[Cryptography] Is Non-interactive Zero Knowledge Proof an oxymoron?

Ron Garret ron at flownet.com
Sat Mar 12 11:47:02 EST 2016


On Mar 11, 2016, at 9:23 PM, Charlie Kaufman <charliekaufman at outlook.com> wrote:

> Often these digital signature schemes are called "Non-interactive Zero Knowledge Proofs", which seems to me very wrong. If Bob receives a Non-interactive Zero Knowledge Proof from Alice, he *can* prove to a third party that the message came from Alice, and he could not have generated the entire conversation himself.

No, because a NIZKP assumes that Bob and Alice share a common reference string drawn from a random distribution, which is the basis for the proof.  The proof doesn’t work between Bob and Charlie because Bob and Charlie don’t share that common reference string.

The NI part of NIZKP is slightly misleading because some interaction between Bob and Alice is required to establish the CRS between then.  But this can be done in advance, so it’s not considered part of the proof.

rg

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20160312/a0d12cce/attachment.html>


More information about the cryptography mailing list