The knowledge complexity of interactive proof-systems

TL;DR: Permission to copy without fee all or part of this material is granted provided that the copies arc not made or distributed for direct commercial advantage.

Abstract: Usually, a proof of a theorem contains more knowledge than the mere fact that the theorem is true. For instance, to prove that a graph is Hamiltonian it suffices to exhibit a Hamiltonian tour in it; however, this seems to contain more knowledge than the single bit Hamiltonian/non-Hamiltonian.In this paper a computational complexity theory of the “knowledge” contained in a proof is developed. Zero-knowledge proofs are defined as those proofs that convey no additional knowledge other than the correctness of the proposition in question. Examples of zero-knowledge proof systems are given for the languages of quadratic residuosity and 'quadratic nonresiduosity. These are the first examples of zero-knowledge proofs for languages not known to be efficiently recognizable.

Summary

FOR to m

• END FOR SEND "terminate" (just a string to finish off the protocol) to B. B's PROTOCOL ON INPUT (x, y).
• SEND "okay" (just a string to continue the protocol) to A, END FOR GET any string from A, and halt accepting.
• Hence, the probability that B will say "convinced" is at most 1/2".
• THEOREM 1. The above (A, B) protocol is a perfectly zero-knowledge proof system for QR.

EXPERIMENT

• All one can say is that BITi+I is assigned the value bit+l=f(x,y, H, v, U+l), where f is some (0, 1}-valued function computable in deterministic, polynomial time.the authors.
• Having characterized the view with the above experiment, the authors will now describe a probabilistic Turing machine M that, given (x,y)QR and a string H, runs in expected polynomial time, and such that its output distribution M((x, y), H) is exactly the same as V, above; that is, M((x, y), H) is the same as VieWA,B, ((X, y), H).
• M begins by choosing r equals a random bit string (of the appropriate length).

END DO

• Two things about M's program must be clarified.
• Say that both V and VI have been given the value v; the authors wish to show that the above piece of program code halts in expected time polynomial in m, with the same output distribution as the above experiment, given that V Consider the body of the DO loop up to but not including the last test.
• Lastly, the authors can see from the equivalent body that in the case where the DO loop halts, WI+I gets assigned a random square root of ui/ or of (u/ly), depending on bit,/t, as required.
• More formally, the authors proceed to describe first the protocol for B and then the protocol for A.
• This will have a negligible effect on the result and the authors omit any further details on this point.

Stage 2.

• Prior to their work, the theory of knowledge had received much attention in a model-theoretic framework (see [FHV] and [HM] for discussion).
• Galil, Haber, and Yung [GHY] proposed the following extension of the concept of a zero-knowledge interactive proof systems.
• Finally, let us mention the recent result of Fortnow.

