Notes for Lecture 3 Scribe : Sandro

About the notes: These notes serve as written reference for the topics not covered by the papers that are handed out during the lecture. The material contained therein is thus a strict subset of what is relevant for the final exam. This week, the notes discuss the definition of (perfect) zero-knowledge and a proof that the three-move protocols we have encountered so far (graph isomorphism, Fiat-Shamir, Guillou-Quisqater, Schnorr) are perfectly zero-knowledge [Mau09, Theorem 2]. Intuitively, an interactive proof (P, V) between a prover P and verifier V is zero-knowledge if after interacting with P , any verifier V has no more information than before executing the protocol. This is captured by the notion of a simulator S that reproduces V 's view in the proof without actually communicating with P. More precisely, consider the following two random experiments: 1. Prover P interacts with V ; let Z be the random variable corresponding to the resulting transcript and P Z its distribution. 2. Simulator S interacts with V and outputs a transcript; let Z denote the corresponding random variable andˆP Z its distribution. Definition 3.1. An interactive proof (P, V) is (perfectly) zero-knowledge if for every efficient V there exists an efficient simulator S (with access to V) producing a transcript Z that is distributed identically to the transcript Z in the actual interaction between P and The interactive proof is honest-verifier zero-knowledge (HVZK) if the simulator exists for (the honest) verifier V. In this course, when proving the zero-knowledge property, there will always be a single simulator S that works for all verifiers V. This is referred to as black-box simulation. The HVZK property is perhaps not very interesting per se, but it is a useful tool in proving (perfect) zero-knowledge. All three-move protocols in this course satisfy the even stronger