10

I have learned that a zero-knowledge (ZK) proof system can be constructed by making use of the three-color problem. In this particular case, the proof system also happens to be proof of knowledge (POK), i.e. any prover necessarily needs to know a witness in order to convince the verifier.

Are there ZK proof systems which are not POK?

dkaeae

2 Answers

9

There are certainly ZK proof systems which are not known to be POK, and for which no knowledge extractor is known. For example, take the Goldreich-Kahan 4-round ZK proof system. However, do we know of a non-trivial proof system that is provably not a proof of knowledge? Not that I know of.

Yehuda Lindell
3

Sure. For any total relation,

Protocol: verifier accepts
Simulator: run the adversary

is a zero-knowledge proof system, but if it's of knowledge
then the search problem is efficiently solvable.
There trivially exist easily-checkable total relations whose search problems are hard:
For example, consider the relation given by xRy if and only if length(y) = 2^length(x) .


As far as NP relations go:

If RP = NP then the knowledge extractor can just find a witness on its own, so answers have to be conditional. This answer's proof system is not affected by the relation being TFNP.
The best argument I'm aware of for why there are probably TFNP problems that aren't efficiently solvable is Polynomial Generalized Pigeonhole Principle, given by xRy if and only if
[[it's not the case that x encodes an ordered triple whose entries, in order, are
[a positive integer in unary, a positive integer in binary, a circuit computing a function
from {0,1,2,3,...,((left_entry)-1)*(middle_entry)} to {0,1,2,3,...,(middle_entry)-1}]]
or [with t,n,f being those integers and the function respectively, y is a set of t distinct
elements of {0,1,2,3,...,(t-1)*n} and f gives the same output for each element of y]].
(Consider collision-resistance of hash functions.)


This sort of thing might be what "the Goldreich-Kahan 4-round ZK proof system" is for,
but looking at his link's pdf does not reveal that system, so I'm mentioning anyway that a way in which one might naturally end up with a ZK proof system that's not a proof of knowledge
is relations over cyclic groups, where the prover shows knowledge of g^x but not of x.
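
Added example, not part of either answer: the Polynomial Generalized Pigeonhole relation from the second answer, restricted to well-formed instances x = (t, n, f), with a checker, the accept-everything verifier, and the exhaustive search an extractor would be reduced to. The function names and the SHA-256 stand-in for the circuit f are assumptions made for illustration.

```python
# Added illustration; all names here are hypothetical, not from the answers.
import hashlib
from collections import defaultdict

def make_f(n, salt=b"constructed-example"):
    """Constructed stand-in for the circuit: maps integers into {0,...,n-1}."""
    def f(i):
        digest = hashlib.sha256(salt + i.to_bytes(8, "big")).digest()
        return int.from_bytes(digest, "big") % n
    return f

def check_relation(t, n, f, y):
    """xRy for well-formed x=(t,n,f): y holds t distinct elements of
    {0,...,(t-1)*n} on which f gives a single output. Cheap to check."""
    domain_max = (t - 1) * n
    ys = set(y)
    if len(y) != t or len(ys) != t:
        return False
    if any(not isinstance(v, int) or v < 0 or v > domain_max for v in ys):
        return False
    return len({f(v) for v in ys}) == 1

def find_witness(t, n, f):
    """Exhaustive search. It always succeeds, because (t-1)*n+1 inputs fall
    into n outputs, so some output has t preimages (the relation is total).
    Running time is linear in n, i.e. exponential in n's binary length."""
    buckets = defaultdict(list)
    for i in range((t - 1) * n + 1):
        bucket = buckets[f(i)]
        bucket.append(i)
        if len(bucket) == t:
            return bucket
    raise AssertionError("unreachable: pigeonhole guarantees a witness")

def trivial_verifier(x, prover_messages=()):
    """The protocol for a total relation: accept without reading anything.
    Sound because every x has a witness; nothing is sent, so nothing leaks."""
    return True
```

The verifier accepts any instance, while producing a y that passes `check_relation` still takes the search in `find_witness`; a knowledge extractor for this protocol would have to do that search efficiently on its own.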