3

It is well-known that the Schnorr identification protocol is honest-verifier perfect ZK because in the honest-verifier setting a simulator can choose (or know in advance) the verifier challenge.

From my reading it seems like Schnorr can be made (dishonest-verifier) ZK by reducing the domain of the challenge to $\{0, 1\}$. In this case, the simulator has access to a blackbox verifier that might emit a challenge $0$ or $1$ which it has to predict in advance. As such, the simulator might not be able to produce a correct transcript, but is able to produce one in $2$ attempts in expectation.

So far so good. What I don't understand is why is this OK? Since the simulator might abort/fail half of the time, doesn't this give the dishonest verifier adversary great odds to distinguish between a real prover transcript and a simulator transcript?

David 天宇 Wong
  • 1,595
  • 11
  • 27

1 Answers1

1

doesn't this give the dishonest verifier adversary great odds to distinguish between a real prover transcript and a simulator transcript?

The verifier is not the one distinguishing transcripts. The verifier is just an algorithm (treated as a black-box) that the simulator runs until the simulator is able to correctly guess the verifier's challenge. From the verifier's point of view, it is still interacting with the prover, but the verifier is reset whenever the simulator guesses the wrong challenge, so it has no memory of past attempts. In the definition of zero-knowledge, two transcripts are submitted to a distinguisher, one from a real interaction between prover and verifier, and one from a simulated transcript. If the distinguisher cannot tell which is the case with probability better than negligible, then the scheme is zero-knowledge.

lamontap
  • 1,119
  • 7
  • 14