Proof of knowledge

In cryptography, a proof of knowledge is an interactive proof in which the prover succeeds 'convincing' a verifier that it knows something. What it means for a machine to 'know something' is defined in terms of computation. A machine 'knows something', if this something can be computed, given the machine as an input. We are mostly interested in what can be proven by polynomical time machines. As the program of the prover, does not necessarily spit out the knowledge itself, as is the case for zero-knowledge proofs, a machine with a different program, called the knowledge extractor is introduced to capture this idea.

A proof of knowledege for relation ${\displaystyle R}$ with knowledge error ${\displaystyle \kappa }$ is a two party protocol with a prover ${\displaystyle P}$ and a verifier ${\displaystyle V}$ with the following two properties:

1. Completeness: if ${\displaystyle (x,w)\in R}$, the prover P who knows witness ${\displaystyle w}$ for ${\displaystyle x}$ succeeds in convincing the verifier ${\displaystyle V}$ of his knowledge. More formally: ${\displaystyle Pr(P(x,w)\leftrightarrow V(x)\rightarrow 1)=1}$
2. Validity: Validity requires that the success probability of a knowledge extractor ${\displaystyle E}$ in extracting the witness, given oracle access to a possibly malicious prover ${\displaystyle {\tilde {P}}}$, must be at least as high as the success probability of the prover ${\displaystyle {\tilde {P}}}$ in convincing the verifier. This Property guarantees that no prover that doesn't know the witness can succeed in convincing the verifier.

This is the rigorous definition of Validity:

There exists a polynomial-time machine ${\displaystyle E}$, given oracle access to ${\displaystyle {\tilde {P}}}$, such that for every ${\displaystyle {\tilde {P}}}$ and every ${\displaystyle x\in \;dom\;R}$, it is the case that ${\displaystyle E^{{\tilde {P}}(x)}(x)\in R(x)\cup \{\bot \}}$ and ${\displaystyle Pr(E^{{\tilde {P}}(x)}(x)\in R(x))\geq Pr({\tilde {P}}(x)\leftrightarrow V(x)\rightarrow 1)-\kappa (x).}$

${\displaystyle R(x)}$ is the set of all witnesses for public value ${\displaystyle x}$, while the result ${\displaystyle \bot }$ signifies that the Turing machine ${\displaystyle E}$ did not come to a conclusion.

The knowledge error ${\displaystyle \kappa (x)}$ denotes the probability that the verifier ${\displaystyle V}$ might accept ${\displaystyle x}$, even though the prover does in fact not know a witness ${\displaystyle w}$. The knowledge extractor ${\displaystyle E}$ is used to express what is meant by the knowledge of a Turing machine. If ${\displaystyle E}$ can extract ${\displaystyle w}$ from ${\displaystyle {\tilde {P}}}$, we say that ${\displaystyle {\tilde {P}}}$ knows the value of ${\displaystyle w}$.

• Cryptographic protocol
• Zero-knowledge proof
• interactive proof system
• Topics in cryptography
• Zero-knowledge password proof

• On Defining Proofs of Knowledge