Zero Knowledge and Computational Indistinguishability
Clash Royale CLAN TAG#URR8PPP
up vote
2
down vote
favorite
Having some trouble understanding the following line:
âÂÂAlice conveys zero knowledge to Bob if Bob can sample
from a distribution of messages that is computationally indistinguishable
from the distribution of messages that Alice would
send.âÂÂ
From Page 122, https://www.cs.cornell.edu/courses/cs4830/2010fa/lecnotes.pdf
Could someone give a practical example of this sentence?
zero-knowledge-proofs
add a comment |Â
up vote
2
down vote
favorite
Having some trouble understanding the following line:
âÂÂAlice conveys zero knowledge to Bob if Bob can sample
from a distribution of messages that is computationally indistinguishable
from the distribution of messages that Alice would
send.âÂÂ
From Page 122, https://www.cs.cornell.edu/courses/cs4830/2010fa/lecnotes.pdf
Could someone give a practical example of this sentence?
zero-knowledge-proofs
add a comment |Â
up vote
2
down vote
favorite
up vote
2
down vote
favorite
Having some trouble understanding the following line:
âÂÂAlice conveys zero knowledge to Bob if Bob can sample
from a distribution of messages that is computationally indistinguishable
from the distribution of messages that Alice would
send.âÂÂ
From Page 122, https://www.cs.cornell.edu/courses/cs4830/2010fa/lecnotes.pdf
Could someone give a practical example of this sentence?
zero-knowledge-proofs
Having some trouble understanding the following line:
âÂÂAlice conveys zero knowledge to Bob if Bob can sample
from a distribution of messages that is computationally indistinguishable
from the distribution of messages that Alice would
send.âÂÂ
From Page 122, https://www.cs.cornell.edu/courses/cs4830/2010fa/lecnotes.pdf
Could someone give a practical example of this sentence?
zero-knowledge-proofs
zero-knowledge-proofs
asked 1 hour ago
Kek
233
233
add a comment |Â
add a comment |Â
1 Answer
1
active
oldest
votes
up vote
2
down vote
accepted
Suppose in some protocol Alice is supposed to send an encryption of her special secret $s$ under a public key $pk$. She is sampling from the distribution of encryptions of $s$.
Bob can choose a random plaintext $r$ and encrypt it under $pk$. He is sampling from the distribution of encryptions of random plaintexts.
Even though Bob doesn't know Alice's special secret $s$, these two distributions are computationally indistinguishable (that's the basic definition of security for the encryption scheme). So this message (Alice's encryption of $s$) is zero-knowledge.
In a real example, you would have to simulate the entire exchange of all messages (called the transcript). It doesn't really work to simulate just one at a time, you have to capture correlations along messages if there are many rounds in the protocol.
Imagine Alice wants to prove to Bob that she is a good archer. The protocol to convince him is for Bob to paint a target on the wall, then Alice will fire an arrow into the bullseye. The "transcript" (the information that Bob leaves with) is a target painted on a wall with an arrow in the bullseye.
But Bob can generate the same distribution of transcripts without Alice's help! He can just put an arrow into the wall first and then paint a target around it. Hence, the protocol is "zero-knowledge."
add a comment |Â
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
2
down vote
accepted
Suppose in some protocol Alice is supposed to send an encryption of her special secret $s$ under a public key $pk$. She is sampling from the distribution of encryptions of $s$.
Bob can choose a random plaintext $r$ and encrypt it under $pk$. He is sampling from the distribution of encryptions of random plaintexts.
Even though Bob doesn't know Alice's special secret $s$, these two distributions are computationally indistinguishable (that's the basic definition of security for the encryption scheme). So this message (Alice's encryption of $s$) is zero-knowledge.
In a real example, you would have to simulate the entire exchange of all messages (called the transcript). It doesn't really work to simulate just one at a time, you have to capture correlations along messages if there are many rounds in the protocol.
