Skip to main content
Article thumbnail
Location of Repository

600.641 Special Topics in Theoretical Cryptography 02/06/06 Lecture 6: ZK Continued and Proofs of Knowledge



At the end of last class, there were some questions about how simulators work. In particular, there was a question about why a verifier who hashes the messages of the prover was NOT a problem for the simulator we described for (sequential composition) 3COL, but was a problem for the simulator we described for the parallel composition of ISO. The same logic applies to the (sequential composition) ISO and the parallel composition for ISO. Let’s review these protocols and simulators. First, lets consider the ISO protocol. Recall the steps in this protocol with a verifier who chooses “G ” or “H ” based on a hash of the provers first message, rather than randomness: 1. Prover sends random permutation of G, C = φ(G). 2. Verifier sends “G ” if hash(C)=1 and “H ” if hash(C)=0. 3. Prover sends φ if “G ” received and φ∗π −1 if “H ” received. We’ll call this permutation α. 4. Verifier checks that C = α(G or H). Again, this is the same as the ISO example we have repeatedly seen, except for the fact that instead of the verifier randomly choosing “G ” or “H ” in step two, it is chosen base

Year: 2009
OAI identifier: oai:CiteSeerX.psu:
Provided by: CiteSeerX
Download PDF:
Sorry, we are unable to provide the full text but you may find it at the following location(s):
  • (external link)
  • (external link)
  • Suggested articles

    To submit an update or takedown request for this paper, please submit an Update/Correction/Removal Request.