In cryptography, a proof of knowledge is an interactive proof in which the prover succeeds in 'convincing' a verifier that the prover knows something. What it means for a machine to 'know something' is defined in terms of computation. A machine 'knows something', if this something can be computed, given the machine as an input. As the program of the prover does not necessarily spit out the knowledge itself (as is the case for zero-knowledge proofs[1]) a machine with a different program, called the knowledge extractor is introduced to capture this idea. We are mostly interested in what can be proven by polynomial time bounded machines. In this case the set of knowledge elements is limited to a set of witnesses of some language in NP.
Let
x
L
W(x)
R=\{(x,w):x\inL,w\inW(x)\}
A proof of knowledge for relation
R
\kappa
P
V
(x,w)\inR
P
w
x
V
\Pr(P(x,w)\leftrightarrowV(x) → 1)=1
E
\tildeP
\tildeP
This is a more rigorous definition of Validity:[2]
Let
R
W(x)
x
\kappa
\kappa
E
\tildeP
\tildeP
E\tilde(x)\inW(x)\cup\{\bot\}
\Pr(E\tilde(x)\inW(x))\geq\Pr(\tildeP(x)\leftrightarrowV(x) → 1)-\kappa(x).
The result
\bot
E
The knowledge error
\kappa(x)
V
x
w
E
E
w
\tildeP
\tildeP
w
This definition of the validity property is a combination of the validity and strong validity properties.[2] For small knowledge errors
\kappa(x)
2-80
1/poly(|x|)
In order to define a specific proof of knowledge, one need not only define the language, but also the witnesses the verifier should know. In some cases proving membership in a language may be easy, while computing a specific witness may be hard. This is best explained using an example:
Let
\langleg\rangle
g
L=\{x\midgw=x\}
x
\langleg\rangle
w
gw=x
Gq
q
g
In order to prove knowledge of
x=loggy
r
t=gr
c
c
s=r+cx
The verifier accepts, if
gs=tyc
We can see this is a valid proof of knowledge because it has an extractor that works as follows:
t=gr
Q
c1
s1=r+c1x
Q
c2
s2=r+c2x
(s1-s2)(c1-c
| -1 | |
| 2) |
Since
(s1-s2)=(r+c1x)-(r+c2x)=x(c1-c2)
x
This protocol happens to be zero-knowledge, though that property is not required for a proof of knowledge.
Protocols which have the above three-move structure (commitment, challenge and response) are called sigma protocols.[4] The naming originates from Sig, referring to the zig-zag symbolizing the three moves of the protocol, and MA, an abbreviation of "Merlin-Arthur".[5] Sigma protocols exist for proving various statements, such as those pertaining to discrete logarithms. Using these proofs, the prover can not only prove the knowledge of the discrete logarithm, but also that the discrete logarithm is of a specific form. For instance, it is possible to prove that two logarithms of
y1
y2
g1
g2
Zq
x1
x2
y1=
| x1 | |
| g | |
| 1 |
\landy2=g
| x2 | |
| 2 |
x2=ax1+b
x2
x1
y1=
| x | |
| g | |
| 1 |
\landy2={(g
| a)} | |
| 2 |
x
| b | |
| g | |
| 2 |
This is the intuition behind the following notation,[6] which is commonly used to express what exactly is proven by a proof of knowledge.
PK\{(x):y1=
| x | |
| g | |
| 1 |
\landy2={(g
| a)} | |
| 2 |
x
| b | |
| g | |
| 2 |
\},
states that the prover knows an x that fulfills the relation above.
Proofs of knowledge are useful tool for the construction of identification protocols, and in their non-interactive variant, signature schemes. Such schemes are:
They are also used in the construction of group signature and anonymous digital credential systems.