Imagine Alice wants to prove to Bob that she is a good archer. The protocol to convince him is for Bob to paint a target on the wall, then Alice will fire an arrow into the bullseye. The "transcript" (the information that Bob leaves with) is a target painted on a wall with an arrow in the bullseye.
But Bob can generate the same distribution of transcripts without Alice's help! He can just put an arrow into the wall first and then paint a target around it. Hence, the protocol is "zero-knowledge."
add a comment |Â
up vote
2
down vote
accepted
Suppose in some protocol Alice is supposed to send an encryption of her special secret $s$ under a public key $pk$. She is sampling from the distribution of encryptions of $s$.
Bob can choose a random plaintext $r$ and encrypt it under $pk$. He is sampling from the distribution of encryptions of random plaintexts.
Even though Bob doesn't know Alice's special secret $s$, these two distributions are computationally indistinguishable (that's the basic definition of security for the encryption scheme). So this message (Alice's encryption of $s$) is zero-knowledge.
In a real example, you would have to simulate the entire exchange of all messages (called the transcript). It doesn't really work to simulate just one at a time, you have to capture correlations along messages if there are many rounds in the protocol.
Imagine Alice wants to prove to Bob that she is a good archer. The protocol to convince him is for Bob to paint a target on the wall, then Alice will fire an arrow into the bullseye. The "transcript" (the information that Bob leaves with) is a target painted on a wall with an arrow in the bullseye.
But Bob can generate the same distribution of transcripts without Alice's help! He can just put an arrow into the wall first and then paint a target around it. Hence, the protocol is "zero-knowledge."
add a comment |Â
up vote
2
down vote
accepted
up vote
2
down vote
accepted
Suppose in some protocol Alice is supposed to send an encryption of her special secret $s$ under a public key $pk$. She is sampling from the distribution of encryptions of $s$.
Bob can choose a random plaintext $r$ and encrypt it under $pk$. He is sampling from the distribution of encryptions of random plaintexts.
Even though Bob doesn't know Alice's special secret $s$, these two distributions are computationally indistinguishable (that's the basic definition of security for the encryption scheme). So this message (Alice's encryption of $s$) is zero-knowledge.
In a real example, you would have to simulate the entire exchange of all messages (called the transcript). It doesn't really work to simulate just one at a time, you have to capture correlations along messages if there are many rounds in the protocol.
Imagine Alice wants to prove to Bob that she is a good archer. The protocol to convince him is for Bob to paint a target on the wall, then Alice will fire an arrow into the bullseye. The "transcript" (the information that Bob leaves with) is a target painted on a wall with an arrow in the bullseye.
But Bob can generate the same distribution of transcripts without Alice's help! He can just put an arrow into the wall first and then paint a target around it. Hence, the protocol is "zero-knowledge."
Suppose in some protocol Alice is supposed to send an encryption of her special secret $s$ under a public key $pk$. She is sampling from the distribution of encryptions of $s$.
Bob can choose a random plaintext $r$ and encrypt it under $pk$. He is sampling from the distribution of encryptions of random plaintexts.
Even though Bob doesn't know Alice's special secret $s$, these two distributions are computationally indistinguishable (that's the basic definition of security for the encryption scheme). So this message (Alice's encryption of $s$) is zero-knowledge.
In a real example, you would have to simulate the entire exchange of all messages (called the transcript). It doesn't really work to simulate just one at a time, you have to capture correlations along messages if there are many rounds in the protocol.
Imagine Alice wants to prove to Bob that she is a good archer. The protocol to convince him is for Bob to paint a target on the wall, then Alice will fire an arrow into the bullseye. The "transcript" (the information that Bob leaves with) is a target painted on a wall with an arrow in the bullseye.
But Bob can generate the same distribution of transcripts without Alice's help! He can just put an arrow into the wall first and then paint a target around it. Hence, the protocol is "zero-knowledge."
answered 1 hour ago
Mikero
4,94111521
4,94111521
add a comment |Â
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f63295%2fzero-knowledge-and-computational-indistinguishability%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password