Oren Y., "On The Cunning Power of Cheating Verifiers: Some Observations About Zero Knowledge Proofs", FOCS 87.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....and that error probabilities are pre served, as in [BMO] it also works for zero knowledge proof of knowledge. 3.1 Implications The theorem has a few implications on languages and their proof systems (beyond giving a design tool) We discuss those briefly. Black box simulation: Oren [Or] forinalized the black box notion by saying that the simulator is a PPT oracle machine M which when asked to simulate a particular verifier is given that verifier as an oracle. Thus the same simulator works for all verifiers. Using our method we show that assuming any one way permutation, black ....

Oren Y., "On The Cunning Power of Cheating Verifiers: Some Observations About Zero Knowledge Proofs", FOCS 87.

....that is invulnerable to o# line and impersonation attacks is interactive zero knowledge proofs. Goldwasser, Micali, and Racko# introduced the notion of interactive proof and zero knowledge in [4] Since then it has been the subject of intense research see [5] 6] 7] 8] 9] 10] 11] [12] [13] Particularly, in [7] Feige et. al show an elegant method for using an interactive zero knowledge proof to prove identity in a cryptographic protocol. Informally, an interactive proof is a two party conversation in which an infinitely powerful prover tries to convince a polynomial time ....

Y. Oren, "On the cunning power of cheating verifiers: Some observations about zero knowledge proofs," in Proc. 28th Ann. IEEE Symp. on Foundations of Computer Science, 1987, pp. 462--471.

....of zero knowledge where no verifier should be able to gain any additional knowledge from P . However since our proof already works for the less restrictive notion of zero knowledge we will not need the more restrictive definitions and hence we refer the interested reader to [GMR1] and to [GMR2] [O] and [TW] for a discussion of the definitions. Fortnow [F] proved that if L admits a polynomial round proof which is perfect or statistical zero knowledge for a trusted verifier then the complement of L is in IP [2] Our main result is that under the same assumption, L itself is in IP [2] We ....

Oren, Y., "On the Cunning Powers of Cheating Verifiers: Some Observations about ZeroKnowledge Proofs," Proc. of 28th Symposium on Foundations of Computer Science, pp 462--471, Los Angeles, 1987.

....of zero knowledge where no verifier should be able to gain any additional knowledge from P . However since our proof already works for the less restrictive notion of zero knowledge we will not need the more restrictive definitions and hence we refer the interested reader to [GMR1] and to [GMR2] [O] and [TW] for a discussion of the definitions. Fortnow [F] proved that if L admits a polynomial round proof which is perfect or statistical zero knowledge for a trusted verifier then the complement of L is in IP [2] Our main result is that under the same assumption, L itself is in IP [2] We ....

Oren, Y., "On the Cunning Powers of Cheating Verifiers: Some Observations about ZeroKnowledge Proofs," Proc. of 28th Symposium on Foundations of Computer Science, pp 462--471, Los Angeles, 1987.

....it has recently been shown by Shamir [S] that IP = PSPACE. In addition to defining interactive proofs, Goldwasser, Micali, and Rackoff [GMR] further defined zero knowledge interactive proofs. The zero knowledge definition was motivated by cryptographic considerations (see for example, GMR2] [O], GMW] Informally, a prover is zero knowledge for a language if the prover reveals no useful information (other than language membership) when interacting with any verifier. Slightly more formally, a prover is zero knowledge for L if for any verifier there is a probabilistic polynomial time ....

....to be made. All known statistical zero knowledge proofs have been converted to perfect zero knowledge proofs by letting the simulator run for a long time with exponentially small probability. This procedure is not possible for our language. Finally, our results in conjuction with a result of Oren [O] give evidence that the original definition of zero knowledge proposed in [GMR] is in fact less restrictive then the auxilary input model proposed in sereral papers [O] TW] GMR2] Oren showed that in the auxillary input model CZK[2] BPP . Our results hold in a model which is only slightly ....

[Article contains additional citation context not shown here]

Oren, Y. "On the Cunning Powers of Cheating Verifiers: Some Observations about Zero-Knowledge Proofs", Proc. of 28th Symposium on Foundations of Computer Science, pp 462--471, Los Angeles, 1987.

....over those D such that W (x; y) for every (x; y; z) that can be produced by D. Similarly, when we write 8x; y, it means 8x; y such that W (x; y) We begin the hierarchy using circuit family tests, because this was the choice made in the original paper [20] on zero knowledge (see also [18, 30]) Recall that S is an oracle machine in this definition. Definition 4.1 (Black Box Zero Knowledge (over W) 9S 8V 8x; y; z 8 dcf T j Pr[T ( P; V ) x; y; z) Gamma Pr[T (S V (x; z) j (n) where the probabilities are over the coin flips of P , V and S. In the next definition the ....

