
I still do not understand the security model when proving the zero-knowledge property.

Take the Sigma protocol as an example:

In the book Proofs, Arguments, and Zero-Knowledge (Section 12.2.1), the definition of the Honest Verifier Perfect Zero-Knowledge property is as follows:

the distribution over transcripts output by the simulator is identical to the distribution over transcripts produced by the honest verifier in the $\sum$ protocol interacting with the honest prover.

My confusion is that, to output a valid proof without the witness, the simulator first needs to select a challenge $e$, sample $z$ (the response), and finally compute the corresponding first commitment message $a$. The order of the messages has changed.

Does the order of the messages matter? I already asked a similar question in Why is the definition of Special-honest verifier zero-knowledge probabilistic?. However, that question focuses on the completeness property.

  • There was an attempt to edit this question by an anonymous user. Thanks for trying to improve the question, but I think that replacing the large sigma with a smaller one is not something we want in our review queue; please do not bother with such minor edits until the edit privilege has been awarded to you. Commented Nov 18 at 15:54

1 Answer


To understand this, consider what the definition of (perfect) zero-knowledge (or, in this case, perfect honest-verifier zero-knowledge (HVZK)) is supposed to model.

The idea is that

Any information the verifier might know after interacting with the prover is information they already knew, without interacting with the prover at all.

Now the question for HVZK is, what information can an honest verifier possibly learn from interacting with the prover? The answer is that the only additional information the honest verifier possesses after interacting with the prover is a transcript of an honest execution of the protocol.

So if the verifier can sample the same (as in distributed identically) transcript by themselves without ever interacting with the prover, that means whatever information they might have extracted from their (honest) interaction with the prover, they can just as easily extract from the simulated transcript. It does not matter how the transcript is sampled, as long as the final distribution is the same.

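The claim that the sampling order does not matter can be checked exhaustively on a toy instance of Schnorr's Sigma protocol. This is an added example, not part of the original answer; the group parameters (p = 23, q = 11, g = 2) and all function names are constructed for illustration and are far too small for real use.

```python
from collections import Counter
from itertools import product

# Constructed toy parameters: g = 2 generates the order-11 subgroup of Z_23^*.
P, Q, G = 23, 11, 2

def verify(h, a, e, z):
    """Verifier's check for a transcript (a, e, z): g^z == a * h^e mod p."""
    return pow(G, z, P) == (a * pow(h, e, P)) % P

def honest_transcripts(w):
    """All transcripts of the honest prover (who knows w) with an honest verifier.

    Message order: commitment a, then challenge e, then response z.
    Every (r, e) pair is equally likely, so counting occurrences gives the distribution.
    """
    dist = Counter()
    for r, e in product(range(Q), repeat=2):
        a = pow(G, r, P)         # commitment, chosen before e is known
        z = (r + e * w) % Q      # response, needs the witness w
        dist[(a, e, z)] += 1
    return dist

def simulated_transcripts(h):
    """All transcripts of the simulator, which sees only h = g^w.

    Reversed order: pick e and z first, then solve for the commitment a.
    """
    dist = Counter()
    for e, z in product(range(Q), repeat=2):
        # a = g^z * h^(-e); h has order dividing q, so -e is reduced mod q.
        a = (pow(G, z, P) * pow(h, (-e) % Q, P)) % P
        dist[(a, e, z)] += 1
    return dist

def compare(w):
    """Return (distributions identical?, number of distinct transcripts, all simulated accept?)."""
    h = pow(G, w, P)
    real = honest_transcripts(w)
    sim = simulated_transcripts(h)
    return real == sim, len(real), all(verify(h, *t) for t in sim)

if __name__ == "__main__":
    for w in range(Q):
        print(w, compare(w))
```

For every witness, both procedures produce each of the q² accepting transcripts exactly once, so the two distributions are identical even though the simulator never uses w and builds the messages in reverse order.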
