[Cryptography] Is Non-interactive Zero Knowledge Proof an oxymoron?

Jonathan Katz jkatz at cs.umd.edu
Sun Mar 13 00:51:01 EST 2016


On Sat, Mar 12, 2016 at 12:23 AM, Charlie Kaufman
<charliekaufman at outlook.com> wrote:
> This is really a question about terminology. I've been trying to come up
> with a definition of a Zero Knowledge Proof. Most that I have seen in the
> literature say that a Zero Knowledge Proof is an interaction between - say -
> Alice and Bob, where Alice proves knowledge of some secret but Bob gains no
> information other than that he is interacting with someone who knows the
> secret. In particular, he could generate the entire conversation himself and
> so cannot prove to a third party that he has interacted with Alice.
>
>
> What Zero Knowledge Proofs are most often used for is to derive digital
> signature schemes, where the Zero Knowledge Proof is used as evidence that
> the digital signature scheme is secure. Often these digital signature
> schemes are called "Non-interactive Zero Knowledge Proofs", which seems to
> me very wrong. If Bob receives a Non-interactive Zero Knowledge Proof from
> Alice, he *can* prove to a third party that the message came from Alice, and
> he could not have generated the entire conversation himself.
>
>
> Is this a horrible abuse of language (where a Non-interactive Zero Knowledge
> Proof is not a kind of Zero Knowledge Proof, but rather a related thing that
> doesn't meet the definition)? Or is there some way I can hold my head such
> that I can come up with a definition that encompasses both things?

Zero-knowledge proofs, zero-knowledge proofs of knowledge, and
non-interactive zero-knowledge proofs all have formal definitions; see
Goldreich's book or my own lecture notes
(http://www.cs.umd.edu/~jkatz/gradcrypto2/scribes.html) or papers in
the academic literature.

Although signatures can be constructed from zero-knowledge proofs,
signatures themselves are not zero-knowledge proofs and signatures can
be constructed in other ways as well.

The terms tend to get mixed up, misused, or abused outside an academic
context. If that happens, all bets are off. =)