Y. Oren, On the cunning power of cheating verifiers: some observations about zero knowledge proofs, Proc. 28th IEEE Symp. on Foundations of Computer Science, 1987, pp. 462--471.

....denote the probability distribution of view generated by P and V on x 2 L. Generally, a probabilistic Turing machine has two inputs, a regular input and a random input. When we say that M u uses V as a black box, M u chooses the regular input and the random input to V . Definition 2. 3 [12][23] We say that (P; V ) is blackbox perfect zero knowledge on L if there exists an expected polynomial time machine M u such that for every probabilistic polynomial time machine V , P (x) V (x) and fM V u (x)g are qual. M u is called a simulator. 3 Promise problems and ZKIP 3.1 ....

Y.Oren: "On the cunning power of cheating verifiers: some observations about zero knowledge proofs" Proc. 28th FOCS, pp.462-471 (1987).

....prover is enough for a SZK proof. But in fact the ZK constraint may require a prover to be more powerful. So how powerful should a prover be for giving a ZK proof This question was raised by Joe Kilian. Feldman actually showed that a deterministic PSPACE prover suffices for IP. However Oren [17] showed that coin tosses are necessary: only for languages in BPP do there exist SZK proof systems with deterministic provers. A natural question then is whether probabilistic PSPACE is enough. We show (under a complexity assumption) that this is indeed the case. The prover s complexity should not ....

....may be necessary to have a different simulator for each verifier. A surprising fact, however, is that black box simulation suffices for all known zeroknowledge proofs. This leads us to ask whether any SZK language has a SZK proof of this form. That is the question we address in this section. Oren [17] formalized the black box notion by saying that the simulator was a PPT oracle machine M who when asked to simulate a particular verifier b V was given that verifier as an oracle: Definition 4.3 An interactive protocol (P; V ) for L is a black box simulation statistical zero knowledge (black ....

Oren Y., "On The Cunning Power of Cheating Verifiers: Some Observations About Zero Knowledge Proofs", FOCS 87.

....the theorem holds even if we relax the definition of statistical zero knowledge and do not require the simulator to output private coin tosses of the verifier. In addition, many researchers were concerned about providing a better characterization of various properties of statistical zero knowledge [1, 3, 6, 22]. Its relationship to one way functions, however, remained unknown. Hence, we consider the following question: does statistical zero knowledge imply a one way function For trivial languages, which do not require any interaction (i.e. languages in BPP) the answer is no. That is, even if P=NP, ....

....assumption: THEOREM 2: If there exists any one way permutation, then for all statistical zero knowledge proofs, the prover need not be more powerful then a randomized NP machine. We note that it is necessary for our prover to be randomized (i.e. to be able to flip coins) since it was shown [22] that only languages in BPP have Statistical Zero Knowledge proofs with deterministic provers. In section 3 we present a stronger version of theorem 2 as well. 2 Preliminaries Most of the notations and definitions are standard, and appeared before in the literature (for example, see [2, 3, 8, 16, ....

Oren Y., "On The Cunning Power of Cheating Verifiers: Some Observations About Zero Knowledge Proofs", FOCS 87.

....and that error probabilities are preserved, as in [BMO] it also works for zero knowledge proof of knowledge. 3.1 Implications The theorem has a few implications on languages and their proof systems (beyond giving a design tool) We discuss those briefly. ffl Black box simulation: Oren [Or] formalized the black box notion by saying that the simulator is a PPT oracle machine M which when asked to simulate a particular verifier b V is given that verifier as an oracle. Thus the same simulator works for all verifiers. Using our method we show that assuming any one way permutation, ....

Oren Y., "On The Cunning Power of Cheating Verifiers: Some Observations About Zero Knowledge Proofs", FOCS 87.

....auxiliary input z. The auxiliary input is a standard tool that allows proving the composition theorem. Intuitively, the auxiliary input captures information gathered by the adversary from other interactions occurring before the current interaction. Auxiliary inputs were first introduced in [GO87], in the context of Zero Knowledge proofs; for discussion see [GO87, G95] The computation proceeds in rounds, where each round proceeds as follows. First the uncorrupted parties generate their messages of this round, as described in the protocol. That is, these messages appear on the outgoing ....

....allows proving the composition theorem. Intuitively, the auxiliary input captures information gathered by the adversary from other interactions occurring before the current interaction. Auxiliary inputs were first introduced in [GO87] in the context of Zero Knowledge proofs; for discussion see [GO87, G95]. The computation proceeds in rounds, where each round proceeds as follows. First the uncorrupted parties generate their messages of this round, as described in the protocol. That is, these messages appear on the outgoing communication tapes of the uncorrupted parties. The messages addressed to ....

