3,487 research outputs found
Deterministic-Prover Zero-Knowledge Proofs
Zero-knowledge proof systems enable a prover to convince a verifier of the
validity of a statement without revealing anything beyond that fact. The role
of randomness in interactive proofs in general, and in zero-knowledge in
particular, is well known. In particular, zero-knowledge with a deterministic
verifier is impossible for non-trivial languages (outside of
). Likewise, it was shown by Goldreich and Oren (Journal of
Cryptology, 1994) that zero-knowledge with a deterministic prover is also
impossible for non-trivial languages. However, their proof holds only for
auxiliary-input zero knowledge and a malicious verifier.
In this paper, we initiate the study of the feasibility of zero-knowledge
proof systems with a deterministic prover in settings not covered by the
result of Goldreich and Oren. We prove the existence of deterministic-prover
auxiliary-input honest-verifier zero-knowledge for any
language, under standard assumptions. In addition, we show that any language
with a hash proof system has a deterministic-prover honest-verifier
statistical zero-knowledge proof, with an efficient prover. Finally, we show
that in some cases, it is even possible to achieve deterministic-prover
uniform zero-knowledge for a malicious verifier.
Our contribution is primarily conceptual, and sheds light on the necessity of
randomness in zero knowledge in settings where either the verifier is honest
or there is no auxiliary input
Increasing the power of the verifier in Quantum Zero Knowledge
In quantum zero knowledge, the assumption was made that the verifier is only
using unitary operations. Under this assumption, many nice properties have been
shown about quantum zero knowledge, including the fact that Honest-Verifier
Quantum Statistical Zero Knowledge (HVQSZK) is equal to Cheating-Verifier
Quantum Statistical Zero Knowledge (QSZK) (see [Wat02,Wat06]).
In this paper, we study what happens when we allow an honest verifier to flip
some coins in addition to using unitary operations. Flipping a coin is a
non-unitary operation but doesn't seem at first to enhance the cheating
possibilities of the verifier since a classical honest verifier can flip coins.
In this setting, we show an unexpected result: any classical Interactive Proof
has an Honest-Verifier Quantum Statistical Zero Knowledge proof with coins.
Note that in the classical case, honest verifier SZK is no more powerful than
SZK and hence it is not believed to contain even NP. On the other hand, in the
case of cheating verifiers, we show that Quantum Statistical Zero Knowledge
where the verifier applies any non-unitary operation is equal to Quantum
Zero-Knowledge where the verifier uses only unitaries.
One can think of our results in two complementary ways. If we would like to
use the honest verifier model as a means to study the general model by taking
advantage of their equivalence, then it is imperative to use the unitary
definition without coins, since with the general one this equivalence is most
probably not true. On the other hand, if we would like to use quantum zero
knowledge protocols in a cryptographic scenario where the honest-but-curious
model is sufficient, then adding the unitary constraint severely decreases the
power of quantum zero knowledge protocols.Comment: 17 pages, 0 figures, to appear in FSTTCS'0
A Protocol for Generating Random Elements with their Probabilities
We give an AM protocol that allows the verifier to sample elements x from a
probability distribution P, which is held by the prover. If the prover is
honest, the verifier outputs (x, P(x)) with probability close to P(x). In case
the prover is dishonest, one may hope for the following guarantee: if the
verifier outputs (x, p), then the probability that the verifier outputs x is
close to p. Simple examples show that this cannot be achieved. Instead, we show
that the following weaker condition holds (in a well defined sense) on average:
If (x, p) is output, then p is an upper bound on the probability that x is
output. Our protocol yields a new transformation to turn interactive proofs
where the verifier uses private random coins into proofs with public coins. The
verifier has better running time compared to the well-known Goldwasser-Sipser
transformation (STOC, 1986). For constant-round protocols, we only lose an
arbitrarily small constant in soundness and completeness, while our public-coin
verifier calls the private-coin verifier only once
Quantum Proofs
Quantum information and computation provide a fascinating twist on the notion
of proofs in computational complexity theory. For instance, one may consider a
quantum computational analogue of the complexity class \class{NP}, known as
QMA, in which a quantum state plays the role of a proof (also called a
certificate or witness), and is checked by a polynomial-time quantum
computation. For some problems, the fact that a quantum proof state could be a
superposition over exponentially many classical states appears to offer
computational advantages over classical proof strings. In the interactive proof
system setting, one may consider a verifier and one or more provers that
exchange and process quantum information rather than classical information
during an interaction for a given input string, giving rise to quantum
complexity classes such as QIP, QSZK, and QMIP* that represent natural quantum
analogues of IP, SZK, and MIP. While quantum interactive proof systems inherit
some properties from their classical counterparts, they also possess distinct
and uniquely quantum features that lead to an interesting landscape of
complexity classes based on variants of this model.
