Frequently in our protocols, it is necessary for a participant to prove that it is behaving properly. For example, an election authority may need to certify that it has provided a valid public key for RSA encryption, or a voter may need to prove that it has actually voted a 0 (no) or a 1 (yes), rather than a 300. The difficulty is that often the prover cannot reveal too much information for fear of compromising the protocol; in our examples, the authority cannot demonstrate that the integer it has chosen is in fact the product of two large primes by revealing the primes, and the voter cannot decrypt the vote to reveal what it actually was. To overcome this problem, we will make frequent use of the concept of interactive proofs, pioneered by M. Rabin. Interactive proofs are a subclass of zero-knowledge proofs in which the prover is able to demonstrate probabilistically to a verifier's satisfaction that some property is true without revealing crucial information.
There are two broad categories of interactive proofs. The first approach can be used when there are many potential solutions and we need only find one that works. It does not matter which one, so long as the one we end up choosing is valid. Consider the case above, in which an authority wishes to prove that it has given an integer that is the product of two large primes, without revealing the prime factors themselves. In this case, as long as all we need is a valid such integer, we can ask the authority to produce n different candidate integers, each of which is valid. We then randomly choose one of them to actually use, and ask the authority to reveal the prime factors of the other n-1 integers. The authority will only be able to use a fraudulent key if the one we chose is the only corrupt one. Hence, the authority will remain undetected with probability 1/n. If the punishment for attempting to use false keys is severe enough, this serves as a useful deterrent.
We can reduce the probability of non-detection significantly if there is related information we can use to prove knowledge without revealing critical information. The classic example often given here is that of graph isomorphism. Determining if two graphs are isomorphic is known to be an NP-complete problem, and we can imagine a situation in which a prover wishes to prove to a verifier that graphs A and B are isomorphic without revealing the actual isomorphism. The prover and verifier can carry out the following interactive proof:
If the two graphs are not isomorphic or the prover does not know the isomorphism, then the prover's best strategy is to construct C isomorphic to either A or B, and hope that the verifier does not choose the other one. Thus, without knowing the isomorphism, the prover escapes each iteration with probability 1/2. Over n iterations, the prover is successful with probability only 1/2^n. Note also the crucial property: the verifier can gain no information no matter how many times the protocol is run, since for each graph C, it is shown only its isomorphism to one of A and B. This is a much stronger form of interactive proof, in which the probability of fraud decays exponentially rather than inversely with respect to the number of iterations conducted, as was the case with the first approach above.
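As an added illustration (not part of the original text), the following Python simulation plays out the exchange described above: the prover commits to a randomly relabelled copy C, the verifier picks A or B, and the prover reveals the isomorphism from the chosen graph to C. A cheating prover that knows no isomorphism can only guess which graph will be chosen, so its survival rate over many rounds falls off as 1/2^n. The graphs, the isomorphism PI, and the seeds are constructed sample values.

```python
import random

def apply_perm(graph, perm):
    """Relabel each edge {u, v} of `graph` (a frozenset of 2-element frozensets) to {perm[u], perm[v]}."""
    return frozenset(frozenset(perm[v] for v in edge) for edge in graph)

# Constructed sample instance: B is A relabelled by the secret isomorphism PI (a toy 5-vertex graph).
A = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2)])
PI = [3, 1, 4, 0, 2]
B = apply_perm(A, PI)

class HonestProver:
    """Knows the secret isomorphism pi, where apply_perm(A, pi) == B."""
    def __init__(self, A, B, pi, rng):
        assert apply_perm(A, pi) == B
        self.A, self.pi, self.rng = A, pi, rng
    def commit(self):
        self.sigma = self.rng.sample(range(len(self.pi)), len(self.pi))  # fresh random relabelling
        return apply_perm(self.A, self.sigma)                            # C = sigma(A)
    def respond(self, challenge):
        if challenge == 0:
            return self.sigma                                            # sigma maps A onto C
        pi_inv = {p: v for v, p in enumerate(self.pi)}                   # tau = sigma o pi^-1 maps B onto C
        return [self.sigma[pi_inv[v]] for v in range(len(self.pi))]

class CheatingProver:
    """Knows no isomorphism: guesses the challenge and builds C from that graph alone."""
    def __init__(self, A, B, n, rng, guesses=None):
        self.graphs, self.n, self.rng = (A, B), n, rng
        self.guesses = None if guesses is None else iter(guesses)
    def commit(self):
        self.guess = self.rng.randrange(2) if self.guesses is None else next(self.guesses)
        self.sigma = self.rng.sample(range(self.n), self.n)
        return apply_perm(self.graphs[self.guess], self.sigma)
    def respond(self, challenge):
        return self.sigma                                                # verifies only if challenge == guess

def run_protocol(A, B, prover, challenges):
    """One round per verifier bit (0 = A, 1 = B); True only if every round's isomorphism checks."""
    for b in challenges:
        C = prover.commit()                                              # verifier sees C before choosing b
        if apply_perm((A, B)[b], prover.respond(b)) != C:
            return False
    return True

def cheat_success_rate(rounds, trials, seed=1):
    """Fraction of trials a cheating prover survives all rounds; converges to 1/2**rounds."""
    rng = random.Random(seed)
    return sum(run_protocol(A, B, CheatingProver(A, B, 5, rng), [rng.randrange(2) for _ in range(rounds)])
               for _ in range(trials)) / trials
```

Each round's view consists only of C, the challenge bit, and one relabelling of the chosen graph, which a verifier could have produced on its own without PI.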
Interactive proofs will be used ad nauseam in the voting protocols presented below.