|
In cryptography, a proof of knowledge is an interactive proof in which the prover succeeds 'convincing' a verifier that the prover knows something. What it means for a machine to 'know something' is defined in terms of computation. A machine 'knows something', if this something can be computed, given the machine as an input. As the program of the prover does not necessarily spit out the knowledge itself (as is the case for zero-knowledge proofs〔Shafi Goldwasser, Silvio Micali, and Charles Rackoff. (The knowledge complexity of interactive proof-systems ). ''Proceedings of 17th Symposium on the Theory of Computation'', Providence, Rhode Island. 1985. Draft. (Extended abstract )〕) a machine with a different program, called the knowledge extractor is introduced to capture this idea. We are mostly interested in what can be proven by polynomial time bounded machines. In this case the set of knowledge elements is limited to a set of witnesses of some language in NP. Let be a language element of language in NP, and the set of witnesses for x that should be accepted in the proof. This allows us to define the following relation: . A proof of knowledge for relation with knowledge error is a two party protocol with a prover and a verifier with the following two properties: # Completeness: if , the prover P who knows witness for succeeds in convincing the verifier of his knowledge. More formally: # Validity: Validity requires that the success probability of a knowledge extractor in extracting the witness, given oracle access to a possibly malicious prover , must be at least as high as the success probability of the prover in convincing the verifier. This Property guarantees that no prover that doesn't know the witness can succeed in convincing the verifier. ==Details on the definition== This is a more rigorous definition of Validity:〔Mihir Bellare, Oded Goldreich: (On Defining Proofs of Knowledge ). CRYPTO 1992: 390–420〕 Let be a witness relation, the set of all witnesses for public value , and the knowledge error. A proof of knowledge is -valid if there exists a polynomial-time machine , given oracle access to , such that for every , it is the case that and The result signifies that the Turing machine did not come to a conclusion. The knowledge error denotes the probability that the verifier might accept , even though the prover does in fact not know a witness . The knowledge extractor is used to express what is meant by the knowledge of a Turing machine. If can extract from , we say that knows the value of . This definition of the validity property is a combination of the validity and strong validity properties in.〔 For small knowledge errors , such as e.g. or it can be seen as being stronger than the soundness of ordinary interactive proofs. 抄文引用元・出典: フリー百科事典『 ウィキペディア(Wikipedia)』 ■ウィキペディアで「Proof of knowledge」の詳細全文を読む スポンサード リンク
|