Proof of knowledge

Last updated December 06, 2023

In cryptography, a proof of knowledge is an interactive proof in which the prover succeeds in 'convincing' a verifier that the prover knows something. What it means for a machine to 'know something' is defined in terms of computation. A machine 'knows something', if this something can be computed, given the machine as an input. As the program of the prover does not necessarily spit out the knowledge itself (as is the case for zero-knowledge proofs ^[1]) a machine with a different program, called the knowledge extractor is introduced to capture this idea. We are mostly interested in what can be proven by polynomial time bounded machines. In this case the set of knowledge elements is limited to a set of witnesses of some language in NP.

Completeness: If $(x,w)\in R$ , then the prover $P$ who knows witness $w$ for $x$ succeeds in convincing the verifier $V$ of his knowledge. More formally: $\Pr(P(x,w)\leftrightarrow V(x)\rightarrow 1)=1$ , i.e. given the interaction between the prover P and the verifier V, the probability that the verifier is convinced is 1.
Validity: Validity requires that the success probability of a knowledge extractor $E$ in extracting the witness, given oracle access to a possibly malicious prover ${\tilde {P}}$ , must be at least as high as the success probability of the prover ${\tilde {P}}$ in convincing the verifier. This property guarantees that no prover that doesn't know the witness can succeed in convincing the verifier.

Details on the definition

This is a more rigorous definition of Validity:^[2]

Let $R$ be a witness relation, $W(x)$ the set of all witnesses for public value $x$ , and $\kappa$ the knowledge error. A proof of knowledge is $\kappa$ -valid if there exists a polynomial-time machine $E$ , given oracle access to ${\tilde {P}}$ , such that for every ${\tilde {P}}$ , it is the case that $E^{{\tilde {P}}(x)}(x)\in W(x)\cup \{\bot \}$ and $\Pr(E^{{\tilde {P}}(x)}(x)\in W(x))\geq \Pr({\tilde {P}}(x)\leftrightarrow V(x)\rightarrow 1)-\kappa (x).$

The result $\bot$ signifies that the Turing machine $E$ did not come to a conclusion.

The knowledge error $\kappa (x)$ denotes the probability that the verifier $V$ might accept $x$ , even though the prover does in fact not know a witness $w$ . The knowledge extractor $E$ is used to express what is meant by the knowledge of a Turing machine. If $E$ can extract $w$ from ${\tilde {P}}$ , we say that ${\tilde {P}}$ knows the value of $w$ .

This definition of the validity property is a combination of the validity and strong validity properties.^[2] For small knowledge errors $\kappa (x)$ , such as e.g. $2^{-80}$ or $1/\mathrm {poly} (|x|)$ it can be seen as being stronger than the soundness of ordinary interactive proofs.

Relation to general interactive proofs

In order to define a specific proof of knowledge, one need not only define the language, but also the witnesses the verifier should know. In some cases proving membership in a language may be easy, while computing a specific witness may be hard. This is best explained using an example:

Let $\langle g\rangle$ be a cyclic group with generator $g$ in which solving the discrete logarithm problem is believed to be hard. Deciding membership of the language $L=\{x\mid g^{w}=x\}$ is trivial, as every $x$ is in $\langle g\rangle$ . However, finding the witness $w$ such that $g^{w}=x$ holds corresponds to solving the discrete logarithm problem.

Protocols

Schnorr protocol

One of the simplest and frequently used proofs of knowledge, the proof of knowledge of a discrete logarithm , is due to Schnorr.^[3] The protocol is defined for a cyclic group $G_{q}$ of order $q$ with generator $g$ .

In order to prove knowledge of $x=\log _{g}y$ , the prover interacts with the verifier as follows:

In the first round the prover commits himself to randomness $r$ ; therefore the first message $t=g^{r}$ is also called commitment.
The verifier replies with a challenge $c$ chosen at random.
After receiving $c$ , the prover sends the third and last message (the response) $s=r+cx$ reduced modulo the order of the group.

