常数轮零知识证明NP问题的新进展
4 浏览量
更新于2024-08-27
收藏 550KB PDF 举报
"Round-optimal zero-knowledge proofs of knowledge for NP"
本文主要探讨的是在密码学领域中的一个核心问题,即是否存在一种在NP(非确定性多项式时间)问题上能够实现常数轮次的黑盒零知识证明知识系统。零知识证明是一种允许一方(证明者)向另一方(验证者)证明他们知道某个信息,而无需揭示该信息的实际内容的协议。特别是,证明者可以证实他们知道解某个复杂问题(如图的哈密顿回路问题,即HC问题)的解决方案,而不泄露任何实质性的信息。
一直以来,已知的所有黑盒零知识证明知识系统都需要非常数轮次的交互来确保安全性。这意味着随着证明过程的进行,证明者和验证者之间的通信次数会随着问题的复杂度而增加。然而,是否能在特定的标准假设下设计出仅需固定轮次的这种证明系统,长期以来一直是一个未解决的问题。
该研究论文由李洪达、冯登国、李宝和薛海霞四位作者共同完成,他们在2012年发表于《中国科学:信息科学》的科研论文中,对这一问题给出了肯定的回答。他们提出了两个针对哈密顿回路问题的常数轮次(黑盒)零知识证明知识构造。这两个构造方法显著地减少了证明过程中所需的交互次数,使得证明过程更加高效且安全。
哈密顿回路问题是指在一个图中找到一个经过每个顶点恰好一次的回路,这是一个典型的NP问题。通过引入这些新的证明构造,研究人员不仅解决了NP问题的零知识证明的轮次效率问题,也为更广泛的零知识证明系统设计提供了可能的思路。
这些成果对于密码学、网络安全以及分布式计算等领域具有重要意义,因为它们提供了一种更为隐私保护的验证方式,特别是在需要验证某人确实知道复杂问题解决方案但又不希望泄露解决方案细节的情况下。此外,这些常数轮次的证明系统还能减轻通信开销,提高系统的可扩展性和效率。
这篇论文解决了关于常数轮次黑盒零知识证明知识的开放性问题,对于理解并优化零知识证明机制有重大贡献,为未来的密码学研究和应用开辟了新的方向。
Li H D, et al. Sci China Inf Sci November 2012 Vol. 55 No. 11 2475
zero-knowledge proof of knowledge protocol for NP, we need a new approach that enables the black-box
simulator and knowledge extractor to work efficiently.
Our approach to solving the problem is to let the challenge be jointly determined by both the prover
and verifier, and then no one can learns or controls it in advance. The advantage that this approach
holds is that the challenge is independent of the prover’s first commitment, and does not need to have
been committed in advance. Thus, on the one hand, the classical knowledge extraction strategy can work
efficiently. On the other hand, instead of modifying the commitment to fit the challenges as usual, the
simulator can try to modify the random challenges by itself in order to give a simulated proof. This is
possible because the random challenge are jointly determined by both the prover and verifier. In other
words, this interactive proof can admit both a (black-box) simulator and a knowledge extractor.
1.3 Organization
In Section 2, the standard definitions and cryptographic tools used in our protocols are presented. We
give a 7-round zero-knowledge proof of knowledge for HC in Section 3. In Section 4, we construct an
optimal-round (5-round) zero-knowledge proof of knowledge for HC.
2 Preliminaries
In this paper, we use some standard notations. If A(·) is a probabilistic algorithm, A(x)istheresult
of running A on input x and y = A(x)denotethaty is set to A(x). For a finite set S,wedenoteby
y ∈
R
S that y is uniformly selected from S.WewriteU
n
to denote a uniform distribution over {0, 1}
n
and poly (·) to denote an unspecified polynomial. As usual, R
L
is the corresponding relation of L ∈ NP.
2.1 Zero-knowledge proof
We recall the definitions of zero-knowledge. These formal definitions are taken from [1,4].
Let P and V be a pair of interactive Turing machines, P, V (x) be a random variable representing
the local output of Turing machine V when interacting with machine P on common input x, when the
random input to each machine is uniformly and independently chosen. Customarily, machine P is called
the prover and machine V is called the verifier. We denote by P, V (x)=1(P, V (x) = 0) that machine
V accepts (rejects) the proofs given by machine P .
Definition 2.1. A pair of interactive Turing machines P, V is called an interactive proof system for
a language L if machine V is polynomial-time and the following two conditions hold:
• Completeness: there exists a negligible function c such that for every x ∈ L,
Pr[P, V (x)=1]> 1 − c(|x|).
• Soundness: there exists a negligible function s such that for every x/∈ L and every interactive
machine B,
Pr[B,V (x)=1]
<s(|x|),
c(·) is called the completeness error, and s(·) the soundness error. In the case where the soundness
condition is required to hold only with respect to a probabilistic polynomial-time prover, P, V is called
an interactive arguments system for L.
An interactive proof is said to be zero-knowledge if the interaction between the prover and verifier
reveals nothing beyond the validity of the assertion to be proved to the verifier. This is formalized by
requiring that for any polynomial-time verifier V
∗
there exists a polynomial-time algorithm S
V
∗
(a.k.a
the simulator) such that the view of V
∗
can be simulated by S
V
∗
. The idea behind this definition is that
whatever V
∗
might have learned from interacting with P , could actually have been obtained by itself.
We denote by View
P
V
∗
(x) a random variable describing the content of the random tape of V
∗
and the
messages V
∗
receives during the interaction with P on common input x.
剩余13页未读,继续阅读
2019-03-28 上传
2020-09-13 上传
2013-11-28 上传
2023-03-31 上传
2023-03-31 上传
2023-03-31 上传
2023-03-31 上传
2023-05-15 上传
2023-07-11 上传
weixin_38692666
- 粉丝: 6
- 资源: 914
我的内容管理
展开
最新资源
- 李兴华Java基础教程:从入门到精通
- U盘与硬盘启动安装教程:从菜鸟到专家
- C++面试宝典:动态内存管理与继承解析
- C++ STL源码深度解析:专家级剖析与关键技术
- C/C++调用DOS命令实战指南
- 神经网络补偿的多传感器航迹融合技术
- GIS中的大地坐标系与椭球体解析
- 海思Hi3515 H.264编解码处理器用户手册
- Oracle基础练习题与解答
- 谷歌地球3D建筑筛选新流程详解
- CFO与CIO携手:数据管理与企业增值的战略
- Eclipse IDE基础教程:从入门到精通
- Shell脚本专家宝典:全面学习与资源指南
- Tomcat安装指南:附带JDK配置步骤
- NA3003A电子水准仪数据格式解析与转换研究
- 自动化专业英语词汇精华:必备术语集锦
