Abstract
In a witness hiding protocol the prover tries to convince the verifier that he knows a witness to an instance of an \(\mathbf{NP}\) problem without revealing the witness. We propose a new look at witness hiding based on the information conveyed in each particular instance of the protocol.
We introduce the concept of individual witness hiding (IWH) and prove that zero-knowledge protocols for classical problems like \(\mathbb {HAM}\) are not IWH. On the other hand, we show that all \(\mathbf{FewP}\) problems have an IWH protocol. Finally, by introducing a Kolmogorov string commitment protocol we can show that all \(\mathbf{FewP}\) problems have an IWH protocol that is zero-knowledge relative to an oracle.
A. Teixeira—Work was funded by PEst-OE/EEI/LA0008/2013 of Instituto de Telecomunicações and LASIGE, ref. UID/CEC/00408/2013 and Confident project PTDC/EEI-CTP/4503/2014. A.T. thanks the scholarship 6585/BPD B3-A/2018 within project “NanoSTIMA” ref. NORTE-01-0145-FEDER-000016 under PORTUGAL 2020 and ERDF. L.A. acknowledges the Digi-NewB project funded from the European Union's Horizon 2020 research and innovation programme under grant agreement No 689260.
Acknowledgements
A very special thanks is due to S. Laplante for many discussions. We would also like to thank P. Vitányi, D. Ziao and A. Matos.
6 Appendix
We now provide the proof of Theorem 4.
Proof
The proof of perfect completeness is similar to the proof of the original protocol. Notice that, if \(\mathcal {P}\) is able to choose the strings \(z_j\) as in the Protocol (for the existence of such strings see below and Theorem 2), then, since \((x,n)\in \mathbb {QR}\) and \(\mathcal {P}\) knows u such that \(u^2\equiv x \mod n\), the Prover is able to fulfill both challenges of \(\mathcal {V}\), and hence the probability of \(\mathcal {P}\) convincing \(\mathcal {V}\) is 1.
On the other hand, if \((x,n)\notin \mathbb {QR}\) then, no matter what \(\mathcal {P}\) does, there is no way for \(\mathcal {P}\) to fulfill both challenges of \(\mathcal {V}\). In particular, the best we can do is to guess which challenge \(\mathcal {V}\) will give us. The probability of guessing the challenge correctly and preparing the proper commitment for that challenge is 1/2. Hence, the probability of passing all the m rounds is \(2^{-m}\). Since m is logarithmic in |(x, n)|, \(2^{-m}\) is inverse polynomial in |(x, n)|.
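The soundness argument above (a prover without a square root of x can do no better than guess the verifier's challenge, so m rounds leave it a \(2^{-m}\) chance) can be checked directly on the classical quadratic residuosity protocol that the proof builds on. The Python below is an added example, not code from the paper: it implements that protocol with a toy modulus and witness constructed here, with the prover revealing v or uv exactly as in the proof, and it omits the paper's Kolmogorov-complexity condition on v (which is not computable), drawing v uniformly instead. The names, the modulus and the witness are all assumptions of this example.

```python
# Added example (not code from the paper): the classical quadratic residuosity
# protocol of Goldwasser, Micali and Rackoff, which the proof of Theorem 4 builds on.
# Assumptions, not from the page: a toy modulus n = 11 * 19 and witness u = 7;
# the prover's v is drawn uniformly instead of under the paper's K^t condition
# (that condition is not computable, so it is omitted here).
import random
from math import gcd

N = 11 * 19            # constructed toy modulus (a real one would be ~2048-bit)
U = 7                  # constructed witness: the prover's secret square root
X = pow(U, 2, N)       # public instance x = u^2 mod n, so (x, n) is in QR


def random_unit(n, rng):
    """Uniform element of Z_n^* (so that v -> u*v mod n is injective)."""
    while True:
        v = rng.randrange(1, n)
        if gcd(v, n) == 1:
            return v


def honest_prover_round(n, u, x, rng):
    """Commit to y = v^2; answer challenge 0 with v and challenge 1 with u*v."""
    v = random_unit(n, rng)
    y = pow(v, 2, n)
    return y, lambda b: v if b == 0 else (u * v) % n


def cheating_prover_round(n, x, rng):
    """A prover without u guesses the challenge and prepares only that answer.

    guess 0: y = w^2, so w answers challenge 0 (w^2 == y).
    guess 1: y = w^2 * x^{-1}, so w answers challenge 1 (w^2 == x*y).
    The other challenge cannot be answered without a square root of x.
    """
    guess = rng.randrange(2)
    w = random_unit(n, rng)
    y = pow(w, 2, n) if guess == 0 else (pow(w, 2, n) * pow(x, -1, n)) % n
    return y, lambda b: w


def verify(n, x, y, b, w):
    """Verifier's check: w^2 == y (b = 0) or w^2 == x*y (b = 1), with w a unit."""
    if not 0 < w < n or gcd(w, n) != 1:
        return False
    target = y if b == 0 else (x * y) % n
    return pow(w, 2, n) == target


def run_protocol(n, x, round_fn, m, rng):
    """m rounds; each round the verifier picks a fresh random challenge."""
    for _ in range(m):
        y, respond = round_fn()
        b = rng.randrange(2)
        if not verify(n, x, y, b, respond(b)):
            return False
    return True


def cheating_success_rate(n, x, m, trials, seed):
    """Fraction of runs a witness-less prover survives; tends to 2^-m."""
    rng = random.Random(seed)
    wins = sum(run_protocol(n, x, lambda: cheating_prover_round(n, x, rng), m, rng)
               for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    rng = random.Random(0)
    print("honest prover, 20 rounds:",
          run_protocol(N, X, lambda: honest_prover_round(N, U, X, rng), 20, rng))
    for m in (1, 5, 10):
        print(f"cheating prover, m={m}: {cheating_success_rate(N, X, m, 2000, 1):.4f}")
```

Running it shows the honest prover passing every round while the guessing prover's success rate falls from about 1/2 at m = 1 to roughly \(2^{-10}\) at m = 10; the injectivity of \(v\mapsto uv\) used later in the proof is exactly why the verifier insists that the revealed value be a unit.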
Now we observe that, at each round, there are exponentially many strings \(v_j\) that can be chosen.
Consider \(\ell = \log n\) and observe that \(|(x,n)|\le 2\ell \).
At round j, \(j-1\) strings have already been revealed. Then the tuple \(\langle z_1,...,z_{j-1}\rangle \) has polynomial size in \(\ell \) and hence, by Theorem 2, for any constant d there are at least \(2^{\ell }-2^{\ell -e}\) strings \(v\in \varSigma ^{\ell }\) such that \({\mathbf {K}}^t(u_1,u_2,u_3,u_4|x,n,z_1,...,z_{j-1},v)\ge {\mathbf {K}}^t(u_1,u_2,u_3,u_4|x,n,z_1,...,z_{j-1})-d\), for some constant e sufficiently large. Let A be the set of such strings. Since \(\gcd(x,n)=1\) (otherwise the instance of \(\mathbb {QR}\) would be easy to solve), and hence \(\gcd(u,n)=1\), the function \(f_{u}(v)=u v\) is injective. Hence \(f_{u}(A)\) also has at least \(2^{\ell }-2^{\ell -e}\) elements. Therefore, as both sets lie in \(\varSigma ^{\ell }\), \(A\cap f_{u}(A)\) has at least \(2(2^{\ell }-2^{\ell -e})-2^{\ell }=2^{\ell }- 2^{\ell - e + 1 }\) elements.
Notice that every v in \(A\cap f_{u}(A)\) satisfies the requirements for round j since, in particular, we have \({\mathbf {K}}^t(u_i|x,n,z_1,...,z_{j-1},v)\ge {\mathbf {K}}^t(u_i|x,n,z_1,...,z_{j-1})- d'\) and \({\mathbf {K}}^t(u_i|x,n,z_1,...,z_{j-1},uv)\ge {\mathbf {K}}^t(u_i|x,n,z_1,...,z_{j-1})- d'\) for \(i=1,\dots ,4\) and for some constant \(d'\) depending on d.
To complete the proof we only need to show that, at the end of the protocol, the amount of information that is leaked about the witnesses is logarithmic. Notice that, by the choice of the v’s, only a constant number of bits of information is leaked between rounds.
So, for all \(u_i=u_1,...,u_4\) we have
Next we provide the proof of Theorem 5.
Proof
Similarly to the proof presented for Protocol 2, perfect completeness follows from the fact that, if \(\mathcal {P}\) is able to choose the permutations \(\pi \) as in the Protocol (for the existence of such permutations see below and Theorem 2), then, since \(H\in \mathbb {FHAM}\) and \(\mathcal {P}\) knows a Hamiltonian path, the Prover is able to fulfill both challenges of \(\mathcal {V}\), and hence the probability of \(\mathcal {P}\) convincing \(\mathcal {V}\) is 1.
On the other hand, if H is not Hamiltonian then, no matter what \(\mathcal {P}\) does, there is no way for \(\mathcal {P}\) to fulfill both challenges of \(\mathcal {V}\). In particular, the best we can do is to guess which challenge \(\mathcal {V}\) will give us. The probability of guessing the challenge correctly and preparing the proper commitment for that challenge is 1/2. Hence, the probability of passing all the m rounds is \(2^{-m}\). Since m is logarithmic in |H|, \(2^{-m}\) is inverse polynomial in |H|.
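The same guess-the-challenge bound can be exercised on the classical Hamiltonian cycle protocol that this proof refers to, where the prover commits to a permuted copy \(\pi (H)\) of the graph and then reveals either \(\pi \) or the permuted cycle \(\pi (c)\). The Python below is an added example, not code from the paper: the two 5-vertex graphs, the salted SHA-256 commitment and all function names are assumptions of this example, and the permutation is drawn uniformly rather than under the paper's Kolmogorov-complexity condition (which is not computable).

```python
# Added example (not code from the paper): the classical Blum-style Hamiltonian
# cycle protocol that the proof of Theorem 5 refers to, with the permuted graph
# committed entry by entry under a salted SHA-256 commitment.  Assumptions, not
# from the page: the 5-vertex toy graphs are constructed, and the permutation is
# drawn uniformly instead of under the paper's (uncomputable) K^t condition.
import hashlib
import random

N_V = 5
# Constructed Hamiltonian graph: cycle 0-1-2-3-4-0 plus the chord (0, 2).
HAM_EDGES = {frozenset(e) for e in [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2)]}
HAM_CYCLE = [0, 1, 2, 3, 4]
STAR_EDGES = {frozenset(e) for e in [(0, 1), (0, 2), (0, 3), (0, 4)]}  # not Hamiltonian

def adjacency(n, edges):
    return [[1 if i != j and frozenset((i, j)) in edges else 0 for j in range(n)]
            for i in range(n)]

def permute_graph(edges, pi):
    """Relabel every edge {a, b} as {pi[a], pi[b]}."""
    return {frozenset(pi[v] for v in e) for e in edges}

def cycle_edges(cyc):
    return [(cyc[k], cyc[(k + 1) % len(cyc)]) for k in range(len(cyc))]

def commit_matrix(adj, rng):
    """Salted hash commitment to every adjacency bit; returns (commitments, salts)."""
    coms, salts = {}, {}
    for i, row in enumerate(adj):
        for j, bit in enumerate(row):
            salt = rng.getrandbits(128).to_bytes(16, "big")
            coms[(i, j)] = hashlib.sha256(salt + bytes([bit])).hexdigest()
            salts[(i, j)] = salt
    return coms, salts

def openings(keys, salts, adj):
    return {k: (salts[k], adj[k[0]][k[1]]) for k in keys}

def honest_round(n, edges, cycle, rng):
    pi = list(range(n))
    rng.shuffle(pi)
    adj = adjacency(n, permute_graph(edges, pi))
    coms, salts = commit_matrix(adj, rng)

    def respond(b):
        if b == 0:                    # challenge 0: reveal pi and open the whole matrix
            return "perm", pi, openings(coms, salts, adj)
        cyc = [pi[v] for v in cycle]  # challenge 1: reveal pi(c), open only its edges
        return "cycle", cyc, openings(cycle_edges(cyc), salts, adj)
    return coms, respond

def cheating_round(n, edges, rng):
    """No cycle known: guess the challenge and commit to a matrix that answers only it."""
    guess = rng.randrange(2)
    pi = list(range(n))
    rng.shuffle(pi)
    if guess == 0:   # a genuine copy pi(H): can answer challenge 0 only
        adj, fake = adjacency(n, permute_graph(edges, pi)), None
    else:            # a bare random cycle, not a copy of H: can answer challenge 1 only
        fake = pi[:]
        adj = adjacency(n, {frozenset(e) for e in cycle_edges(fake)})
    coms, salts = commit_matrix(adj, rng)

    def respond(b):
        if b == 0:
            return "perm", pi, openings(coms, salts, adj)
        if fake is None:
            return "cycle", [], {}
        return "cycle", fake, openings(cycle_edges(fake), salts, adj)
    return coms, respond

def verify(n, edges, coms, b, answer):
    kind, data, opened = answer
    for k, (salt, bit) in opened.items():  # every opening must match its commitment
        if k not in coms or hashlib.sha256(salt + bytes([bit])).hexdigest() != coms[k]:
            return False
    if b == 0:  # the fully opened matrix must be exactly pi(H)
        if kind != "perm" or sorted(data) != list(range(n)) or set(opened) != set(coms):
            return False
        adj = adjacency(n, permute_graph(edges, data))
        return all(bit == adj[i][j] for (i, j), (_, bit) in opened.items())
    if kind != "cycle" or len(data) != n or len(set(data)) != n:
        return False  # must visit all n vertices exactly once
    return all(e in opened and opened[e][1] == 1 for e in cycle_edges(data))

def run_protocol(n, edges, round_fn, m, rng):
    for _ in range(m):
        coms, respond = round_fn()
        b = rng.randrange(2)
        if not verify(n, edges, coms, b, respond(b)):
            return False
    return True

def cheating_success_rate(n, edges, m, trials, seed):
    """Fraction of runs a cycle-less prover survives; tends to 2^-m."""
    rng = random.Random(seed)
    wins = sum(run_protocol(n, edges, lambda: cheating_round(n, edges, rng), m, rng)
               for _ in range(trials))
    return wins / trials
```

On the star graph, which has no Hamiltonian cycle, the cheating prover survives a single round about half the time and m rounds about \(2^{-m}\) of the time, while the honest prover on `HAM_EDGES` passes every round; `cheating_success_rate(N_V, STAR_EDGES, 8, 1000, 11)` gives an empirical estimate of the latter.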
Now we observe that, at each round there are exponentially many strings \(\pi \) that can be chosen. Notice that any permutation \(\pi \) can be described with \(n\log n\) bits where n is the number of vertices in H. Let \(\ell = n\log n\).
At round j, \(j-1\) strings have already been revealed, each of which is either a permutation or a permuted cycle. Then the tuple \(\langle z_1,...,z_{j-1}\rangle \) has polynomial size in \(\ell \) and hence, by Theorem 2, for any constant d there are at least \(2^{\ell }-2^{\ell -e}\) permutations \(\pi \in \varSigma ^{\ell }\) such that \({\mathbf {K}}^t(\langle c_1,...,c_j\rangle |H,z_1,...,z_{j-1},\pi )\ge {\mathbf {K}}^t(\langle c_1,...,c_j\rangle |H,z_1,...,z_{j-1})-d\), for some constant e sufficiently large. On the other hand, since \(|\pi (c)|=\ell \), there are also at least \(2^{\ell }-2^{\ell -e}\) permutations \(\pi \in \varSigma ^{\ell }\) such that \({\mathbf {K}}^t(\langle c_1,...,c_j\rangle |H,z_1,...,z_{j-1},\pi (c))\ge {\mathbf {K}}^t(\langle c_1,...,c_j\rangle |H,z_1,...,z_{j-1})-d\), for some constant e sufficiently large. Then, again by counting the intersection of these two subsets of \(\varSigma ^{\ell }\), there are at least \(2^\ell - 2^{\ell -e+1}\) possible permutations satisfying the conditions required in the protocol.
To complete the proof we have to show that the amount of information that is leaked about the paths is only logarithmic. So, for every path \(c_i\) that is a cycle in G we have
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
Cite this paper
Souto, A., Antunes, L., Mateus, P., Teixeira, A. (2018). Witness Hiding Without Extractors or Simulators. In: Manea, F., Miller, R., Nowotka, D. (eds) Sailing Routes in the World of Computation. CiE 2018. Lecture Notes in Computer Science, vol 10936. Springer, Cham. https://doi.org/10.1007/978-3-319-94418-0_40
DOI: https://doi.org/10.1007/978-3-319-94418-0_40
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-94417-3
Online ISBN: 978-3-319-94418-0