In this survey we provide an overview of many of the known results concerning
quantum proofs, computational models based on this concept, and properties of
the complexity classes they define. In particular, we discuss non-interactive
proofs and the complexity class QMA, single-prover quantum interactive proof
systems and the complexity class QIP, statistical zero-knowledge quantum
interactive proof systems and the complexity class \class{QSZK}, and
multiprover interactive proof systems and the complexity classes QMIP, QMIP*,
and MIP*.Comment: Survey published by NOW publisher
Perfect zero knowledge for quantum multiprover interactive proofs
In this work we consider the interplay between multiprover interactive
proofs, quantum entanglement, and zero knowledge proofs - notions that are
central pillars of complexity theory, quantum information and cryptography. In
particular, we study the relationship between the complexity class MIP, the
set of languages decidable by multiprover interactive proofs with quantumly
entangled provers, and the class PZKMIP, which is the set of languages
decidable by MIP protocols that furthermore possess the perfect zero
knowledge property.
Our main result is that the two classes are equal, i.e., MIP
PZKMIP. This result provides a quantum analogue of the celebrated result of
Ben-Or, Goldwasser, Kilian, and Wigderson (STOC 1988) who show that MIP
PZKMIP (in other words, all classical multiprover interactive protocols can be
made zero knowledge). We prove our result by showing that every MIP
protocol can be efficiently transformed into an equivalent zero knowledge
MIP protocol in a manner that preserves the completeness-soundness gap.
Combining our transformation with previous results by Slofstra (Forum of
Mathematics, Pi 2019) and Fitzsimons, Ji, Vidick and Yuen (STOC 2019), we
obtain the corollary that all co-recursively enumerable languages (which
include undecidable problems as well as all decidable problems) have zero
knowledge MIP protocols with vanishing promise gap
Rational Proofs with Multiple Provers
Interactive proofs (IP) model a world where a verifier delegates computation
to an untrustworthy prover, verifying the prover's claims before accepting
them. IP protocols have applications in areas such as verifiable computation
outsourcing, computation delegation, cloud computing. In these applications,
the verifier may pay the prover based on the quality of his work. Rational
interactive proofs (RIP), introduced by Azar and Micali (2012), are an
interactive-proof system with payments, in which the prover is rational rather
than untrustworthy---he may lie, but only to increase his payment. Rational
proofs leverage the provers' rationality to obtain simple and efficient
protocols. Azar and Micali show that RIP=IP(=PSAPCE). They leave the question
of whether multiple provers are more powerful than a single prover for rational
and classical proofs as an open problem.
In this paper, we introduce multi-prover rational interactive proofs (MRIP).
Here, a verifier cross-checks the provers' answers with each other and pays
them according to the messages exchanged. The provers are cooperative and
maximize their total expected payment if and only if the verifier learns the
correct answer to the problem. We further refine the model of MRIP to
incorporate utility gap, which is the loss in payment suffered by provers who
mislead the verifier to the wrong answer.
We define the class of MRIP protocols with constant, noticeable and
negligible utility gaps. We give tight characterization for all three MRIP
classes. We show that under standard complexity-theoretic assumptions, MRIP is
more powerful than both RIP and MIP ; and this is true even the utility gap is
required to be constant. Furthermore the full power of each MRIP class can be
achieved using only two provers and three rounds. (A preliminary version of
this paper appeared at ITCS 2016. This is the full version that contains new
results.)Comment: Proceedings of the 2016 ACM Conference on Innovations in Theoretical
Computer Science. ACM, 201
ROYALE: A Framework for Universally Composable Card Games with Financial Rewards and Penalties Enforcement
While many tailor made card game protocols are known, the vast majority of those suffer from three main issues: lack of mechanisms for distributing financial rewards and punishing cheaters, lack of composability guarantees and little flexibility, focusing on the specific game of poker. Even though folklore holds that poker protocols can be used to play any card game, this conjecture remains unproven and, in fact, does not hold for a number of protocols (including recent results). We both tackle the problem of constructing protocols for general card games and initiate a treatment of such protocols in the Universal Composability (UC) framework, introducing an ideal functionality that captures general card games constructed from a set of core card operations. Based on this formalism, we introduce Royale, the first UC-secure general card games which supports financial rewards/penalties enforcement. We remark that Royale also yields the first UC-secure poker protocol. Interestingly, Royale performs better than most previous works (that do not have composability guarantees), which we highlight through a detailed concrete complexity analysis and benchmarks from a prototype implementation
- …