2

I'm studying the application of Zero-Knowledge Proofs (ZKP) to graph 3-colorability. I haven't fully understood the need for randomness in the verifier's choice of the edge to challenge the prover with.

If the verifier could choose the edge to visit, it would be sure in at most the number of edges steps that the prover has a valid coloring, assuming such a coloring exists, by visiting every edge. I understand that if the verifier were capable of doing that, the interactive nature of the proof would fail.

However, I'm not sure if that would affect the zero-knowledge property or if it would only cause the proof to have zero soundness error, making the proof non-interactive. In the latter case, where the proof remains zero-knowledge, it seems to me that the verifier, now deterministic, would be able to solve the NP problem in polynomial time without knowing the witness or interacting with the prover.

Could someone clarify this point? Specifically, does the randomness in the verifier's challenge play a role in maintaining the zero-knowledge property, or does it merely ensure soundness and interactivity? If not, how could that be compatible with the fact that the verifier gets to solve an NP problem in polynomial time without the witness?

Maarten Bodewes
  • 96,351
  • 14
  • 169
  • 323
Tom_tomato
  • 23
  • 4

1 Answers1

1

I haven't fully understood the need for randomness in the verifier's choice of the edge to challenge the prover with.

If the verifier were to choose the edge deterministically, a malicious prover could trick the verifier into accepting with high probability. This breaks the soundness.

If the verifier could choose the edge to visit, it would be sure in at most the number of edges steps that the prover has a valid coloring, assuming such a coloring exists, by visiting every edge.

(Even when choosing edges randomly, the verifier learns all colorings in expected polynomial time.)

The prover reveals the coloring for only one edge. Hence, the verifier cannot learn colorings of multiple edges. Otherwise, the protocol were trivially non-ZK.

If the verifier wants to reduce a malicious prover's success probability, they have to rerun the protocol, i.e., the prover uses a new permutation and commitment.

However, I'm not sure if that would affect the zero-knowledge property

Since the simulator can/does choose the valid edge randomly, he succeeds in expected polynomial time for any strategy the malicious verifier uses to choose the edge (both deterministic and randomized).

arLin
  • 46
  • 2