O. Goldreich and Y. Oren, "On the cunning power of cheating verifiers: Some observations about Zero-Knowledge proofs", in preparation. Preliminary version by Y. Oren in 28th Symp. on Foundations of Computer Science (FOCS), 1987.

....indistinguishable from the distribution of the views of the verifier in the original interaction. The prover may be infinitely powerful (i.e. an interactive proof) or it may be computationally bounded (i.e. an argument) We consider black box zero knowledge as defined by Goldreich and Oren [19, 14], and refined in [12] 1.1. Related work There is a vast literature in the distributed computing community dealing with asynchronicity. Within the cryptology community, Beth and Desmedt [4] discuss such asynchronous attacks in the context of identification protocols, and proposed timing methods ....

....Section 6 we describe how to eliminate this restriction. 2. Preliminaries 2.1. Black Box Zero Knowledge The initial definition of zero knowledge [15] required that for any probabilistic polynomial time verifier V , a simulator S V exists that could simulate V s view. Goldreich and Oren [19, 14] propose a seemingly stronger, better behaved notion of zero knowledge, known as black box zero knowledge. The basic idea behind black box zeroknowledge is that instead of having a new simulator S V for each possible verifier, we have a single probabilistic polynomial time simulator S that ....

[Article contains additional citation context not shown here]

Y. Oren. On the cunning powers of cheating verifiers: Some observations about zero knowledge proofs. In Ashok K. Chandra, editor, Proceedings of the 28th Annual Symposium on Foundations of Computer Science, pages 462--471, Los Angeles, CA, October 1987. IEEE Computer Society Press.

....relation with k. 8 The auxiliary input is a standard tool that allows us to prove the composition theorem. Intuitively, the auxiliary input captures information gathered by the adversary from other interactions occurring before the current interaction. Auxiliary inputs were first introduced in [27], in the context of Zero Knowledge proofs. See more discussion there, as well as in [22] We remark that the adversary, being computationally unbounded, need not be randomized. In fact, our formalization of the security requirement will be a non uniform complexity one. In such a setting ....

....show that the modular composition theorem holds even if the ideal process adversary is not restricted to black box simulation. Recall that in the context of zero knowledge existence of a black box simulator implies existence of a simulator even for adversaries that have arbitrary auxiliary input [27]. Using the same technique, it can be seen that a similar result holds with respect to Definition 4. Remark 4: On universal adversaries. The introduction of the auxiliary input (and the quantification over all auxiliary inputs) makes the quantification over all real life adversaries unnecessary: ....

O. Goldreich and Y. Oren, "On the cunning power of cheating verifiers: Some observations about Zero-Knowledge proofs", in preparation. Preliminary version by Y. Oren in 28th FOCS, 1987.

.... statistical ZK are of (relatively) low complexity: results of Fortnow [12] and Aiello Hastad [1] imply that SZK AM co AM Sigma P 2 Pi P 2 (where SZK denotes the class of languages possessing statistical ZK interactive proofs of membership) We do know that coins are necessary: Oren [24] and Goldreich and Oren [15] show that any ZK prover for a non trivial language must be probabilistic. Upper bounds on the complexity of a statistical ZK prover have been established by making use of (unproven) complexity assumptions. The first such result was that of Bellare, Micali and Ostrovsky ....

.... and [26, 25] by a polynomial factor) ffl We can preserve perfect ZK if we allow the prover to have a Sigma P 2 oracle instead of an NP one (in previous solutions, even if the original proof system had been perfect ZK, the transformed one would be statistical) As in some of the results in [15, 24], one of the ideas in our proof is to make (appropriate) use of the auxiliary inputs that the definition of ZK provides (cf. 11, 15, 19, 24, 29] Previous solutions [5, 25, 26] did not exploit this feature of ZK. We note that auxiliary inputs are important to the definition of ZK: Goldreich ....

[Article contains additional citation context not shown here]

Y. Oren. On The Cunning Power of Cheating Verifiers: Some Observations About Zero Knowledge Proofs. Proceedings of the 28th Annual IEEE Symposium on the Foundations of Computer Science, IEEE (1987).

....This paper appears in Proceedings of the 20th ACM Symposium on Theory of Computing, 1988, pp. 53 65. 1 Introduction The notions of interactive proof and zero knowledge, introduced by Goldwasser, Micali, and Rackoff in [GMR85] have been the subject of extensive research (see, for example, [BC86, FFS87, For87, GHY85, GMW86, GS87, Ore87, TW87]) Informally, an interactive proof is a two party conversation in which an infinitely powerful prover tries to convince a polynomial time verifier of the truth of some fact (typically of the form x 2 L) through a sequence of interactions. Roughly speaking, such an interactive proof is said ....

