This preview shows page 1. Sign up to view the full content.
Unformatted text preview: s a 1, she opens the solution she committed to in step (2) and proves that it is a solution to the new problem. (5) Peggy publishes all the commitments from step (2) as well as the solutions in step (4). (6) Victor or Carol or whoever else is interested, verifies that steps (1) through (5) were executed properly. This is amazing: Peggy can publish some data that contains no information about her secret, but can be used to convince anyone of the secret’s existence. The protocol can also be used for digital signature schemes, if the challenge is set as a one-way hash of both the initial messages and the message to be signed. This works because the one-way hash function acts as an unbiased random-bit generator. For Peggy to cheat, she has to be able to predict the output of the one-way hash function. (Remember, if she doesn’t know the solution to the hard problem, she can do either (a) or (b) of step (4), but not both.) If she somehow knew what the one-way hash function would ask her to do, then she could cheat. However, there is no way for Peggy to force the one-way function to produce certain bits or to guess which bits it will produce. The one-way function is, in effect, Victor’s surrogate in the protocol—randomly choosing one of two proofs in step (4). In a noninteractive protocol, there must be many more iterations of the challenge/reply sequence. Peggy, not Victor, picks the hard problems using random numbers. She can pick different problems, hence different commitment vectors, till the hash function produces something she likes. In an interactive protocol, 10 iterations—a probability of 1 in 210 (1 in 1024) that Peggy can cheat—may be fine. However, that’s not enough for noninteractive zero-knowledge proofs. Remember that Mallory can always do either (a) or (b) of step (4). He can try to guess which he will be asked to do, go through steps (1) through (3), and see if he guessed right. If he didn’t, he can try again—repeatedly. Making 1024 guesses is easy on a computer. To prevent this brute-force attack, noninteractive protocols need 64 iterations, or e...
View Full Document
- Fall '10