The verifier accepts, if $g^{s}=ty^{c}$ .

We can see this is a valid proof of knowledge because it has an extractor that works as follows:

Simulate the prover to output $t=g^{r}$ . The prover is now in state $Q$ .
Generate random value $c_{1}$ and input it to the prover. It outputs $s_{1}=r+c_{1}x$ .
Rewind the prover to state $Q$ . Now generate a different random value $c_{2}$ and input it to the prover to get $s_{2}=r+c_{2}x$ .
Output $(s_{1}-s_{2})(c_{1}-c_{2})^{-1}$ .

Since $(s_{1}-s_{2})=(r+c_{1}x)-(r+c_{2}x)=x(c_{1}-c_{2})$ , the output of the extractor is precisely $x$ .

This protocol happens to be zero-knowledge, though that property is not required for a proof of knowledge.

Sigma protocols

Protocols which have the above three-move structure (commitment, challenge and response) are called sigma protocols.^[4] The naming originates from Sig, referring to the zig-zag symbolizing the three moves of the protocol, and MA, an abbreviation of "Merlin-Arthur".^[5] Sigma protocols exist for proving various statements, such as those pertaining to discrete logarithms. Using these proofs, the prover can not only prove the knowledge of the discrete logarithm, but also that the discrete logarithm is of a specific form. For instance, it is possible to prove that two logarithms of $y_{1}$ and $y_{2}$ with respect to bases $g_{1}$ and $g_{2}$ are equal or fulfill some other linear relation. For a and b elements of $Z_{q}$ , we say that the prover proves knowledge of $x_{1}$ and $x_{2}$ such that $y_{1}=g_{1}^{x_{1}}\land y_{2}=g_{2}^{x_{2}}$ and $x_{2}=ax_{1}+b$ . Equality corresponds to the special case where a = 1 and b = 0. As $x_{2}$ can be trivially computed from $x_{1}$ this is equivalent to proving knowledge of an x such that $y_{1}=g_{1}^{x}\land y_{2}={(g_{2}^{a})}^{x}g_{2}^{b}$ .

This is the intuition behind the following notation,^[6] which is commonly used to express what exactly is proven by a proof of knowledge.

PK\{(x):y_{1}=g_{1}^{x}\land y_{2}={(g_{2}^{a})}^{x}g_{2}^{b}\},

states that the prover knows an x that fulfills the relation above.

Applications

Proofs of knowledge are useful tool for the construction of identification protocols, and in their non-interactive variant, signature schemes. Such schemes are:

Schnorr signature

They are also used in the construction of group signature and anonymous digital credential systems.

Related Research Articles

In mathematics, a topological space is called separable if it contains a countable, dense subset; that is, there exists a sequence $of elements of the space such that every nonempty open subset of the space contains at least one element of the sequence.$

<span class="mw-page-title-main">Curvature</span> Mathematical measure of how much a curve or surface deviates from flatness

In mathematics, curvature is any of several strongly related concepts in geometry. Intuitively, the curvature is the amount by which a curve deviates from being a straight line, or a surface deviates from being a plane.

In computational complexity theory, an interactive proof system is an abstract machine that models computation as the exchange of messages between two parties: a prover and a verifier. The parties interact by exchanging messages in order to ascertain whether a given string belongs to a language or not. The prover possesses unlimited computational resources but cannot be trusted, while the verifier has bounded computation power but is assumed to be always honest. Messages are sent between the verifier and prover until the verifier has an answer to the problem and has "convinced" itself that it is correct.

A commitment scheme is a cryptographic primitive that allows one to commit to a chosen value while keeping it hidden to others, with the ability to reveal the committed value later. Commitment schemes are designed so that a party cannot change the value or statement after they have committed to it: that is, commitment schemes are binding. Commitment schemes have important applications in a number of cryptographic protocols including secure coin flipping, zero-knowledge proofs, and secure computation.

