3-round weak zero-knowledge proofs for [Nu] [Rho]
Author(s)
Lim, Dah-Yoh, 1978-
Alternative title
Three-round weak ZK proofs for [Nu] [Rho]
Other Contributors
Massachusetts Institute of Technology. Dept. of Electrical Engineering and Computer Science.
Advisor
Shafi Goldwasser.
Abstract
(cont.) to the verifier. We consider an implementation of a weakened notion of zero-knowledge (weak ZK) where the simulator is allowed to depend on the distinguisher as well, so this type of ZK entails exhibiting an efficient simulator for every efficient (Verifier, Distinguisher) pair. This notion is interesting because in many applications of ZK protocols, weak ZK is actually enough. In addition, Goldreich and Krawczyk's proof (SICOMP 1996) of the non-existence of 3-round black-box ZK protocols carries over to weak ZK directly, so we know that 3-round black-box weak ZK protocols do not exist. In this thesis we are concerned with 3-round proofs for NP: under the standard computational Diffie-Hellman assumption, we construct a 3-round weak ZK proof for NP with inverse-polynomial soundness error. To the best of our knowledge, there have been two constructive results, of Hada and Tanaka (Crypto 1998) and Lepinski (MIT Master's thesis 2001) respectively, stating that assuming some non-standard assumptions, 3-round (traditional) ZK protocols (arguments or proofs respectively) for NP with negligible soundness error do exist. We use the idea of intertwining Oblivious Transfer with a ZK protocol given by Lepinski to prove our result. For every verifier and distinguisher, we construct a different simulator. The technique of simulation is novel and we believe it will have future uses. For instance, our protocol is actually WI with negligible soundness error, by virtue of Feige and Shamir's result (STOC 1990) that WI protocols do compose in parallel. Furthermore, since the first two rounds of our protocol are actually independent of the theorem to be proven, we can think of these two rounds as an interactive setup phase after which the prover can non-interactively prove
Description
Thesis (S.M.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2004. In title on t.p., "[Nu]" and "[Rho]" appear as upper-case Greek letters. Includes bibliographical references (p. 57-61).
Date issued
2004
Department
Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science
Publisher
Massachusetts Institute of Technology
Keywords
Electrical Engineering and Computer Science.