
Zero-Knowledge Proof Systems

Definition 2.6.1 (Perfect/Statistical/Computational Zero Knowledge). An interactive protocol (P, V) is said to be perfect/statistical/computational zero-knowledge if for every probabilistic polynomial-time verifier V (not necessarily the honest one) there exists a probabilistic (expected) polynomial-time simulator S_V so that the two ensembles

• {⟨P, V⟩(x)}_{x∈L}

• {S_V(x)}_{x∈L}

are perfectly/statistically/computationally indistinguishable. Here ⟨P, V⟩(x) denotes V's output after interacting with P on common input x. Moreover, a protocol is simply said to be zero-knowledge if it is computational zero-knowledge.

An alternative, but equivalent, definition is to require the simulator S(·) to output V's view view_V^P(x) rather than V's output. The view view_V^P(x) consists of the entire sequence of the local configurations of the verifier during an execution of the interaction with the prover. That is, view_V^P(x) = (x, r, tr_{P,V}(x)), where r is the random tape of V and tr_{P,V}(x) is the sequence of messages V has received from the prover. It suffices to consider only the random bits of V and the messages V has received during the execution, because the entire sequence of local configurations, and hence the final output, is determined by those objects together with x.

To prove that a protocol is zero-knowledge according to Definition 2.6.1, one would have to construct a simulator for every possible verifier. This is usually done by constructing a universal simulator that works for all verifiers. In particular, the universal simulator S_V uses any verifier V as a black box: on a query q (the next prover message) and random bits r, V returns its next message V(q, r). S_V does not try to dissect V to see how V works, but S_V can rewind V to a previous execution state and feed it a different message.

If an interactive proof system is proved zero-knowledge by treating V as a black box in the simulation, we call it black-box zero-knowledge. With black-box simulation, one often needs to allow probabilistic expected polynomial-time simulators (i.e., Las Vegas algorithms) in order to obtain constant-round zero-knowledge arguments. Most of the known zero-knowledge protocols make use of black-box techniques in their simulation. However, there are several negative results about the power of black-box simulators. Goldreich and Krawczyk show that black-box 3-round zero-knowledge proofs and constant-round Arthur-Merlin (public-coin) black-box zero-knowledge proofs exist only for languages in BPP, i.e., they are impossible for any non-trivial language [109]. Canetti, Kilian, Petrank, and Rosen show that no constant-round protocol for a language outside BPP is bounded concurrent zero-knowledge with a black-box simulator [41]. We remark that by the definition of zero-knowledge, black-box simulation is not the only way to show the zero-knowledge property. Barak presents the first constructions of non-black-box simulators [7]. Using these non-black-box techniques, he obtains several results that were previously proved to be impossible to obtain with black-box simulators, including constant-round bounded-concurrent zero-knowledge arguments. See [7] for more details.

In many applications, the verifier interacting with the prover may have some additional a priori information z that may assist it in its attempts to extract knowledge from the prover. To model this, auxiliary-input zero knowledge is defined as follows [107]. The conditions are the same as those for zero-knowledge, except that the verifier and the simulator are both given an extra input z whose size is polynomially bounded in the size of x; the interaction is denoted by ⟨P, V(z)⟩(x). If the basic protocol is auxiliary-input zero-knowledge, then its sequential composition can be shown to be zero-knowledge. However, a parallel composition of zero-knowledge protocols is in general no longer zero-knowledge. Furthermore, if a protocol is proved zero-knowledge with black-box simulation techniques, it is also auxiliary-input zero-knowledge, since the black-box simulator never looks inside V and therefore works equally well when V has z hard-wired into its code.

A slightly weaker requirement than zero knowledge is honest-verifier zero knowledge. An honest verifier is one that follows the protocol; in the public-coin protocols considered here, this means that its messages to P are exactly its random bits (in complexity terms, the verifier tosses public coins). Honest-verifier zero knowledge requires simulatability of the view of the honest verifier only, rather than simulatability of the view of every possible probabilistic polynomial-time verifier.

Definition 2.6.2 (Honest-Verifier Zero Knowledge). An interactive protocol (P, V) is said to be perfect/statistical/computational honest-verifier zero-knowledge if there exists a probabilistic (expected) polynomial-time simulator S_V so that the two ensembles {⟨P, V⟩(x)}_{x∈L} and {S_V(x)}_{x∈L} are perfectly/statistically/computationally indistinguishable, where V is the honest verifier.
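The following is an added, runnable illustration of both simulation notions above (it is not code from the thesis): a Schnorr-style three-move protocol over a constructed toy group (P = 1019, Q = 509, G = 4; sizes are illustrative, not secure). `hvzk_simulate` is the simulator of Definition 2.6.2 for the public-coin honest verifier, and `blackbox_simulate` is the universal, rewinding simulator of Definition 2.6.1: it treats an arbitrary verifier strategy purely as a black box `verifier(a, r_v)`, guesses the challenge, and rewinds on a wrong guess, which is why it is only expected polynomial-time. The verifier strategies and all function names are assumptions made for the example.

```python
import secrets

# Constructed toy Schnorr group (illustrative size only): prime P = 2Q + 1,
# G generates the subgroup of prime order Q. The definitions concern
# distributions, not bit lengths, so a tiny group suffices to run the
# simulators; a real deployment uses a 256-bit group and large challenges.
P, Q, G = 1019, 509, 4


def keygen():
    """Witness w and statement y = G^w mod P. P knows w; V only sees y."""
    w = secrets.randbelow(Q - 1) + 1
    return w, pow(G, w, P)


def prover_commit():
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def prover_respond(w, r, c):
    return (r + c * w) % Q


def verify(y, a, c, z):
    """Verifier's accept predicate: G^z == a * y^c (mod P)."""
    return pow(G, z, P) == (a * pow(y, c, P)) % P


def real_view(w, y, verifier, r_v):
    """Run <P, V>(y) with V's coins r_v; return view_V^P = (y, r_v, (a, c, z))."""
    r, a = prover_commit()
    c = verifier(a, r_v)          # V's challenge, computed from a and its coins
    z = prover_respond(w, r, c)
    return (y, r_v, (a, c, z))


def simulate_transcript(y, challenge_space):
    """Choose (c, z) first and solve for a. No witness is used, yet verify()
    accepts, and (a, c, z) has exactly the real distribution for that c."""
    c = secrets.randbelow(challenge_space)
    z = secrets.randbelow(Q)
    a = (pow(G, z, P) * pow(y, (Q - c) % Q, P)) % P   # a = G^z * y^(-c)
    return a, c, z


# --- Honest-verifier zero knowledge (Definition 2.6.2) -----------------------

def honest_verifier(a, r_v):
    """Public-coin verifier: its message is exactly its coins, independent of a."""
    return r_v % Q


def hvzk_simulate(y):
    """S_V for the honest verifier: the coins that yield challenge c are r_v = c."""
    a, c, z = simulate_transcript(y, Q)
    return (y, c, (a, c, z))


# --- Black-box simulation with rewinding (Definition 2.6.1) ------------------

def cheating_verifier(a, r_v):
    """Deterministic but not public-coin: the 1-bit challenge depends on a, so
    the simulator cannot know c before committing to a (assumed strategy)."""
    return (a + r_v) % 2


def blackbox_simulate(y, verifier, max_tries=64):
    """Universal simulator that only calls verifier(a, r_v) as a black box.
    Guess the challenge, build an accepting transcript for the guess, run V;
    if V's actual challenge differs, rewind (discard V's state) and retry with
    a fresh first message. Each try succeeds with probability 1/2, so this is
    an expected polynomial-time (Las Vegas) simulator, and its output has the
    same distribution as real_view(w, y, verifier, r_v)."""
    r_v = secrets.randbelow(2 ** 16)     # V's coins, uniform as in a real run
    for tries in range(1, max_tries + 1):
        a, c_guess, z = simulate_transcript(y, 2)
        if verifier(a, r_v) == c_guess:
            return (y, r_v, (a, c_guess, z)), tries
    raise RuntimeError("rewinding budget exhausted (probability 2^-64)")
```

With a 1-bit challenge the rewinding simulator needs two tries on average; with a challenge drawn from all of Z_Q the guess would succeed with probability only 1/Q, which is exactly why general verifiers are handled by repeating small-challenge rounds rather than by one large-challenge round, and why the honest-verifier simulator (which never has to guess) is the easier notion.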

In many interactive protocols, it is essential that the transcript of the interaction does not yield any evidence that the interaction took place. Such protocols (e.g. undeniable signatures [51] and deniable authentication [81, 83]) are said to be deniable. The standard definition of zero-knowledge in the plain model certainly satisfies deniability: the verifier could have produced the transcript on its own by running the simulator. However, this is no longer the case with the definitions of zero knowledge in the random oracle model [9]. This results from the fact that in the real world the public information in the random oracle model is fixed once and for all at start-up.

However, when proving security, the simulator in the random oracle model is allowed to choose this public information (i.e., the answers of the random oracle) in any way it pleases as long as it "looks ok." Thus even though there exists a simulator for a protocol, there is no guarantee that one can actually simulate a transcript with respect to a given, predefined oracle. For several settings in which zero knowledge and deniability are the goals, the standard definitions of zero knowledge in the random oracle model are not sufficient because they do not guarantee deniability. In the following we recall the definition of deniable zero knowledge in the random oracle model [178].

Definition 2.6.3 (Deniable Zero Knowledge). An interactive protocol (P, V) is said to be deniable zero-knowledge in the random oracle (RO) model if for every probabilistic polynomial-time verifier V* there exists a probabilistic (expected) polynomial-time simulator S_V* so that the following two ensembles are computationally indistinguishable:

• {RO, ⟨P^RO, V*^RO⟩(x)}_{x∈L}

• {RO, S_V*^RO(x)}_{x∈L},

where RO : {0,1}^{poly(|x|)} → {0,1}^{poly(|x|)} is a uniformly distributed random function.

That is, for every probabilistic algorithm D running in time polynomial in the length of its first input, every polynomial p, and all sufficiently long x ∈ L, it holds that

|Pr[D^RO(x, ⟨P^RO, V*^RO⟩(x)) = 1] − Pr[D^RO(x, S_V*^RO(x)) = 1]| < 1/p(|x|),

where the probability is taken over the choice of RO and the coins of all parties, and D is given oracle access to the same RO that P, V* and S_V* used. Note that S_V* only has oracle access to RO: it may observe the queries, but it cannot choose the answers.

We note that when proving security according to the standard zero-knowledge definition in the random oracle model, the simulator has two advantages over a plain model simulator, namely

1. The simulator can see what values parties query the oracle on.

2. The simulator can answer these queries in whatever way it chooses as long as the answers “look ok.”

An easy way of seeing this is by noting that non-interactive zero-knowledge proofs [15] are possible in the random oracle model. A player receiving a non-interactive proof of an assertion can definitely do something new: it can simply send the same proof to someone else, who can verify it against the same fixed oracle. This seems to contradict the zero-knowledge property. However, the simulator for non-interactive zero knowledge is much stronger in the random oracle model than in the plain model. In fact, the zero-knowledge property in the random oracle model only guarantees that the verifier will not be able to do anything new without referring to the random oracle.

The definition of deniable zero knowledge in the random oracle model restricts the power of the simulator and only allows it to see what values parties query the oracle on. This is due to the fact that in the definition of deniable zero knowledge in the random oracle model, the distinguisher is given access to the random oracle and can thus verify whether the simulator has answered the oracle queries in compliance with the predefined oracle.
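The following is an added example (not the thesis's own code) that makes the difference between the two simulator powers and the distinguisher of Definition 2.6.3 concrete, using a Fiat-Shamir-style non-interactive proof in the random-oracle model as a stand-in for the non-interactive proofs discussed above. It reuses the same constructed toy group (P = 1019, Q = 509, G = 4). `RandomOracle` is the fixed public oracle (SHA-256 reduced mod Q, an assumed instantiation); `ProgrammableOracle` is what the standard RO-model simulator is allowed to do (choose answers at points it picks); `distinguisher` is D^RO, which holds the fixed oracle and therefore catches any proof whose challenge was programmed rather than computed.

```python
import hashlib
import secrets

# Same constructed toy Schnorr group as the interactive example (illustrative size only).
P, Q, G = 1019, 509, 4


def keygen():
    w = secrets.randbelow(Q - 1) + 1
    return w, pow(G, w, P)


class RandomOracle:
    """The fixed public oracle RO: challenge = SHA-256(y || a) mod Q (assumed
    instantiation). Every party, including the distinguisher D, gets the same
    function. The query log models advantage 1: the simulator may watch queries."""
    def __init__(self):
        self.queries = []

    def __call__(self, y, a):
        self.queries.append((y, a))
        digest = hashlib.sha256(f"{y}|{a}".encode()).digest()
        return int.from_bytes(digest, "big") % Q


class ProgrammableOracle(RandomOracle):
    """The oracle as the standard RO-model simulator may treat it (advantage 2):
    answers it chose itself at programmed points, the real function elsewhere.
    The programmed answers still 'look ok' (uniform in Z_Q)."""
    def __init__(self):
        super().__init__()
        self.table = {}

    def program(self, y, a, c):
        self.table[(y, a)] = c

    def __call__(self, y, a):
        if (y, a) in self.table:
            self.queries.append((y, a))
            return self.table[(y, a)]
        return super().__call__(y, a)


def fs_prove(w, y, oracle):
    """Non-interactive proof: the challenge is RO(y, a) instead of a verifier message."""
    r = secrets.randbelow(Q)
    a = pow(G, r, P)
    c = oracle(y, a)
    return (a, (r + c * w) % Q)


def fs_verify(y, proof, oracle):
    a, z = proof
    c = oracle(y, a)
    return pow(G, z, P) == (a * pow(y, c, P)) % P


def fs_simulate(y, oracle):
    """Standard RO-model simulator: no witness, but it programs RO(y, a) := c."""
    c = secrets.randbelow(Q)
    z = secrets.randbelow(Q)
    a = (pow(G, z, P) * pow(y, (Q - c) % Q, P)) % P   # a = G^z * y^(-c)
    oracle.program(y, a, c)
    return (a, z)


def distinguisher(y, proof, real_oracle):
    """D^RO of Definition 2.6.3: D holds the fixed oracle, so it simply checks
    whether the proof verifies against it (1 = 'real')."""
    return 1 if fs_verify(y, proof, real_oracle) else 0


def simulated_proof_rejection_rate(trials=50):
    """Fraction of simulated proofs that D rejects against the fixed oracle.
    Real proofs are always accepted, so this is D's distinguishing advantage.
    A simulated proof survives only if the programmed c happened to equal the
    real hash value (probability about 1/Q per trial)."""
    real = RandomOracle()
    _, y = keygen()
    rejected = 0
    for _ in range(trials):
        sim_oracle = ProgrammableOracle()
        proof = fs_simulate(y, sim_oracle)
        rejected += 1 - distinguisher(y, proof, real)
    return rejected / trials
```

Two things to observe when running it: a real proof verifies under any fresh `RandomOracle()` instance, which is the transferability ("send the same proof to someone else") that breaks deniability; and a simulated proof verifies only under the simulator's own programmed oracle, so a distinguisher with access to the fixed RO rejects it almost always. A simulator restricted to observing queries, as Definition 2.6.3 demands, would have to output a proof whose challenge equals the real RO(y, a) without knowing w, which is precisely what the proof's soundness rules out.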