In cryptography, a Schnorr signature is a digital signature produced by the Schnorr signature algorithm that was described by Claus Schnorr. It is a digital signature scheme known for its simplicity, among the first whose security is based on the intractability of certain discrete logarithm problems. It is efficient and generates short signatures. It was covered by U.S. Patent 4,995,082 which expired in February 2008.

In cryptography, a zero-knowledge proof or zero-knowledge protocol is a method by which one party can prove to another party that a given statement is true, while avoiding conveying to the verifier any information beyond the mere fact of the statement's truth. The intuition underlying zero-knowledge proofs is that it is trivial to prove the possession of certain information by simply revealing it; the challenge is to prove this possession without revealing the information, or any aspect of it whatsoever.

An undeniable signature is a digital signature scheme which allows the signer to be selective to whom they allow to verify signatures. The scheme adds explicit signature repudiation, preventing a signer later refusing to verify a signature by omission; a situation that would devalue the signature in the eyes of the verifier. It was invented by David Chaum and Hans van Antwerpen in 1989.

<span class="mw-page-title-main">Grothendieck–Riemann–Roch theorem</span>

In mathematics, specifically in algebraic geometry, the Grothendieck–Riemann–Roch theorem is a far-reaching result on coherent cohomology. It is a generalisation of the Hirzebruch–Riemann–Roch theorem, about complex manifolds, which is itself a generalisation of the classical Riemann–Roch theorem for line bundles on compact Riemann surfaces.

In computational complexity theory, the class IP is the class of problems solvable by an interactive proof system. It is equal to the class PSPACE. The result was established in a series of papers: the first by Lund, Karloff, Fortnow, and Nisan showed that co-NP had multiple prover interactive proofs; and the second, by Shamir, employed their technique to establish that IP=PSPACE. The result is a famous example where the proof does not relativize.

In directional statistics, the von Mises–Fisher distribution, is a probability distribution on the $-sphere in . If the distribution reduces to the von Mises distribution on the circle.$

In cryptography, a secret sharing scheme is publicly verifiable (PVSS) if it is a verifiable secret sharing scheme and if any party can verify the validity of the shares distributed by the dealer.

In verifiable secret sharing (VSS) the object is to resist malicious players, such as
(i) a dealer sending incorrect shares to some or all of the participants, and
(ii) participants submitting incorrect shares during the reconstruction protocol,cf. [CGMA85].
In publicly verifiable secret sharing (PVSS), as introduced by Stadler [Sta96], it is an explicit goal that not just the participants can verify their own shares, but that anybody can verify that the participants received correct shares. Hence, it is explicitly required that (i) can be verified publicly.

In proof theory, ordinal analysis assigns ordinals to mathematical theories as a measure of their strength. If theories have the same proof-theoretic ordinal they are often equiconsistent, and if one theory has a larger proof-theoretic ordinal than another it can often prove the consistency of the second theory.

In cryptography, the socialist millionaire problem is one in which two millionaires want to determine if their wealth is equal without disclosing any information about their riches to each other. It is a variant of the Millionaire's Problem whereby two millionaires wish to compare their riches to determine who has the most wealth without disclosing any information about their riches to each other.

In cryptography, the anonymous veto network is a multi-party secure computation protocol to compute the boolean-OR function. It was first proposed by Feng Hao and Piotr Zieliński in 2006. This protocol presents an efficient solution to the Dining cryptographers problem.

The Password Authenticated Key Exchange by Juggling is a password-authenticated key agreement protocol, proposed by Feng Hao and Peter Ryan. This protocol allows two parties to establish private and authenticated communication solely based on their shared (low-entropy) password without requiring a Public Key Infrastructure. It provides mutual authentication to the key exchange, a feature that is lacking in the Diffie–Hellman key exchange protocol.

