Mar 14 notes

A Concrete Introduction to Higher Algebra, 2nd Edition

Info iconThis preview shows pages 1–3. Sign up to view the full content.

View Full Document Right Arrow Icon
U.C. Berkeley — CS276: Cryptography Commitment Schemes; ZK continued Professors Luca Trevisan and David Wagner 3/14/02 – Scribe: Kenji Obata Commitment Schemes; ZK continued 1 Zero Knowledge Protocol for 3-Coloring Last time, we saw the following zero knowledge protocol for proving graph 3-colorability: 1. Prover randomly permutes the colors in his graph coloring. For each vertex v ,h e sends to Veri±er a “lockbox” containing the color of v (the lockbox has the property that Prover cannot modify its contents once sent, and Veri±er cannot see its contents, without the lockbox key). 2. Veri±er randomly selects an edge ( u, v ) E and sends this to Prover. 3. Prover checks that ( u, v ) E and sends the lockbox keys for vertices u and v to Veri±er. 4. Veri±er uses the keys to unlock boxes u and v and checks that the colors inside are indeed distinct. For this to be a valid proof system for 3-colorability, we need to establish: Completeness: Obvious. Soundness: Suppose that Prover attempts to prove 3-colorability for a non-3-colorable graph G . Then there exists at least one edge ( u, v ) E such that u and v have the same color. Veri±er will select such an edge with probability at least 1 /m in step 2 and therefore detect the violation in step 4. By iterating the protocol, say, km times, Veri±er can achieve a soundness probability 1 /e k . To (informally) establish zero knowledge, we de±ne a simulator as follows: Simulator simply guesses the edge ( u, v ) which the veri±er will ask in step 2. In step 1, Simulator sends all empty boxes for vertices i 6 = u, v , and sends two random distinct colors in the boxes for u and v . If Veri±er happens to ask for ( u, v )ins tep2 ,thenthere su l t ingin te rac t
Background image of page 1

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full Document Right Arrow Icon
Commitment Schemes; ZK continued 2 2 Commitment Schemes Informally, a bit commitment scheme is a two-party protocol in which Alice is able to send the digital equivalent of a lockbox containing an input b ∈{ 0 , 1 } to Bob. At the end of the Frst, commitment phase of the protocol, a particular value of b is Fxed and Alice and Bob have interacted in such a way that Bob has little or no information about the value of b (the hiding property ). In the second, disclose phase of the protocol, the value of b is revealed to Bob. ±urthermore, Bob is able to detect whether the value of b revealed to him is the same value to which Alice committed in the commitment phase of the protocol (the binding property ). Some examples of bit commitment schemes:
Background image of page 2
Image of page 3
This is the end of the preview. Sign up to access the rest of the document.

{[ snackBarMessage ]}

Page1 / 5

Mar 14 notes - U.C Berkeley CS276 Cryptography Professors...

This preview shows document pages 1 - 3. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online