Cryptography – ZeroKnowledge Proofs
 ( Complete ) For all \ ( x \in L\ ), a voucher says “ yes ” after interacting with the prover

( Sound ) For all \ ( x \notin L\ ), and for all provers \ ( P^*\ ), a voucher says “ no ” after interacting with \ ( P^*\ ) with probability at least \ ( 1/2\ ).
Reading: Cryptography – ZeroKnowledge Proofs

( Perfect ) For all verifiers \ ( V^*\ ), there exists a simulator \ ( S^*\ ) that is a randomize polynomial meter algorithm such that for all \ ( x \in L\ ) ,
\ [ \ { transcript ( ( P, V^* ) ( x ) ) \ } = \ { S^* ( x ) \ } \ ]
+ ( equality of distributions ) The being of a simulator implies that if \ ( x \in L\ ), then \ ( V^*\ ) can not learn more than the fact that \ ( x \in L\ ). Example: Let \ ( N = pq, x \in \mathbb { Z } _N^*\ ). Suppose we wish to prove that \ ( x\ ) is a quadratic residue in \ ( \mathbb { Z } _N^*\ ). then let \ ( x = \alpha^2\ ) ( modulo \ ( N\ ) ) .
 \ ( P\ ) : \ ( radius \leftarrow \mathbb { Z } _N\ ), sends \ ( a = r^2\ )
 \ ( V\ ) : sends \ ( b \leftarrow \ { 0,1\ } \ )
 \ ( P\ ) : sends \ ( z = roentgen \alpha^b\ )
 \ ( V\ ) : tests \ ( z^2 = ax^b\ ). If therefore, output “ yes ”, differently output signal “ no ”
completeness of this scheme is immediate. As for wisdom : if \ ( a\ ) is not a quadratic remainder, then the voucher says “ no ” with probability at least one onehalf ( i.e. when \ ( barn = 0\ ) ). If \ ( a\ ) is a quadratic residue, but \ ( x\ ) is not, then the voucher says “ no ” with probability at least one half ( i.e when \ ( b = 1\ ) ). claim : if \ ( x\ ) is not a quadratic residue in \ ( \mathbb { Z } ^*_N\ ) then for all \ ( P^*\ ), \ ( V\ ) says “ no ” with probability at least one half. It remains to show that the outline is perfect zeroknowledge. Let \ ( V^*\ ) be some voucher, and presuppose \ ( transcript ( ( P, V^* ) ( N, x ) ) = [ a, b, z ] \ ). then construct a blackbox simulator \ ( S^*\ ) as follows :
 Pick a random \ ( omega \leftarrow \mathbb { Z } ^*_N\ ), and a random \ ( boron \leftarrow \ { 0,1\ } \ ) .
 Set \ ( a=z^2 / x^b \mod N\ )
 Run \ ( V^* ( x ) \ ), give it \ ( a\ ) as inaugural message from prover .
 \ ( V^*\ ) outputs some \ ( b’\ ) in \ ( \ { 0,1\ } \ ). If \ ( b \neq b’\ ) then goto gradation 1, otherwise output \ ( [ a, b, omega ] \ ) as the transcript. This takes two iterations on average .
claim : \ ( \ { transcript ( P, V^* ) ( N, x ) \ } = \ { S^* ( N, x ) \ } \ ) ( equality of distributions ).
sketch of proofread : \ ( a\ ) is undifferentiated in the quadratic residues of \ ( \mathbb { Z } _N^*\ ) because \ ( x\ ) is a quadratic equation remainder. \ ( b\ ) is from the lapp distribution generated by \ ( V^*\ ) given \ ( a\ ). \ ( z\ ) saitsfies \ ( z^2 = ax^b\ ) and is from the correct definition. wisdom can be improved by repeating the protocol consecutive. One might consider repetition in parallel, i.e .
 \ ( P\ ) : \ ( r_1, …, r_n \leftarrow \mathbb { Z } _N\ ), sends \ ( a_1 = r_1^2, …, a_n = r_n^2\ )
 \ ( V\ ) : sends \ ( b_1, …, b_n \leftarrow \ { 0,1\ } \ )
 \ ( P\ ) : sends \ ( z_1 = r_1 \alpha^b_1, …, z_n = r_n alpha^b_n\ )
 \ ( V\ ) : tests \ ( z_i^2 = a_i x^b_i\ ) for \ ( one = 1, …, n\ ). If so, output “ yes ”, otherwise output “ no ”
This dodge is complete and fathom, but it is not clear how to build a simulator. ( We can lone guess all the \ ( b_i\ ) ‘s correctly with probability \ ( 1/2^n\ ). ) Theorem [KG ’89]: If \ ( L\ ) has a threeround perfect zero cognition proof with negligible cheating probability then \ ( L \in BPP\ ). Since it is believed that quadratic equation residuosity is not in BPP, it is consequently besides thought that no threeround powerfully sound perfect zero cognition protocol for quadratic residuosity exists. hence we introduce a weaker interpretation of nothing cognition : Computational ZK: \ ( ( P, V ) \ ) is a \ ( ( t, \epsilon ) \ ) zeroknowledge proof system for a language \ ( L\ ) if it is
 heavy
 dispatch
 computational ZK : for all verifiers \ ( V^*\ ) there exists a simulator \ ( S^*\ ) such that for all \ ( x \in L\ ), the distribution \ ( \ { transcript ( ( P, V^* ) ( x ) ) \ } \ ) is \ ( ( triiodothyronine, \epsilon ) \ ) indistinguishable from \ ( \ { S^* ( x ) \ } \ ) .
Theorem [GMW ’87]: If a \ ( ( metric ton, \epsilon ) \ ) bit commitment scheme exists, then all languages in \ ( NP\ ) have computational ZK validation. Definition: ( imprecise definition ) A \ ( ( triiodothyronine, \epsilon ) \ ) bit committedness scheme is defined as follows :
 Commiter has a bite \ ( b \in \ { 0,1\ } \ ), and sends \ ( perpetrate ( bacillus ) \in \ { 0,1\ } ^*\ ) ( a committedness to a moment \ ( b\ ) ) .

Commiter can open commitment as \ ( b’\ ) and the voucher can check that \ ( b = b’\ ).
Read more: A Few Thoughts on Cryptographic Engineering
This system should be : * binding : boundlessly knockdown commiter can ’ metric ton convert voucher that commitment is a committedness to \ ( bcomplex vitamin ‘ \neq b\ ). * sound : \ ( commit ( bacillus ) \ ) reveals no information about \ ( b\ ), i.e. for any piece \ ( b\in\ { 0,1\ } \ ), \ ( \ { commit ( boron ), b\ } \ ) is \ ( ( deoxythymidine monophosphate, \epsilon ) \ ) indistinguishable from \ ( \ { perpetrate ( bacillus ), roentgen  r\leftarrow\ { 0,1\ } \ } \ ). Example : oneway permutations imply commitment schemes : Let \ ( fluorine : \ { 0,1\ } ^n \rightarrow\ { 0,1\ } ^n\ ) be a oneway substitution. Choose \ ( r\leftarrow\ { 0,1\ } ^n\ ), and set \ ( give ( bacillus ) = [ degree fahrenheit ( r ), B ( r ) \oplus b ] \ ) where \ ( B\ ) is a hardcore bit of \ ( f\ ) .