[Cryptography] Is Non-interactive Zero Knowledge Proof an oxymoron?

Benjamin Kreuter brk7bx at virginia.edu
Sat Mar 12 22:04:59 EST 2016


On Sat, 2016-03-12 at 05:23 +0000, Charlie Kaufman wrote:
> This is really a question about terminology. I've been trying to come
> up with a definition of a Zero Knowledge Proof. Most that I have seen
> in the literature say that a Zero Knowledge Proof is an interaction
> between - say - Alice and Bob, where Alice proves knowledge of some
> secret but Bob gains no information other than that he is interacting
> with someone who knows the secret. In particular, he could generate
> the entire conversation himself and so cannot prove to a third party
> that he has interacted with Alice.

That intuition works in the standard model, but the actual definition
only requires that a simulator exists, which in other models might
violate that intuition.  For example, in the random oracle model the
simulator also simulates the random oracle itself (this is what gives
the ROM its power), so the deniability property you are describing does
not necessarily hold (the simulation might require control over the
random oracle, which no real party should have).

Here is a relevant paper that you might want to read:

https://www.iacr.org/archive/crypto2003/27290315/27290315.ps

-- Ben
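
The point about the simulator controlling the random oracle, as an added illustration that is not part of the original message: a Fiat-Shamir Schnorr proof (a scheme chosen here; the message names none) over a constructed toy group. The names `sha_oracle`, `ProgrammableOracle`, `prove`, `verify` and `simulate` are hypothetical. The simulated proof verifies only against the oracle the simulator programmed, which is why it does not give a real party, who faces a fixed public hash, the ability to produce transcripts.

```python
import hashlib
import secrets

# Constructed toy Schnorr group (far too small for real use): P = 2Q + 1, G has order Q.
P, Q, G = 2039, 1019, 4

def sha_oracle(y, t):
    """Fixed public hash: what every real party sees in place of the random oracle."""
    digest = hashlib.sha256(f"{y}|{t}".encode()).digest()
    return int.from_bytes(digest, "big") % Q

class ProgrammableOracle:
    """Lazily sampled random oracle whose answers the simulator may set."""
    def __init__(self):
        self.table = {}

    def program(self, y, t, c):
        self.table[(y, t)] = c

    def __call__(self, y, t):
        if (y, t) not in self.table:
            self.table[(y, t)] = secrets.randbelow(Q)
        return self.table[(y, t)]

def prove(x, oracle):
    """Honest prover: knows x with y = G^x; the challenge comes from the oracle."""
    y = pow(G, x, P)
    r = secrets.randbelow(Q)
    t = pow(G, r, P)
    c = oracle(y, t)
    return y, (t, (r + c * x) % Q)

def verify(y, proof, oracle):
    """Accept iff G^s == t * y^H(y, t)."""
    t, s = proof
    return pow(G, s, P) == (t * pow(y, oracle(y, t), P)) % P

def simulate(y, oracle):
    """Simulator: no witness. Picks (c, s) first, then programs H(y, t) := c."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, Q - c, P)) % P  # t = G^s * y^(-c), since y has order Q
    oracle.program(y, t, c)
    return t, s
```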