U.C. Berkeley — CS276: Cryptography
Commitment Schemes; ZK continued
Professors Luca Trevisan and David Wagner
3/14/02 – Scribe: Kenji Obata
Commitment Schemes; ZK continued
1
Zero Knowledge Protocol for 3Coloring
Last time, we saw the following zero knowledge protocol for proving graph 3colorability:
1. Prover randomly permutes the colors in his graph coloring. For each vertex
v
,h
e
sends to Veri±er a “lockbox” containing the color of
v
(the lockbox has the property
that Prover cannot modify its contents once sent, and Veri±er cannot see its contents,
without the lockbox key).
2. Veri±er randomly selects an edge (
u, v
)
∈
E
and sends this to Prover.
3. Prover checks that (
u, v
)
∈
E
and sends the lockbox keys for vertices
u
and
v
to
Veri±er.
4. Veri±er uses the keys to unlock boxes
u
and
v
and checks that the colors inside are
indeed distinct.
For this to be a valid proof system for 3colorability, we need to establish:
Completeness:
Obvious.
Soundness:
Suppose that Prover attempts to prove 3colorability for a non3colorable
graph
G
. Then there exists at least one edge (
u, v
)
∈
E
such that
u
and
v
have the same
color. Veri±er will select such an edge with probability at least 1
/m
in step 2 and therefore
detect the violation in step 4. By iterating the protocol, say,
km
times, Veri±er can achieve
a soundness probability
≈
1
/e
k
.
To (informally) establish zero knowledge, we de±ne a simulator as follows: Simulator
simply guesses the edge (
u, v
) which the veri±er will ask in step 2. In step 1, Simulator
sends all empty boxes for vertices
i
6
=
u, v
, and sends two random distinct colors in the boxes
for
u
and
v
. If Veri±er happens to ask for (
u, v
)ins
tep2
,thenthere
su
l
t
ingin
te
rac
t
This preview has intentionally blurred sections. Sign up to view the full version.
View Full DocumentCommitment Schemes; ZK continued
2
2
Commitment Schemes
Informally, a
bit commitment scheme
is a twoparty protocol in which Alice is able to send
the digital equivalent of a lockbox containing an input
b
∈{
0
,
1
}
to Bob. At the end of
the Frst,
commitment phase
of the protocol, a particular value of
b
is Fxed and Alice and
Bob have interacted in such a way that Bob has little or no information about the value
of
b
(the
hiding property
). In the second,
disclose phase
of the protocol, the value of
b
is
revealed to Bob. ±urthermore, Bob is able to detect whether the value of
b
revealed to him
is the same value to which Alice committed in the commitment phase of the protocol (the
binding property
).
Some examples of bit commitment schemes:
This is the end of the preview.
Sign up
to
access the rest of the document.
 Spring '02
 Trevisan
 Cryptography, Commitment scheme, Alice, Zeroknowledge proof, commitment schemes

Click to edit the document details