Witness Hiding Without Extractors or Simulators

  • Conference paper
  • In: Sailing Routes in the World of Computation (CiE 2018)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 10936)

Abstract

In a witness hiding protocol the prover tries to convince the verifier that he knows a witness to an instance of an \(\mathbf{NP}\) problem without revealing the witness. We propose a new look at witness hiding based on the information conveyed in each particular instance of the protocol.

We introduce the concept of individual witness hiding (IWH) and prove that zero-knowledge protocols for classical problems like \(\mathbb {HAM}\) are not IWH. On the other hand, we show that all \(\mathbf{FewP}\) problems have an IWH protocol. Finally, by introducing a Kolmogorov string commitment protocol we can show that all \(\mathbf{FewP}\) problems have an IWH protocol that is zero-knowledge relative to an oracle.

A. Teixeira—Work was funded by PEst-OE/EEI/LA0008/2013 of Instituto de Telecomunicações and LASIGE, ref. UID/CEC/00408/2013 and Confident project PTDC/EEI-CTP/4503/2014. A.T. thanks the scholarship 6585/BPD B3-A/2018 within project “NanoSTIMA” ref. NORTE-01-0145-FEDER-000016 under PORTUGAL 2020 and ERDF. L.A. acknowledges Digi-NewB project funded from the European Union's Horizon 2020 research and innovation programme under grant agreement No 689260.

Acknowledgements

A very special thanks is due to S. Laplante for many discussions. We also would like to thank P. Vitányi, D. Ziao and A. Matos.

Corresponding author

Correspondence to André Souto.

6 Appendix

We now provide the proof of Theorem 4.

Proof

The proof of perfect completeness is similar to the proof of the original protocol. If \(\mathcal {P}\) is able to choose the strings \(z_j\) as in the Protocol (for the existence of such strings see below and Theorem 2), then, since \((x,n)\in \mathbb {QR}\) and \(\mathcal {P}\) knows u such that \(u^2\equiv x \pmod n\), the Prover is able to fulfill both challenges of \(\mathcal {V}\), and hence the probability of \(\mathcal {P}\) convincing \(\mathcal {V}\) is 1.

On the other hand, if \((x,n)\notin \mathbb {QR}\) then, no matter what \(\mathcal {P}\) does, \(\mathcal {P}\) cannot fulfill both challenges of \(\mathcal {V}\). In particular, the best \(\mathcal {P}\) can do is to guess which challenge \(\mathcal {V}\) will give. The probability of correctly guessing the challenge and preparing the proper commitment for that challenge is 1/2. Hence, the probability of passing all the m rounds is \(2^{-m}\). Since m is logarithmic in \(|(x,n)|\), \(2^{-m}\) is a polynomial in \(|(x,n)|\).

Now we observe that at each round there are exponentially many strings \(v_j\) that can be chosen.

Consider \(\ell = \log n\) and observe that \(|(x,n)|\le 2\ell \).

At round j, \(j-1\) strings have already been revealed. Then the tuple \(\langle z_1,...,z_{j-1}\rangle \) has polynomial size in \(\ell \) and hence, by Theorem 2, for any constant d there are at least \(2^{\ell }-2^{\ell -e}\) strings \(v\in \varSigma ^{\ell }\) such that \({\mathbf {K}}^t(u_1,u_2,u_3,u_4|x,n,z_1,...,z_{j-1},v)\ge {\mathbf {K}}^t(u_1,u_2,u_3,u_4|x,n,z_1,...,z_{j-1})-d\) for some constant e sufficiently large. Let A be the set of such strings. Since \(\gcd (x,n)=1\) (otherwise the instance of \(\mathbb {QR}\) would be easy to solve), the function \(f_{u}(v)=u v\) is injective. Hence \(f_{u}(A)\) also has at least \(2^{\ell }-2^{\ell -e}\) elements. Therefore \(A\cap f_{u}(A)\) has at least \(2(2^{\ell }-2^{m-\ell })-2^m=2^{m}- 2^{m-\ell - 1 }\) elements.

Notice that every v in \(A\cap f_{u_1}(A)\) satisfies the requirements for round j since, in particular, we have \({\mathbf {K}}^t(u_i|x,n,z_1,...,z_{j-1},v)\ge {\mathbf {K}}^t(u_i|x,n,z_1,...,z_{j-1})- d'\) and \({\mathbf {K}}^t(u_i|x,n,z_1,...,z_{j-1},uv)\ge {\mathbf {K}}^t(u_i|x,n,z_1,...,z_{j-1})- d'\) for \(i=1,...,4\) and for some constant \(d'\) depending on d.

To complete the proof we only need to show that, at the end of the protocol, the amount of information that is leaked about the witnesses is logarithmic. Notice that, by the choice of the v's, only a constant number of bits of information is leaked between rounds.

So, for all \(u_i=u_1,...,u_4\) we have

$$
\begin{array}{rcl}
{\mathbf {KC}}_{\mathcal {P},\mathcal {V}}^t(u_i;(x,n)) &=& \displaystyle \max _{c\in C}\big ({\mathbf {K}}^t(u_i|x,n)-{\mathbf {K}}^t(u|x,n,c_{\mathcal {P}\mathcal {V}})\big )\\
&=& {\mathbf {K}}^t(u_i|x,n)-{\mathbf {K}}^t(u_i|x,n,z_1,...,z_m)\\
&\le & {\mathbf {K}}^t(u_i|x,n)- {\mathbf {K}}^t(u_i|x,n,z_1,...,z_{m-2}) + d_m + d_{m-1}\\
&\le & {\mathbf {K}}^t(u_i|x,n)- {\mathbf {K}}^t(u_i|x,n) + d_m + d_{m-1}+ ... + d_1\\
&\le & d'\times m = d' \times c \log |(x,n)| \le O(\log n)
\end{array}
$$
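The completeness and soundness steps of the proof above, together with the injectivity of \(f_u\), can be checked exhaustively on a toy modulus. This is an added example, not code from the paper: it assumes the usual commit/challenge/response round for quadratic residuosity (commitment \(z=v^2\), reply v or uv), uses the constructed modulus n = 77, and draws v from all units instead of the Kolmogorov-random strings the protocol requires, which cannot be computed.

```python
from math import gcd

N = 77  # constructed toy modulus 7 * 11, far too small for real use
UNITS = [a for a in range(1, N) if gcd(a, N) == 1]

def commit(v):
    """Prover's first message z = v^2 mod N."""
    return v * v % N

def respond(u, v, b):
    """Honest reply: v for challenge 0, f_u(v) = u*v for challenge 1."""
    return v if b == 0 else u * v % N

def verify(x, z, b, r):
    """Verifier accepts if r^2 = z (b = 0) or r^2 = z*x (b = 1) mod N."""
    return r * r % N == (z * x % N if b else z)

def honest_always_passes(u):
    """Completeness: knowing u with u^2 = x answers both challenges."""
    x = u * u % N
    return all(verify(x, commit(v), b, respond(u, v, b))
               for v in UNITS for b in (0, 1))

def answerable(x, z):
    """Set of challenges for which some reply r would be accepted."""
    return {b for b in (0, 1) if any(verify(x, z, b, r) for r in UNITS)}

def max_answerable(x):
    """Most challenges any single commitment z can satisfy for this x."""
    return max(len(answerable(x, z)) for z in UNITS)

def cheat_commit(x, v, guess):
    """Commitment prepared for one guessed challenge, without a witness."""
    return commit(v) if guess == 0 else commit(v) * pow(x, -1, N) % N

def f_u_is_injective(u):
    """f_u(v) = u*v mod N maps the units to distinct values."""
    return len({u * v % N for v in UNITS}) == len(UNITS)

if __name__ == "__main__":
    print(honest_always_passes(2))               # x = 4 is a square mod 77
    print(max_answerable(2))                     # x = 2 is not a square mod 77
    print(answerable(2, cheat_commit(2, 5, 1)))  # commitment built for guess 1
```

When x is not a square, every commitment satisfies at most one of the two challenges, which is the per-round factor 1/2 behind the \(2^{-m}\) bound.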

Next we provide the proof of Theorem 5.

Proof

Similarly to the proof presented for Protocol 2, perfect completeness follows from the fact that if \(\mathcal {P}\) is able to choose the permutations \(\pi \) as in the Protocol (for the existence of such permutations see below and Theorem 2), then, since \(H\in \mathbb {FHAM}\) and \(\mathcal {P}\) knows a Hamiltonian path, the Prover is able to fulfill both challenges of \(\mathcal {V}\), and hence the probability of \(\mathcal {P}\) convincing \(\mathcal {V}\) is 1.

On the other hand, if H is not Hamiltonian then, no matter what \(\mathcal {P}\) does, \(\mathcal {P}\) cannot fulfill both challenges of \(\mathcal {V}\). In particular, the best \(\mathcal {P}\) can do is to guess which challenge \(\mathcal {V}\) will give. The probability of correctly guessing the challenge and preparing the proper commitment for that challenge is 1/2. Hence, the probability of passing all the m rounds is \(2^{-m}\). Since m is logarithmic in |H|, \(2^{-m}\) is a polynomial in |H|.

Now we observe that at each round there are exponentially many strings \(\pi \) that can be chosen. Notice that any permutation \(\pi \) can be described with \(n\log n\) bits, where n is the number of vertices in H. Let \(\ell = n\log n\).

At round j, \(j-1\) strings have already been revealed, each of which is either a cycle or a permutation. Then the tuple \(\langle z_1,...,z_{j-1}\rangle \) has polynomial size in \(\ell \) and hence, by Theorem 2, for any constant d there are at least \(2^{\ell }-2^{\ell -e}\) permutations \(v\in \varSigma ^{\ell }\) such that \({\mathbf {K}}^t(\langle c_1,...,c_j\rangle |H,z_1,...,z_{j-1},\pi )\ge {\mathbf {K}}^t(\langle c_1,...,c_j\rangle |H,z_1,...,z_{j-1})-d\) for some constant e sufficiently large. On the other hand, since \(|\pi (c)|=\ell \), there are also \(2^{\ell }-2^{\ell -e}\) permutations \(v\in \varSigma ^{\ell }\) such that \({\mathbf {K}}^t(\langle c_1,...,c_j\rangle |H,z_1,...,z_{j-1},\pi (c))\ge {\mathbf {K}}^t(\langle c_1,...,c_j\rangle |H,z_1,...,z_{j-1})-d\) for some constant e sufficiently large. Then, again, there are \(2^\ell - 2^{\ell -e-1}\) possible permutations satisfying the conditions required in the protocol.

To complete the proof we have to show that the amount of information leaked about the paths is only logarithmic. So, for every path \(c_i\) that is a cycle in G we have

$$
\begin{array}{rcl}
{\mathbf {KC}}_{\mathcal {P},\mathcal {V}}^t(H,c_i) &=& \displaystyle \max _{c\in C}\big ({\mathbf {K}}^t(c_i|H)-{\mathbf {K}}^t(c_i|H,c_{\mathcal {P}\mathcal {V}})\big )\\
&\le & {\mathbf {K}}^t(c_i|H)- {\mathbf {K}}^t(c_i|H,z_1,...,z_{m-1}) + d_m\\
&\le & {\mathbf {K}}^t(c_i|H)- {\mathbf {K}}^t(c_i|H) + d_m + d_{m-1}+ ... + d_1\\
&\le & d'\times m = d' \times c \log |H| \le O(\log n)
\end{array}
$$

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this paper

Cite this paper

Souto, A., Antunes, L., Mateus, P., Teixeira, A. (2018). Witness Hiding Without Extractors or Simulators. In: Manea, F., Miller, R., Nowotka, D. (eds) Sailing Routes in the World of Computation. CiE 2018. Lecture Notes in Computer Science, vol 10936. Springer, Cham. https://doi.org/10.1007/978-3-319-94418-0_40

  • DOI: https://doi.org/10.1007/978-3-319-94418-0_40

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-94417-3

  • Online ISBN: 978-3-319-94418-0

  • eBook Packages: Computer Science (R0)
