Add to collection(s) Add to saved
  1. No category

Problem Set 1 1

advertisement 
6.897: Selected Topics In Cryptography
Canetti
Problem Set 1
February 27, 2004
Due: March 12, 2004
1 Question 1: Equivalence of Zero-Knowledge arguments of knowl­
edge and protocols for realizing ���
Recall the definition of Zero-Knowledge Proofs of Knowledge (ZKPoK) protocols, as it appears on the slides
for lecture 3. Here we’re considering two-party protocols where one party (� , the prover) gets input �� �
and the other party (� , the verifier) gets no input. The notation � �� � � means (the random vari­
able describing) the outputs of � and � from an interaction where � runs on input � and � runs on in­
put � . � �� � � descrives the output of � , and � �� � � � described the output of � . (That is,
� �� � � � � �� � � � � �� � � � ).
Definition 1 Let �� be a binary relation. A protocol for �� � is a ZKPoK protocol for � if the following
holds:
Completeness: If � and � follow the protocol then � �� �� � �
probability.
� �� ��� � except with negligible
Soundness (PoK): For any “cheating prover � ” there exists an “extractor” � such that for all � we have
� � � �� � � � where �� � � �� � � � � � � � . Here “�” means “computationally
indistinguishable” as defined in class.
Zero-Knowledge: For any “cheating verifier” � there exists a “simulator” � such that for all inputs
�� �� � we have � �� ��� �� � � � �� �� � � � .
1.1 Relation to the standard notion of ZK
Show how to construct, given a protocol � that is ZKPoK for � as defined above, a protocol � � that is ZK
using the standard notion (i.e., where both parties are guaranteed to get the same public input �), without any
additional computational assumptions. For this purpose, you can you any standard definition of ZK (e.g. the
definitions in Oded Goldreich’s book).
1.2 Relation to the standard notion of PoK
Is the protocol � � constructed above a PoK using standard notions (say, the notion in Oded’s book)? If not,
how can the above notion of ZKPoK be changed so that � will become a PoK according to standard notions?
1.3 Equivalence with realizing ���
� denote the two party function � � �� �� �� � � �� �� ��� �� �.
Let � by a binary relation, and let � ��
��
� according to
Show that a protocol is a ZKPoK for � as defined here if and only if it securely evaluates � ��
the basic definition.
2 Question 2: Universal composition of arbitrary functionalities.
The universal composition theorem was proven in class only for the case where the ideal functionality is PPT.
Prove or disprove: The universal composition theorem holds for all ideal functionalities, even ones that are
not PPT.
1-1
Related documents
Document13469168 13469168
Document13469168 13469168
Memoryless Property
Memoryless Property
UNIVERSITY OF DUBLIN TRINITY COLLEGE
UNIVERSITY OF DUBLIN TRINITY COLLEGE
Massachusetts Institute of Technology
Massachusetts Institute of Technology
PROBLEM SET III “BY EDWARD NASHTON” f
PROBLEM SET III “BY EDWARD NASHTON” f
The Exponential Function
The Exponential Function
Questions for Reading Response #3
Questions for Reading Response #3
October 29, 2015 Meliksah University School of Economics and
October 29, 2015 Meliksah University School of Economics and
IEOR 151 – L 1 P R 1
IEOR 151 – L 1 P R 1
Document13546077 13546077
Document13546077 13546077
Agents, Actions and Goals in Dynamic Environments
Agents, Actions and Goals in Dynamic Environments
Cartesian Products and Relations Definition (Cartesian product) If A
Cartesian Products and Relations Definition (Cartesian product) If A
On Notions of Causality and Distributed Knowledge Ron van der Meyden
On Notions of Causality and Distributed Knowledge Ron van der Meyden
Download
advertisement