|Previous||Table of Contents||Next|
An example might go a long way to explain this concept; this one comes from graph theory [619,622]. A graph is a network of lines connecting different points. If two graphs are identical except for the names of the points, they are called isomorphic. For an extremely large graph, finding whether two graphs are isomorphic can take centuries of computer time; its one of those NP-complete problems discussed in Section 11.1.
Assume that Peggy knows the isomorphism between the two graphs, G1 and G2. The following protocol will convince Victor of Peggys knowledge:
If Peggy does not know an isomorphism between G1 and G2, she cannot create graph H which is isomorphic to both. She can create a graph that is either isomorphic to G1 or one that is isomorphic to G2. Like the previous example, she has only a 50 percent chance of guessing which proof Victor will ask her to perform in step (3).
This protocol doesnt give Victor any useful information to aid him in figuring out an isomorphism between G1 and G2. Because Peggy generates a new graph H for each round of the protocol, he can get no information no matter how many rounds they go through the protocol. He wont be able to figure out an isomorphism between G1 and G2 from Peggys answers.
In each round, Victor receives a new random permutation of H, along with an isomorphism between H and either G1 or G2. Victor could just as well have generated this by himself. Because Victor can create a simulation of the protocol, it can be proven to be zero-knowledge.
A variant of this example was first presented by Manuel Blum . Peggy knows a circular, continuous path along the lines of a graph that passes through each point exactly once. This is called a Hamiltonian cycle. Finding a Hamiltonian cycle is another hard problem. Peggy has this piece of informationshe probably got it by creating the graph with a certain Hamiltonian cycleand this is what she wants to convince Victor that she knows.
Peggy knows the Hamiltonian cycle of a graph, G. Victor knows G, but not the Hamiltonian cycle. Peggy wants to prove to Victor that she knows this Hamiltonian cycle without revealing it. This is how she does it:
If Peggy is honest, she can provide either proof in step (4) to Victor. However, if she does not know a Hamiltonian cycle for G, she cannot create an encrypted graph H´ which can meet both challenges. The best she can do is to create a graph that is either isomorphic to G or one that has the same number of points and lines and a valid Hamiltonian cycle. While she has a 50 percent chance of guessing which proof Victor will ask her to perform in step (3), Victor can repeat the protocol enough times to convince himself that Peggy knows a Hamiltonian cycle for G.
Parallel Zero-Knowledge Proofs
The basic zero-knowledge protocol involves n exchanges between Peggy and Victor. Why not do them all in parallel:
Unfortunately, its not that simple. This protocol does not have the same zero-knowledge properties as the previous protocol. In step (4), Victor can choose the challenges as a one-way hash of all the values committed to in the second step, thus making the transcript nonsimulatable. It is still zero-knowledge, but of a different sort. It seems to be secure in practice, but no one knows how to prove it. We do know that in certain circumstances, certain protocols for certain problems can be run in parallel while retaining their zero-knowledge property [247,106,546,616].
|Previous||Table of Contents||Next|