mirror of https://github.com/zcash/zips.git
Give a definition of statistical zero knowledge.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent 8de5358871
commit d6f015c1e5
@ -664,6 +664,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ZKSatisfying}{\mathsf{ZK.SatisfyingInputs}}
\newcommand{\ZKProve}[1]{\mathsf{ZK.}\mathtt{Prove}_{#1}}
\newcommand{\ZKVerify}[1]{\mathsf{ZK.}\mathtt{Verify}_{#1}}
\newcommand{\Simulator}{\mathcal{S}}
\newcommand{\Distinguisher}{\mathcal{D}}
\newcommand{\JoinSplit}{\text{\footnotesize\texttt{JoinSplit}}}
\newcommand{\ZKJoinSplit}{\mathsf{ZK}_{\JoinSplit}}
\newcommand{\ZKJoinSplitVerify}{\ZKJoinSplit\mathsf{.Verify}}
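Review bot: \Simulator and \Distinguisher are introduced as bare \mathcal letters next to the namespaced ZK macros (\ZKSatisfying, \ZKProve, \ZKVerify), and the definition that uses them later on this page calls \Simulator both with no argument, \Simulator(), for key generation and with one, \Simulator(x), for proof simulation, distinguishing the two roles only by arity. Consider either a comment beside these macros stating that convention, or two names (for example \SimulatorGen and \SimulatorProve) so the definition does not rely on overloading.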
@ -673,6 +675,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\JoinSplitProof}{\Proof_{\JoinSplit}}
\newcommand{\zkproof}{\mathtt{zkproof}}
\newcommand{\POUR}{\texttt{POUR}}
\newcommand{\Prob}[2]{\mathrm{Pr}\scalebox{0.88}{\ensuremath{
\left[\!\!\begin{array}{c}#1\end{array} \middle| \begin{array}{l}#2\end{array}\!\!\right]
}}}
% JoinSplit
\newcommand{\hSig}{\mathsf{h_{Sig}}}
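Review bot: the new \Prob macro depends on \scalebox (graphicx) and on \middle (e-TeX), and neither dependency is visible in this hunk; check that graphicx is loaded in the preamble, otherwise the macro fails at its first use. Also, the event column is a centred array with \\ between conditions, so the conjunction between lines such as `(x, w) \in \ZKSatisfying` and `\Distinguisher(\Proof) = 1` is implicit; either an explicit \wedge between them or one sentence at the macro's first use saying that all listed conditions must hold would remove the ambiguity.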
@ -1493,8 +1498,18 @@ a type of commitments $\CommitOutput$, and a type of \commitmentTrapdoors
$\CommitTrapdoor$.
Let $\Commit{} \typecolon \CommitTrapdoor \times \CommitInput \rightarrow \CommitOutput$
be a function satisfying the security requirements of computational hiding
and computational binding, as defined in \todo{need reference}.
be a function satisfying the security requirements below.
\begin{securityrequirements}
\item \textbf{Computational hiding:} For all $x, x' \typecolon \CommitInput$,
the distributions $\{\; \Commit{r}(x) \;|\; r \leftarrowR \CommitTrapdoor \;\}$
and $\{\; \Commit{r}(x') \;|\; r \leftarrowR \CommitTrapdoor \;\}$ are
computationally indistinguishable.
\item \textbf{Computational binding:} It is infeasible to find
$x, x' \typecolon \CommitInput$ and
$r, r' \typecolon \CommitTrapdoor$
such that $x \neq x'$ and $\Commit{r}(x) = \Commit{r'}(x')$.
\end{securityrequirements}
\nsubsubsection{\ZeroKnowledgeProvingSystem} \label{abstractzk}
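Review bot: the computational hiding requirement samples a fresh uniform r for each commitment (`r \leftarrowR \CommitTrapdoor`), so the guarantee only covers commitments whose trapdoors are sampled independently; the sentence introducing \Commit{} should say that honest committers must draw a fresh r every time, since reusing r for two different inputs falls outside the stated distributions. The binding requirement is right to quantify over adversarially chosen r, r' rather than sampled ones. One consistency point: both requirements use asymptotic wording ("computationally indistinguishable", "infeasible") while the proving-system text on this same page says the definitions state concrete security for a fixed circuit; phrasing hiding and binding with the same concrete bound would keep the two sections aligned.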
@ -1533,19 +1548,44 @@ $x \typecolon \ZKPrimary$ and proof $\Proof \typecolon \ZKProof$ such that $\ZKV
there is an efficient extractor $E_{\Adversary}$ such that if $E_{\Adversary}(\vk, \pk)$
returns $w$, then the probability that $(x, w) \not\in \ZKSatisfying$ is negligable.
\item \textbf{Statistical Zero Knowledge:} An honestly generated proof is statistical
zero knowledge. \todo{Full definition.}
zero knowledge. That is, there is a feasible stateful simulator $\Simulator$ such that,
for all stateful distinguishers $\Distinguisher$, the following two probabilities are
negligibly close:
\vspace{0.5ex}
$\;\;\Prob{
(x, w) \in \ZKSatisfying \\
\Distinguisher(\Proof) = 1
}{
(\pk, \vk) \leftarrowR \ZKGen() \\
(x, w) \leftarrowR \Distinguisher(\pk, \vk) \\
\Proof \leftarrowR \ZKProve{\pk}(x, w)
}
\text{\; and \;}
\Prob{
(x, w) \in \ZKSatisfying \\
\Distinguisher(\Proof) = 1
}{
(\pk, \vk) \leftarrowR \Simulator() \\
(x, w) \leftarrowR \Distinguisher(\pk, \vk) \\
\Proof \leftarrowR \Simulator(x)
}$
\end{securityrequirements}
These definitions are derived from those in \cite[Appendix C]{BCTV2014}, adapted to
state concrete rather than asymptotic security. ($\ZKProve{}$ corresponds to $P$,
$\ZKVerify{}$ corresponds to $V$, and $\ZKSatisfying$ corresponds to $\mathcal{R}_C$
in the notation of that appendix.)
state concrete security for a fixed circuit, rather than asymptotic security for
arbitrary circuits. ($\ZKProve{}$ corresponds to $P$, $\ZKVerify{}$ corresponds to $V$,
and $\ZKSatisfying$ corresponds to $\mathcal{R}_C$ in the notation of that appendix.)
The Proof of Knowledge definition is a way to formalize the property that it is
infeasible to find a new proof $\Proof$ where $\ZKVerify{\vk}(x, \Proof) = 1$ without
\emph{knowing} an \auxiliaryInput $w$ such that $(x, w) \in \ZKSatisfying$.
(It is possible to replay proofs, but informally, a proof for a given $(x, w)$ gives
no information that helps to find a proof for other $(x, w)$.)
Note that Proof of Knowledge implies Soundness --- i.e.\ the property that it is
infeasible to find a new proof $\Proof$ where $\ZKVerify{\vk}(x, \Proof) = 1$ without
\emph{there existing} an \auxiliaryInput $w$ such that $(x, w) \in \ZKSatisfying$.
It is possible to replay proofs, but informally, a proof for a given $(x, w)$ gives
no information that helps to find a proof for other $(x, w)$.
The \provingSystem is instantiated in \crossref{proofs}.
$\ZKJoinSplit$ refers to this \provingSystem specialized to the \joinSplitStatement
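Review bot: the Statistical Zero Knowledge definition should state explicitly that \Distinguisher may be computationally unbounded; "for all stateful distinguishers" admits that reading, but with "feasible" attached to the simulator in the same sentence a reader can easily assume the same bound on \Distinguisher, which would make this computational rather than statistical zero knowledge. The definition also relies on \Simulator being stateful so that whatever \Simulator() keeps back from key generation is available to \Simulator(x) when it produces \Proof without w; one clause saying that the simulator's state is what links the two calls would make that explicit rather than implied. While this paragraph is open, the unchanged context line "the probability that $(x, w) \not\in \ZKSatisfying$ is negligable" has a typo: "negligible".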
@ -4035,6 +4075,15 @@ The errors in the proof of Ledger Indistinguishability mentioned in
\introlist
\nsection{Change history}
\subparagraph{2017.0-beta-2.2}
\begin{itemize}
\item Give definitions of computational binding and computational hiding
for commitment schemes.
\item Give a definition of statistical zero knowledge.
\end{itemize}
\introlist
\subparagraph{2017.0-beta-2.1}
\begin{itemize}
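Review bot: the 2017.0-beta-2.2 entry records the two new definitions but not the other substantive edits in this commit: the reworded remark that the proving-system definitions state concrete security for a fixed circuit rather than asymptotic security for arbitrary circuits, and the new note that Proof of Knowledge implies Soundness. Readers tracking changes to the security definitions will look here first, so add an \item for each.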