Full text

SIAM
J.
COMPUT.
Vol.
18,
No.
1,
pp.
186-208,
February
1989
(C)
1989
Society
for
Industrial
and
Applied
Mathematics
012
THE
KNOWLEDGE
COMPLEXITY
OF
INTERACTIVE
PROOF
SYSTEMS*
SHAFI
GOLDWASSER,
SILVIO
MICALI,
AND
CHARLES
RACKOFF$
Abstract.
Usually,
a
proof
of
a
theorem
contains
more
knowledge
than
the
mere
fact
that
the
theorem
is
true.
For
instance,
to
prove
that
a
graph
is
Hamiltonian
it
suffices
to
exhibit
a
Hamiltonian
tour
in
it;
however,
this
seems
to
contain
more
knowledge
than
the
single
bit
Hamiltonian/non-Hamiltonian.
In
this
paper
a
computational
complexity
theory
of
the
"knowledge"
contained
in
a
proof
is
developed.
Zero-knowledge
proofs
are
defined
as
those
proofs
that
convey
no
additional
knowledge
other
than
the
correctness
of
the
proposition
in
question.
Examples
of
zero-knowledge
proof
systems
are
given
for
the
languages
of
quadratic
residuosity
and
quadratic
nonresiduosity.
These
are
the
first
examples
of
zero-
knowledge
proofs
for
languages
not
known
to
be
efficiently
recognizable.
Key
words,
cryptography,
zero
knowledge,
interactive
proofs,
quadratic
residues
AMS(MOS)
subject
classifications.
68Q15,
94A60
1.
Introduction.
It
is
often
regarded
that
saying
a
language
L
is
in
NP
(that
is,
acceptable
in
nondeterministic
polynomial
time)
is
equivalent
to
saying
that
there
is
a
polynomial
time
"proof
system"
for
L.
The
proof
system
we
have
in
mind
is
one
where
on
input
x,
a
"prover"
creates
a
string
a,
and
the
"verifier"
then
computes
on
x
and
a
in
time
polynomial
in
the
length
of
the
binary
representation
of
x
to
check
that
x
is
indeed
in
L.
It
is
reasonable
to
ask
if
there
is
a
more
general,
and
perhaps
more
natural,
notion
of
a
polynomial
time
proof
system.
This
paper
proposes
one
such
notion.
We
will
still
allow
the
verifier
only
polynomial
time
and
the
prover
arbitrary
computing
power,
but
will
now
allow
both
parties
to
flip
unbiased
coins.
The
result
is
a
probabilistic
version
of
NP,
where
a
small
probability
of
error
is
allowed.
However,
to
obtain
what
appears
to
be
the
full
generality
of
this
idea,
we
must
also
allow
the
prover
and
verifier
to
interact
(i.e.,
to
talk
back
and
forth)
and
to
keep
secret
their
coin
tosses.
We
call
these
proof
systems
"interactive
proof
systems."
This
notion
is
formally
defined
in
2,
where
we
also
define
what
it
means
for
a
language
to
have
an
interactive
proof
system.
It
is
far
from
clear
how
to
use
this
power
of
interaction.
Languages
with
non-
deterministic
polynomial
time
algorithms
or
with
probabilistic
polynomial
time
algorithms
have
proof
systems
with
little
or
no
interaction.
We
would
therefore
like
examples
of
languages
that
appear
to
have
neither
nondeterministic
nor
probabilistic
polynomial
time
algorithms,
and.
yet
have
interactive
proof
systems.
Although
we
do
not
present
any
such
examples
here,
there
are
now
examples
in
the
literature.
Using
ideas
from
an
initial
version
of
this
paper
[GMR]
Goldreich,
Micali,
and
Wigderson
[GMW]
have
shown
that
the
"graph
nonisomorphism"
language
has
an
interactive
Received
by
the
editors
August
26,
1985;
accepted
for
publication
(in
revised
form)
April
18,
1988.
A
preliminary
version
of
this
paper
appeared
in
the
Proceedings
of
the
27th
Annual
IEEE
Symposium
on
Foundations
of
Computer
Science,
1986,
pp.
174-187.
Editor’s
Note.
This
paper
was
originally
scheduled
to
appear
in
the
February
1988
Special
Issue
on
Cryptography
(SIAM
J.
Comput.,
17
(1988)).
t
Laboratory
for
Computer
Science,
Massachusetts
Institute
of
Technology,
Cambridge,
Massachusetts
02139.
The
work
of
these
authors
was
supported
by
National
Science
Foundation
grants
DCR-84-13577
and
DCR-85-09905.
Computer
Science
Department,
University
of
Toronto,
Toronto,
ONT
M5S
1A4
Canada.
The
work
of
this
author
was
supported
by
the
Natural
Sciences
and
Engineering
Research
Council
of
Canada
under
grant
A3611.
186