In graph theory, the De Bruijn–Erdős theorem relates graph coloring of an infinite graph to the same problem on its finite subgraphs. It states that, when all finite subgraphs can be colored with $colors, the same is true for the whole graph. The theorem was proved by Nicolaas Govert de Bruijn and Paul Erdős (1951), after whom it is named.$

In cryptography, the Fiat–Shamir heuristic is a technique for taking an interactive proof of knowledge and creating a digital signature based on it. This way, some fact can be publicly proven without revealing underlying information. The technique is due to Amos Fiat and Adi Shamir (1986). For the method to work, the original interactive proof must have the property of being public-coin, i.e. verifier's random coins are made public throughout the proof protocol.

The YAK is a public-key authenticated key-agreement protocol, proposed by Feng Hao in 2010. It is claimed to be the simplest authenticated key exchange protocol among the related schemes, including MQV, HMQV, Station-to-Station protocol, SSL/TLS etc. The authentication is based on public key pairs. As with other protocols, YAK normally requires a Public Key Infrastructure to distribute authentic public keys to the communicating parties. The security of YAK is disputed.

In the mathematical field of group theory, an Artin transfer is a certain homomorphism from an arbitrary finite or infinite group to the commutator quotient group of a subgroup of finite index. Originally, such mappings arose as group theoretic counterparts of class extension homomorphisms of abelian extensions of algebraic number fields by applying Artin's reciprocity maps to ideal class groups and analyzing the resulting homomorphisms between quotients of Galois groups. However, independently of number theoretic applications, a partial order on the kernels and targets of Artin transfers has recently turned out to be compatible with parent-descendant relations between finite p-groups, which can be visualized in descendant trees. Therefore, Artin transfers provide a valuable tool for the classification of finite p-groups and for searching and identifying particular groups in descendant trees by looking for patterns defined by the kernels and targets of Artin transfers. These strategies of pattern recognition are useful in purely group theoretic context, as well as for applications in algebraic number theory concerning Galois groups of higher p-class fields and Hilbert p-class field towers.

In statistics, the complex Wishart distribution is a complex version of the Wishart distribution. It is the distribution of $times the sample Hermitian covariance matrix of zero-mean independent Gaussian random variables. It has support for Hermitian positive definite matrices.$

References

↑ Shafi Goldwasser, Silvio Micali, and Charles Rackoff. The knowledge complexity of interactive proof-systems. Proceedings of 17th Symposium on the Theory of Computation, Providence, Rhode Island. 1985. Draft. Extended abstract
1 2 Mihir Bellare, Oded Goldreich: On Defining Proofs of Knowledge. CRYPTO 1992: 390–420
↑ C P Schnorr, Efficient identification and signatures for smart cards, in G Brassard, ed. Advances in Cryptology – Crypto '89, 239–252, Springer-Verlag, 1990. Lecture Notes in Computer Science, nr 435
↑ On Sigma protocols
↑ Modular Design of Secure yet Practical Cryptographic Protocols
↑ Proof Systems for General Statements about Discrete Logarithms

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Shafi Goldwasser, Silvio Micali, and Charles Rackoff. The knowledge complexity of interactive proof-systems. Proceedings of 17th Symposium on the Theory of Computation, Providence, Rhode Island. 1985. Draft. Extended abstract

[odpk-2] 1 2 Mihir Bellare, Oded Goldreich: On Defining Proofs of Knowledge. CRYPTO 1992: 390–420

[3] C P Schnorr, Efficient identification and signatures for smart cards, in G Brassard, ed. Advances in Cryptology – Crypto '89, 239–252, Springer-Verlag, 1990. Lecture Notes in Computer Science, nr 435

[4] On Sigma protocols

[5] Modular Design of Secure yet Practical Cryptographic Protocols

[6] Proof Systems for General Statements about Discrete Logarithms

[1]

[2]

[3]

[4]

[5]

[6]