Li H D, et al. Sci China Inf Sci November 2012 Vol. 55 No. 11 2475
zero-knowledge proof of knowledge protocol for NP, we need a new approach that enables the black-box
simulator and knowledge extractor to work efficiently.
Our approach to solving the problem is to let the challenge be jointly determined by both the prover
and verifier, and then no one can learns or controls it in advance. The advantage that this approach
holds is that the challenge is independent of the prover’s first commitment, and does not need to have
been committed in advance. Thus, on the one hand, the classical knowledge extraction strategy can work
efficiently. On the other hand, instead of modifying the commitment to fit the challenges as usual, the
simulator can try to modify the random challenges by itself in order to give a simulated proof. This is
possible because the random challenge are jointly determined by both the prover and verifier. In other
words, this interactive proof can admit both a (black-box) simulator and a knowledge extractor.
1.3 Organization
In Section 2, the standard definitions and cryptographic tools used in our protocols are presented. We
give a 7-round zero-knowledge proof of knowledge for HC in Section 3. In Section 4, we construct an
optimal-round (5-round) zero-knowledge proof of knowledge for HC.
2 Preliminaries
In this paper, we use some standard notations. If A(·) is a probabilistic algorithm, A(x)istheresult
of running A on input x and y = A(x)denotethaty is set to A(x). For a finite set S,wedenoteby
y ∈
R
S that y is uniformly selected from S.WewriteU
n
to denote a uniform distribution over {0, 1}
n
and poly (·) to denote an unspecified polynomial. As usual, R
L
is the corresponding relation of L ∈ NP.
2.1 Zero-knowledge proof
We recall the definitions of zero-knowledge. These formal definitions are taken from [1,4].
Let P and V be a pair of interactive Turing machines, P, V (x) be a random variable representing
the local output of Turing machine V when interacting with machine P on common input x, when the
random input to each machine is uniformly and independently chosen. Customarily, machine P is called
the prover and machine V is called the verifier. We denote by P, V (x)=1(P, V (x) = 0) that machine
V accepts (rejects) the proofs given by machine P .
Definition 2.1. A pair of interactive Turing machines P, V is called an interactive proof system for
a language L if machine V is polynomial-time and the following two conditions hold:
• Completeness: there exists a negligible function c such that for every x ∈ L,
Pr[P, V (x)=1]> 1 − c(|x|).
• Soundness: there exists a negligible function s such that for every x/∈ L and every interactive
machine B,
Pr[B,V (x)=1]
<s(|x|),
c(·) is called the completeness error, and s(·) the soundness error. In the case where the soundness
condition is required to hold only with respect to a probabilistic polynomial-time prover, P, V is called
an interactive arguments system for L.
An interactive proof is said to be zero-knowledge if the interaction between the prover and verifier
reveals nothing beyond the validity of the assertion to be proved to the verifier. This is formalized by
requiring that for any polynomial-time verifier V
∗
there exists a polynomial-time algorithm S
V
∗
(a.k.a
the simulator) such that the view of V
∗
can be simulated by S
V
∗
. The idea behind this definition is that
whatever V
∗
might have learned from interacting with P , could actually have been obtained by itself.
We denote by View
P
V
∗
(x) a random variable describing the content of the random tape of V
∗
and the
messages V
∗
receives during the interaction with P on common input x.