INTERACTIVE
PROOF
SYSTEMS
187
proof
system.
Independently
of
this
paper,
Babai
and
Szemeredi
[BS]
show
that
certain
matrix
group
problems
have
what
they
call
"Arthur-Merlin"
proof
systems,
which
immediately
implies
that
they
have
interactive
proof
systems.
In
fact,
the
notion
of
an
Arthur-Merlin
proof
system
consists
of
a
restricted
interactive
proof
system
in
which
the
prover
sees
the
coin
flips
of
the
verifier.
Nevertheless,
Goldwasser
and
Sipser
[GS]
have
shown
that
a
language
has
an
interactive
proof
system
if
and
only
if
it
has
an
Arthur-Merlin
proof
system.
It
appears,
however,
that
our
notion
of
interactive
proof
systems
generalizes
in
the
right
way
to
attack
a
novel
problem.
The
main
purpose
of
this
current
paper,
in
fact,
is
to
use
interactive
proof
systems
to
investigate
a
natural
question;
how
much
knowledge
is
transmitted
to
the
verifier
in
an
interactive
proof
system
for
L?
For
example,
consider
SAT,
the
NP-complete
language
of
satisfiable
sentences
of
the
propositional
calculus.
In
the
obvious
proof
system,
to
prove
F
e
SAT,
the
prover
gives
a
satisfying
assignment
I
for
the
formula
F,
which
the
verifier
then
checks
in
polynomial
time.
This
assignment
gives
the
verifier
much
more
knowledge
than
merely
the
fact
that
F
e
SAT;
it
also
gives
a
satisfying
assignment.
At
the
other
extreme,
every
language
that
can
be
accepted
in
probabilistic
polynomial
time
has
a
proof
system
in
which
the
prover
does
nothing,
and
hence
gives
no
knowledge
to
the
verifier.
We
say
an
interactive
proof
system
for
L
is
zero-knowledge
if
for
each
x
e
L,
the
prover
tells
the
verifier
essentially
nothing,
other
than
that
x
e
L;
this
should
be
the
case
even
if
the
verifier
chooses
not
to
follow
the
proof
system
but
instead
tries
(in
polynomial
time)
to
trick
the
prover
into
revealing
something.
The
notion
of
zero-
knowledge
is
formally
defined
in
3.
This
definition
is
an
important
contribution
of
this
paper.
The
main
technical
contributions
of
this
paper
are
the
proofs
in
5
and
6
that
the
languages
QR
and
QNR
(defined
below)
both
have
zero-knowledge
interactive
proof
systems.
These
are
the
first
zero-knowledge
protocols
demonstrated
for
languages
not
known
to
be
recognizable
in
probabilistic
polynomial
time.
To
understand
the
languages
QR
and
QNR,
it
helps
to
read
the
(brief)
number
theory
background
given
in
4.
However,
for
now,
let
x,
y
be
integers,
0<
y
<x,
such
that
gcd
(x,
y)
1;
we
say
that
y
is
a
quadratic
residue
mod
x
if
y
z
2
mod
x
for
some
z;
if
not,
we
say
that
y
is
a
quadratic
nonresidue
mod
x.
We
define
QR=
{(x,
Y)IY
is
a
quadratic
residue
mod
x},
and
QNR=
{(x,
Y)IY
is
a
quadratic
nonresidue
mod
x}.
(Actually,
QNR
will
be
defined
slightly
differently
in
4.)
Both
QR
and
QNR
are
in
NP,
and
thus
possess
an
elementary
proof
system.
For
instance,
to
prove
membership
in
Q
NR,
the
prover
just
sends
x’s
factorization.
But
looking
ahead
to
zero-knowledge
proof
systems,
let
us
discuss
a
more
interesting
example
of
a
proof
system
for
QNR.
Example
1.
Let
us
call
the
prover
A
and
the
verifier
B.
Say
that
the
input
is
(x,
y).
Let
n
Ixl,
where
]xl
is
the
length
of
the
binary
representation
of
x.
We
will
now
describe
(omitting
some
details)
an
interactive
proof
system
for
Q
NR.
B
begins
by
flipping
coins
to
obtain
random
bits
bl,
b2,’"
",
b,.
B
then
flips
additional
coins
to
obtain
a
string
a,
from
which
B
computes
zl,
z2,.
,
zn
such
that
each
zi
is
a
random
z,
0<
z
<
x,
gcd
(x,
z)=
1.
B
then
computes
wl,
w,...,
wn
as
follows"
for
each
i,
if
2
bi=0thenw
zimodx;ifb
lthenw=(zy)
modx.
Bthensendsw,w2,
.,w,
to
A.
For
each
i,
A
computes
(somehow)
whether
or
not
wi
is
a
quadratic
residue
mod
x,
and
sends
B
a
sequence
of
bits
c,
c2,"
",
cn,
where
c
0
if
and
only
if
wi
is
a
quadratic
residue
mod
x.
B
checks
if
b
c
for
every
i,
and
if
so
is
"convinced"
that
(x,
y)
QNR.

