**Zero-Knowledge Protocols for Search Problems**

*Ben Berger and Zvika Brakerski*

**Abstract: **We consider natural ways to extend the notion of Zero-Knowledge (ZK) Proofs beyond decision problems. Specifically, we consider search problems, and define zero-knowledge proofs in this context as interactive protocols in which the prover can establish the correctness of a solution to a given instance without the verifier learning anything beyond the intended solution, even if it deviates from the protocol.
The goal of this work is to initiate a study of Search Zero-Knowledge (search-ZK), the class of search problems for which such systems exist. This class trivially contains search problems where the validity of a solution can be efficiently verified (using a single message proof containing only the solution). A slightly less obvious, but still straightforward, way to obtain zero-knowledge proofs for search problems is to let the prover send a solution and prove in zero-knowledge that the instance-solution pair is valid. However, there may be other ways to obtain such zero-knowledge proofs, and they may be more advantageous.
In fact, we prove that there are search problems for which the aforementioned approach fails, but still search zero-knowledge protocols exist. On the other hand, we show sufficient conditions for search problems under which some form of zero-knowledge can be obtained using the straightforward way.

**Category / Keywords: **Zero knowledge, search problems

**Original Publication**** (with minor differences): **ICALP

**Date: **received 10 May 2018, last revised 14 May 2018

**Contact author: **bnberger at gmail com

**Available format(s): **PDF | BibTeX Citation

**Version: **20180514:141804 (All versions of this report)

**Short URL: **ia.cr/2018/437

[ Cryptology ePrint archive ]