0

What is the simplest known scheme that allows one to, given an input x : {0,1}* for which F(x) == y where F : {0,1}* -> {0,1}*, elaborate a proof p : {0,1}* such that V(p, y, F) iff F(x) == y?

MaiaVictor
  • 1,365
  • 8
  • 16

1 Answers1

1

What is the simplest known scheme that allows one to, given an input x : {0,1}* for which F(x) == y where F : {0,1}* -> {0,1}, elaborate a proof p : {0,1} such that V(p, y, F) iff F(x) == y?

First, in your definition the verifier needs to know $F,y$ and $p$, as he uses those in the verification process.

As @RickyDemer pointed out, if $F$ is some invertible function, the zero knowledge property trivially holds - but that might not be what you wanted:

  • If $F$ is invertible, the verifier can calculate $F^{-1}(y) = x$
  • Knowing $x$ and the distribution of the random coins used in the proof, the verifier can just act like the prover.

However, this is probably not what you had in mind with zero knowledge in the title. It does not mean, the verifier can't learn $x$. In order to achieve that, we need that $F$ is some kind of a one-way function. If we model the prover as computationally unbound, we could also assume that the evaluation of $F$ is super-polynomial, and in that case the polynomially bound verifier could not act like the unbounded prover - but then any verification would most likely also be super-polynomial.

If we require $F$ to be a one-way function of some kind, a proof of knowing a preimage can take different forms, depending on the function $F$. The most common and simple ones utilize algebraic structures and known hard problems like the discrete logarithm. More generally, for any NP-complete problem you can create a zero knowledge proof (assuming one-way functions exist), and graph coloring is a classic example. For non-algebraic statements, there is also some research, but it's much more complicated. Here are two related questions, which have some relevant references:

tylo
  • 12,864
  • 26
  • 40