188
S.
GOLDWASSER,
S.
MICALI,
AND
C.
RACKOFF
It
is
not
hard
to
see
that
if
(x,
y)
QNR
and
both
parties
follow
the
protocol,
then
B
will
become
"convinced."
On
the
other
hand,
if
y
is
a
quadratic
residue
mod
x,
then
so
is
each
wi,
and
every
value
for
wi
is
equally
likely;
since
A
does
not
see
the
sequence
{b},
the
probability
that
every
c
b
(and
hence
that
B
will
be
convinced)
is
2
-n.
So
this
is
an
interactive
proof
system
for
QNR.
Let
us
now
address
the
question
of
how
much
knowledge
A
may
release.
It
is
an
interesting
question
how
zero-knowledge
should
be
defined.
If
the
prover
is
trying
to
prove
to
the
verifier
that
y
is
a
quadratic
residue
mod
x,
then
certainly
the
verifier
should
not
be
able
to
trick
the
prover
into
revealing
a
square
root
of
y
mod
x,
or
the
factorization
of
x,
or
any
information
which
would
help
the
verifier
to
compute
these
things
much
faster
than
before.
In
fact,
the
prover
should
not
reveal
anything
which
would
help
the
verifier
compute
anything
much
faster
than
before.
The
way
to
state
this
formally
seems
to
be
that
what
the
verifier
sees
in
the
protocol
(even
if
he
cheats)
should
be
something
which
the
verifier
could
have
computed
for
himself,
merely
from
the
fact
that
(x,
y)
QNR.
Of
course,
what
the
verifier
sees
in
the
protocol
is
really
a
probability
distribution.
Thus,
zero-knowledge
means
that
one
can
compute
in
polynomial
time,
from
(x,
y)
QNR,
without
a
prover,
the
same
(or
almost
the
same)
probability
distribution
that
the
verifier
would
see
with
the
prover.
This
is
defined
formally
in
3.
Here,
let
us
informally
discuss
whether
the
above
interactive
proof
system
for
QNR
is
zero-knowledge.
Consider
a
pair
(x,
y)
QNR,
and
say
that
A
follows
the
protocol.
Can
B
obtain
any
additional
knowledge?
For
the
moment,
assume
that
B
follows
the
protocol.
B
"sees"
[{b},
a,
{wi},
{c}]
distributed
according
to
a
particular
distribution.
Without
any
help
from
a
prover,
we
can
quickly
generate
a
random
string
according
to
this
distribution:
just
choose
{b}
and
a
randomly,
and
then
compute
{w}
from
them;
then
compute
c
bi
for
each
i.
Now
what
if
B
were
to
cheat?
B
could
begin
by
setting
wl
42,
and
then
behave
correctly.
Consider
now
the
induced
distribution
on
[{bi},
c,
{wi},
{c}];
in
order
to
compute
a
random
member
of
it
(without
help
from
a
prover),
we
must
compute
whether
or
not
42
is
a
quadratic
residue
x,
given
x
and
a
quadratic
nonresidue
y.
At
this
time
it
is
not
known
how
to
compute
this
in
polynomial
time,
so
this
proof
system
may
not
be
zero-knowledge.
A
zero-knowledge
proof
system
for
QNR
is
given
in
6.
The
ideas
of
this
proof
system
partially
come
from
the
secret
exchanging
protocol
of
Luby,
Micali,
and
Rackoff
[LMR]
and
are
useful
there
as
well.
They
have
also
proved
useful
in
the
oblivious
transfer
protocol
of
Fischer,
Micali,
Rackoff,
and
Witenberg
[FMRW]
and
for
the
identification
scheme
of
Feige,
Fiat,
and
Shamir
[FFS].
These
ideas
have
also
helped
Goldreich,
Micali,
and
Wigderson
[GMW]
to
show
that
the
languages
of
"graph
isomorphism"
and
"graph
nonisomorphism"
have
zero-knowledge
interactive
proof
systems.
Although
we
find
the
idea
of
a
zero-knowledge
interactive
proof
system
fascinating
in
itself,
the
main
motivation
for
it
and
the
main
applications
of
it
are
in
the
area
of
cryptographic
protocols.
For
example,
in
the
secret
exchanging
protocol
in
[LMR],
one
person
wishes
to
exchange
a
secret
with
another
without
giving
away
any
additional
knowledge.
Ideas
similar
to
those here
must
be
used
to
even
define
this
concept.
More
generally,
however,
it
often
arises
at
some
point
in
a
protocol
that
A
wishes
to
convince
B
of
some
fact.
Say
that
we
know
that
the
protocol
would
be
secure
if
at
this
point
an
angel
or
someone
B
trusted
were
to
tell
B
(truthfully)
if
A
is
telling
the
truth.
We
want
the
notion
of
zero-knowledge
to
be
such
that
an
appropriate
zero-
knowledge
interactive
proof
system
could
be
inserted
at
this
point
instead
of
the
trusted