....of (P; V ) is the number of steps taken by P and V , respectively, during the run. We assume that V is a probabilistic Turing machine running in time polynomial in jxj, and hence that it can 3 The motivation for allowing initial values on the verifier s and prover s work tapes can be found in [Ore87, TW87]. Allowing initial information on the prover s worktape is particularly important in the case of resource bounded provers considered in Section 6. perform only probabilistic, polynomial time computations during each round. For now we make no assumptions about the running time of P , although in ....

[Article contains additional citation context not shown here]

Y. Oren, On the cunning power of cheating verifiers: some observations about zero knowledge proofs, Proc. 28th IEEE Symp. on Foundations of Computer Science, 1987, pp. 462--471.

.... has an interactive proof with perfect completeness which is almost perfect zero knowledge with respect to the specified verifier (again see [F] for definition) 2) Every language having an interactive proof which is almost perfect zero knowledge and remains so under parallel composition (see [O] for definition) has an almost perfect zeroknowledge proof with perfect completeness. The key observation in proving both statements is that almost all sequences s can serve as sampling points (see proof of Lemma 1) and thus having the prover randomly select and send a good s does not yield ....

Oren, Y., "On the Cunning Power of Cheating Verifiers: Some Observations about ZeroKnowledge Proofs", Proc. 28th FOCS, 1987, pp. 462-471.

....in polynomial time, that the input belongs to the language L. Definition 3 A transcript of a conversation between machines V and P consists of the input string, the random bits of V , and the messages sent by the two parties. In the following definitions, we are using Oren s notation [25]. The verifier may have some auxiliary input y on his private auxiliary input tape. In his definitions of zeroknowledge, Oren takes into account the effect that this auxiliary input has on the communication between the two parties. When these definitions are used, as opposed to the original ....

....size. In our definition, we give c to the simulator, which then runs in an expected time which is polynomial in N c . Hence the simulator is expected polynomial time for fixed c. Other than allowing the simulator s running time to vary depending on c, this definition is identical to Oren s [25], and we are using similar notation. Definition 8 Let (P; V ) be a interactive proof system for L. Then (P; V ) is weak zeroknowledge if, for every probabilistic polynomial time machine V , there exists an algorithm M V (c; x; y) which runs in expected polynomial time for fixed c, such ....

Oren, Y. On the Cunning Power of Cheating Verifiers: some Observations About Zero Knowledge Proofs, Proc. 28th IEEE Symp. on Foundations of Computer Science, 1987, pp. 462-471.

....Vegas zero knowledge proof system necessarily belongs to RP . We show that randomness of both the verifier and the prover, and non triviality of the interaction are essential properties of (non trivial) auxiliary input zero knowledge proofs. Preliminary versions of this work have appeared in [O1, O2]. WARNING: The current text was automatiocally translated from old troff files. Such translations may introduce errors. Furthermore, I m not sure whether the source troff files I ve found are actually the onesw corresponding to the final version. Errors may be due to this fact too. The final ....

Oren, Y., "On the Cunning Power of Cheating Verifiers: Some Observations About Zero-Knowledge Proofs", Proc. 28th FOCS, 1987, pp. 462-471.

No context found.

Oren Y., "On The Cunning Power of Cheating Verifiers: Some Observations About Zero Knowledge Proofs", FOCS 87.

No context found.

Oren Y., "On The Cunning Power of Cheating Verifiers: Some Observations About Zero Knowledge Proofs", FOCS 87.

No context found.

O. Goldreich and Y. Oren, "On the cunning power of cheating verifiers: Some observations about Zero-Knowledge proofs", in preparation. Preliminary version by Y. Oren in 28th Symp. on Foundations of Computer Science (FOCS), 1987.

No context found.

Y. Oren. On the cunning powers of cheating verifiers: Some observations about zero knowledge proofs. In Ashok K. Chandra, editor, Proceedings of the 28th Annual Symposium on Foundations of Computer Science, pages 462--471, Los Angeles, CA, October 1987. IEEE Computer Society Press.

No context found.

Y. Oren, "On the Cunning Power of Cheating Verifiers: Some Observations about Zero-Knowledge Proofs," Proceedings of the 28th Annual IEEE Symposium on the Foundations of Computer Science, IEEE (1987), pp. 462-471.

No context found.

O. Goldreich and Y. Oren, "On the cunning power of cheating verifiers: Some observations about Zero-Knowledge proofs", in preparation. Preliminary version by Y. Oren in 28th FOCS, 1987.

No context found.

Y. Oren. On The Cunning Power of Cheating Verifiers: Some Observations About Zero Knowledge Proofs. Proceedings of the 28th Annual IEEE Symposium on the Foundations of Computer Science, IEEE (1987).

First 50 documents

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC