifier accepts, if <math>g^s = t y^{c}</math>. | |||
===Sigma protocols=== | |||
Protocols which have the above three-move structure (commitment, challenge and response) are called ''sigma protocols''. The Greek letter <math>\Sigma</math> visualizes the flow of the protocol. Sigma protocols exist for proving various statements, such as those pertaining to discrete logarithms. Using these proofs, the prover can not only prove the knowledge of the discrete logarithm, but also that the discrete logarithm is of a specific form. For instance, it is possible to prove that two logarithms of <math>y_1</math> and <math>y_2</math> with respect to bases <math>g_1</math> and <math>g_2</math> are equal or fulfill some other [[linear]] [[Relation (mathematics)|relation]]. For ''a'' and ''b'' elements of <math>Z_q</math>, we say that the prover proves knowledge of <math>x_1</math> and <math>x_2</math> such that <math>y_1= g_1^{x_1} \land y_2=g_2^{x_2}</math> and <math>x_2 = a x_1 + b</math>. Equality corresponds to the special case where ''a'' = 1 and ''b'' = 0. As <math>x_2</math> can be [[trivial (mathematics)|trivially]] computed from <math>x_1</math> this is equivalent to proving knowledge of an ''x'' such that <math>y_1= g_1^{x} \land y_2={(g_2^a)}^{x} g_2^b</math>. | |||
This is the intuition behind the following notation, which is commonly used to express what exactly is proven by a proof of knowledge. | |||
: <math>PK\{(x): y_1= g_1^{x} \land y_2={(g_2^a)}^{x} g_2^b \},</math> | |||
states that the prover knows an ''x'' that fulfills the relation above. | |||
==Applications== | |||
Proofs of knowledge are useful tool for the construction of identification protocols, and in their non-interactive variant, signature schemes. Such schemes are: | |||
* [[Schnorr signature]] | |||
They are also used in the construction of [[group signature]] and [[digital credential|anonymous digital credential]] systems. | |||
==See also== | |||
* [[Cryptographic protocol]] | |||
* [[Zero-knowledge proof]] | |||
* [[interactive proof system]] | |||
* [[Topics in cryptography]] | |||
* [[Zero-knowledge password proof]] | |||
* [[Soundness (interactive proof)]] | |||
==References== | |||
<references/> | |||
==External references== | |||
* [http://research.cyber.ee/~lipmaa/crypto/link/zeroknowledge/pok.php Helger Lipmaa's cryptology pointers] | |||
[[Category:Cryptographic protocols]] |
Revision as of 05:11, 26 October 2013
In cryptography, a proof of knowledge is an interactive proof in which the prover succeeds 'convincing' a verifier that it knows something. What it means for a machine to 'know something' is defined in terms of computation. A machine 'knows something', if this something can be computed, given the machine as an input. As the program of the prover does not necessarily spit out the knowledge itself (as is the case for zero-knowledge proofs[1]) a machine with a different program, called the knowledge extractor is introduced to capture this idea. We are mostly interested in what can be proven by polynomial time bounded machines. In this case the set of knowledge elements is limited to a set of witnesses of some language in NP.
Let be a language element of language in NP, and the set of witnesses for x that should be accepted in the proof. This allows us to define the following relation: .
A proof of knowledge for relation with knowledge error is a two party protocol with a prover and a verifier with the following two properties:
- Completeness: if , the prover P who knows witness for succeeds in convincing the verifier of his knowledge. More formally:
- Validity: Validity requires that the success probability of a knowledge extractor in extracting the witness, given oracle access to a possibly malicious prover , must be at least as high as the success probability of the prover in convincing the verifier. This Property guarantees that no prover that doesn't know the witness can succeed in convincing the verifier.
Details on the definition
This is a more rigorous definition of Validity:[2]
Let be a witness relation, the set of all witnesses for public value , and the knowledge error. A proof of knowledge is -valid if there exists a polynomial-time machine , given oracle access to , such that for every , it is the case that and
The result signifies that the Turing machine did not come to a conclusion.
The knowledge error denotes the probability that the verifier might accept , even though the prover does in fact not know a witness . The knowledge extractor is used to express what is meant by the knowledge of a Turing machine. If can extract from , we say that knows the value of .
This definition of the validity property is a combination of the validity and strong validity properties in.[2] For small knowledge errors , such as e.g. or it can be seen as being stronger than the soundness of ordinary interactive proofs.
Relation to general interactive proofs
In order to define a specific proof of knowledge, one need not only define the language, but also the witnesses the verifier should know. In some cases proving membership in a language may be easy, while computing a specific witness may be hard. This is best explained using an example:
Let be a cyclic group with generator in which solving the discrete logarithm problem is believed to be hard. The deciding membership of the language is trivial, as every is in . However, finding the witness such that holds corresponds to solving the discrete logarithm problem.
Protocols
Schnorr protocol
One of the simplest and frequently used proofs of knowledge, the proof of knowledge of a discrete logarithm, is due to Schnorr.[3] The protocol is defined for a cyclic group of order with generator .
In order to prove knowledge of , the prover interacts with the verifier as follows:
- In the first round the prover commits herself to randomness ; therefore the first message is also called commitment.
- The verifier replies with a challenge chosen at random.
- After receiving , the prover sends the third and last message (the response) .
Sigma protocols
Protocols which have the above three-move structure (commitment, challenge and response) are called sigma protocols. The Greek letter visualizes the flow of the protocol. Sigma protocols exist for proving various statements, such as those pertaining to discrete logarithms. Using these proofs, the prover can not only prove the knowledge of the discrete logarithm, but also that the discrete logarithm is of a specific form. For instance, it is possible to prove that two logarithms of and with respect to bases and are equal or fulfill some other linear relation. For a and b elements of , we say that the prover proves knowledge of and such that and . Equality corresponds to the special case where a = 1 and b = 0. As can be trivially computed from this is equivalent to proving knowledge of an x such that .
This is the intuition behind the following notation, which is commonly used to express what exactly is proven by a proof of knowledge.
states that the prover knows an x that fulfills the relation above.
Applications
Proofs of knowledge are useful tool for the construction of identification protocols, and in their non-interactive variant, signature schemes. Such schemes are:
They are also used in the construction of group signature and anonymous digital credential systems.
See also
- Cryptographic protocol
- Zero-knowledge proof
- interactive proof system
- Topics in cryptography
- Zero-knowledge password proof
- Soundness (interactive proof)
References
- ↑ Shafi Goldwasser, Silvio Micali, and Charles Rackoff. The knowledge complexity of interactive proof-systems. Proceedings of 17th Symposium on the Theory of Computation, Providence, Rhode Island. 1985. Draft. Extended abstract
- ↑ 2.0 2.1 Mihir Bellare, Oded Goldreich: On Defining Proofs of Knowledge. CRYPTO 1992: 390–420
- ↑ C P Schnorr, Efficient identification and signatures for smart cards, in G Brassard, ed. Advances in Cryptology – Crypto '89, 239–252, Springer-Verlag, 1990. Lecture Notes in Computer Science, nr 435