INTERACTIVE
PROOF
SYSTEMS
189
party,
and
the
whole
protocol
would
remain
secure.
(Of
course,
A
would
have
to
possess
some
additional
information
enabling
her
to
implement
the
part
of
the
prover
efficiently.)
In
particular
instances,
we
can
prove
that
such
substitution
works,
but
a
general
framework
for
discussing
protocols
must
exist
before
the
general
theorem
can
even
be
stated.
However,
based
on
intuition
and
experience,
the
authors
(and
many
others
who
have
studied
these
ideas
since
their
initial
appearance)
believe
that
the
definition
of
zero-knowledge
proposed
here
has
the
required
properties.
The
most
important
development
since
these
results
first
appeared
is
the
proof
by
Goldreich,
Micali,
and
Wigderson
[GMW]
that,
subject
to
a
common
complexity
theory
assumption,
every
language
in
NP
has
a
zero-knowledge
interactive
proof
system.
These
proof
systems
for
NP
languages
appear
to
have
applications
in
just
about
every
protocol
problem.
It
is
almost
certain
that
these
results
will
vastly
simplify
distributed
cryptographic
protocol
design
in
the
future,
as
demonstrated
by
the
powerful
results
of
[GMW2].
2.
Interactive
proof
systems.
Intuitively,
what
should
we
require
from
an
efficient
theorem-proving
procedure
?
(1)
That
it
should
be
possible
to
"prove"
a
true
theorem.
(2)
That
it
should
not
be
possible
to
"prove"
a
false
theorem.
(3)
That
communicating
the
"proof"
should
be
efficient.
Namely,
regardless
of
how
much
time
it
takes
to
come
up
with
the
proof,
its
correctness
should
be
efficiently
verified.
The
NP
formalization
of
the
concept
of
an
efficient
proof
system
captures
one
way
of
communicating
a
proof.
In
this
section,
we
will
generalize
the
NP
proof
system
to
capture
a
more
general
way
of
communicating
a
proof.
The
verifier
will
be
a
probabilistic
polynomial
time
(in
the
length
of
the
common
input)
machine
that
is
able
to
exchange
messages
(strings)
with
the
prover.
At
the
same
time
that
we
introduce
probability
into
the
proof
system,
we
relax
the
classical
notion
of
a
"proof."
Our
verifier
may
erroneously
be
convinced
of
the
truth
of
a
proposition
with
a
very
small
probability
of
error
(less
than
n
-k
for
each
positive
constant
k
and
all
sufficiently
large
input-sizes
n).
We
proceed
to
formally
define
the
new
system.
2.1.
Interactive
Turing
machines
and
protocols.
DEFINITION.
An
interactive
Turing
machine
(ITM)
is
a
Turing
machine
equipped
with
a
read-only
input
tape,
a
work
tape,
a
random
tape,
one
read-only
communication
tape,
and
one
write-only
communication
tape.
The
random
tape
contains
an
infinite
sequence
of
random
bits,
and
can
be
scanned
only
from
left
to
right.
We
say
that
an
interactive
machine
flips
a
coin,
meaning
that
it
reads
the
next
bit
in
its
own
random
tape.
[RANDO,
M
TAPE
[INPUT[
[RANDOM
TAPE
R
..R
R
R
FIG.
1.
An
interactive
protocol.
denotes
a
read
write
head,
R
a
read-only
head,
W
a
write-only
head.

190
S.
GOLDWASSER,
S.
MICALI,
AND
C.
RACKOFF
DEFINITION.
An
interactive
protocol
is
an
ordered
pair
of
ITM’s
A
and
B
such
that
A
and
B
share
the
same
input
tape,
B’s
write-only
communication
tape
is
A’s
read-only
communication
tape
and
vice
versa.
Machine
A
is
not
computationally
bounded,
while
machine
B’s
computation
time
is
bounded
by
a
polynomial
in
the
length
of
the
common
input.
The
two
machines
take
turns
in
being
active,
with
B
being
active
first.
During
an
active
stage
machine
A(B)
first
performs
some
internal
computa-
tion
using
its
input
tape,
work
tapes,
communication
tape
and
random
tape;
and,
second,
it
writes
a
string
(for
B(A))
on
its
write-only
communication
tape.
The
ith
message
of
A(B)
is
the
entire
string
that
A(B)
writes
on
its
communication
tape
during
its
ith
active
stage.
As
soon
as
machine
A(B)
writes
its
message,
it
is
deactivated
and
machine
B
(A)
becomes
active,
unless
the
protocol
has
been
terminated.
Either
machine
can
terminate
the
computation
of
the
protocol
by
not
sending
any
message
in
an
active
stage.
Machine
B
accepts
(or
rejects)
the
input
by
outputting
accept
(or
reject)
and
terminating
the
protocol.
The
computation
time
of
machine
B
is
the
sum
of
the
B’s
computation
time
during
its
active
stages,
and
it
is
this
time
that
is
bounded
by
a
polynomial
in
the
length
of
the
input,
denoted
Ix
I.
2.2.
Interactive
proof
systems.
DEFINITION.
Let
L
be
a
language
over
{0,
1)*.
Let
(A,
B)
be
an
interactive
protocol.
We
say
that
(A,
B)
is
an
interactive
proof
system
for
L
if
we
have
the
following:
(1)
For
each
k,
for
sufficiently
large
x
in
L
given
as
input
to
(A,
B),
B
halts
and
accepts
with
probability
at
least
1-Ix[
-k.
(The
probabilities
here
are
taken
over
the
coin
tosses
of
A
and
B.)
(2)
For
each
k,
for
sufficiently
large
x
not
in
L,
for
any
ITM
A’,
on
input
x
to
(A’,
B),
B
accepts
with
probability
at
most
Ix]
-k.
(The
probabilities
here
are
taken
over
the
coin
tosses
of
A’
and
B.)
Remark
1.
The
above
probability
of
error
can
be
decreased,
say
to
smaller
than
2
-Ixl,
by
the
standard
technique
of
repeating
the
protocol
many
times
and
choosing
to
accept
by
majority
vote.
We
now
argue
that
this
definition
captures
what
we
intuitively
want
from
an
efficient
proof
system.
Condition
(1)
essentially
says
that,
if
x
L,
B
will
accept
with
overwhelming
probability.
Condition
(2)
says
that,
if
x
is
not
in
L,
there
exists
no
strategy
that
succeeds
with
nonnegligible
probability
for
convincing
B
to
accept.
In
fact,
B
needs
not
to
trust
(or
know
the
program
of)
the
machine
with
which
it
is
interacting.
It
is
enough
for
B
to
trust
the
randomness
of
its
own
coin
tosses.
Similar
to
the
NP
proof
system,
note
that
the
definition
of
an
interactive
proof
system
for
a
language
emphasizes
the
"yes-instances":
when
a
string
is
in
the
language,
B
must
be
led
to
acceptance
with
high
probability,
but
when
a
string
is
not
in
the
language
A
is
not
required
to
convince
B
of
the
contrary.
A
more
general
version
of
the
above
definition
is
where
A
is
not
a
Turing
machine,
but
an
infinite
state
machine.
However
it
has
been
shown
by
Feldman
in
IF]
that
this
adds
no
extra
power
to
the
model.
In
fact,
he
shows
that
with
respect
to
language
recognition
it
is
sufficient
for
A
to
be
a
deterministic
PSPACE
machine.
The
fact
that
A
is
probabilistic
is
of
importance
to
the
more
subtle
definition
of
zero-knowledge,
which
is
given
in
the
next
section.
We
define
IP,
Interactive
Polynomial
time,
to
be
the
class
of
languages
for
which
there
exists
interactive
proof
systems.
The
first
examples
of
a
language
in
IP
but
not
known
to
be
in
NP
have
been
exhibited
by
Babai
and
Szemeredi
[BS].
Their
examples
are
"matrix
group
nonmembership"
and
"matrix
group
order,"
where
the
matrix
groups
over
finite
fields
are
represented
by
a
list
of
generator
matrices.
The
other,
more
well-known
example