Zero-Knowledge Protocols

Transcription

1 he People Zero-Knowlege Protools 2 he wars Prover (Peggy) Claim I Verifier (Vi) S Seret Deision 2 {true, false} zero-knowlege protool allows Peggy to Convine Vi that her laim is true an that she knows S Without revealing anything beyon that Peggy 3 Vi Claim I Seret S Stuent nother stuent I know how to solve the homework problem Peggy s solution n Internet user server I have a vali passwor the passwor Mathematiian he Clay Institute I have a proof that P is not equal to NP he proof 4

2 Claim I Prover (Peggy) li-aba s Zero-Knowlege Protool Verifier (Vi) S Seret Deision 2 {true, false} zero-knowlege protool allows Peggy to Convine Vi that her laim is true Without revealing anything beyon that Peggy Vi Claim I Seret S Stuent nother stuent I know how to solve the homework problem Peggy s solution n Internet user server I have a vali passwor the passwor Mathematiian he Clay Institute I have a proof that P is not equal to NP he proof 5 MW[, ] = Magi Wors opening the! portal MW[, ] = Magi Wors opening the! portal his story is use to eplain zero-knowlege in many plaes. Inluing Wikipeia. ut it oesn t make a lot of sense. We will use Joseph Jaeger s variant. 6 li aba s ZK Protool Peggy has seret S 2 {MW[, ], MW[, ]} li aba s ZK Protool Peggy oes not want Vi to know whih of the two magi wors she has. If Peggy knows MW[,] : If Peggy knows MW[,] : Peggy goes to Peggy goes to E E Final step, in either ase: Vi goes to E C {, } Peggy, please appear at C If C = Why Peggy an appear at whatever sie Vi requests. Vi goes to E C {, } Peggy, please appear at C : If Peggy s laim is true, meaning she knows either MW[,] or MW[,], an both parties follow the protool, then Vi will aept. If C = 7 8

3 li aba s ZK Protool li aba s ZK Protool : If Peggy s laim is true, meaning she knows either MW[,] or MW[,], an both parties follow the protool, then Vi will aept. Sounness: If Peggy s laim is false, meaning she knows neither MW[,] nor MW[,], then Vi will rejet with probability at least /2, even if Peggy heats, meaning oes not follow the presribe protool. Why eating Peggy an start at any X 2 {, } of her hoie, but Vi piks C at ranom an heating Peggy annot appear at C 6= X. : If Peggy s laim is true, meaning she knows either MW[,] or MW[,], an both parties follow the protool, then Vi will aept. Sounness: If Peggy s laim is false, meaning she knows neither MW[,] nor MW[,], then Vi will rejet with probability at least /2, even if Peggy heats, meaning oes not follow the presribe protool. Zero-knowlege: If Peggy s laim is true, an Peggy follows the protool, then Vi will not learn whih of the two serets MW[,], MW[,] Peggy knows. Why Regarless of the seret, Vi sees Peggy appearing at whatever sie he requests. 9 0 li aba s ZK Protool li aba s ZK Protool Pegg s laim is Vi will RUE always aept Sounness FLSE heating aept with probability at most /2 Zero-knowlege RUE not learn whih of the two serets Peggy knows Pegg s laim is Vi will RUE always aept Sounness FLSE heating aept with probability at most /2 Zero-knowlege RUE not learn whih of the two serets Peggy knows his story may not make omplete sense. o make zero-knowlege sensible, we nee DEFINIIONS. he efinitions are intriguing: how an one mathematially apture the ``knowlege learne by interating with another party 2

4 Some math efinitions Zero-knowlege protool for Quarati Resiuosity Let N be an integer. We say that 2 is a square-root of X 2 moulo N if 2 mo N = X. We say that X 2 is a square, or quarati resiue, moulo N, if it has a square root moulo N. SR(N, X) = { 2 : X = 2 mo N } he set of square roots of X moulo N QR(N ) = {X 2 : SR(N, X) 6= ;} QR = {(N, X) : N he set of quarati resiues moulo N an X 2 QR(N )}. he language of quarati resiues Eample: Let N = mo SR(, 5) = {4, 7} SR(, 6) = ; QR() = {, 3, 4, 5, 9} Fat: Let X 2. hen X 2 QR(N ) if an only if X Fat: Let, X 2 3. hen 2 SR(N, X) if an only if QR(N ) = {X 2 : SR(N, X) 6= ;} QR = {(N, X) : N an X 2 QR(N )}. he language of quarati resiues Input: Question: Is Input: N Fin: Some X (N) Input: Fin: square root of X moulo N his is easy: Pik an return X 2 mo N. mo N 2 SR(N, X mo N ). Verifier Vi oth parties have, the ommon input Peggy laims that is. Peggy has suh that 2 mo N = X Definition: Vi aepts if = true Return 2 {true, false} he protool is the presribe, shown steps for the parties. party an follow the protool (it is ) or not (it is heating). Vi is always, but not so Peggy. hese problems are har: here are no (known) effiient (polynomial-time) algorithms for them. ut easy in some ases: here are polynomial-time algorithms when N is prime. 5 Proving quarati resiuosity he set of square roots of X moulo N he set of quarati resiues moulo N mo N 2 QR(N ). 4 Compleity of QR SR(N, X) = { 2 : X = 2 mo N } is Vi will always aept Sounness not heating aept with probability at most /2 Zero-knowlege not learn 6

5 non-zk protool Verifier Vi Peggy has suh that 2 mo N = X non-zk protool Verifier Vi (2 mo N = X) ; Return (2 mo N = X) ; Return Sounness: heating (2 mo N = X) ; Return is Vi will always aept 7 Vi will always aept not heating Verifier Vi Peggy has suh that 2 mo N = X 8 Splitting Suppose we split up X as: X = Y mo N (2 mo N = X) ; Return Fat: p p Y = = Zero-knowlege for some, Y 2 If ( 2 QR(N ) an Y 2 QR(N )) then X 2 QR(N ) If X 62 QR(N ) then ( 62 QR(N ) or Y 62 QR(N )) Proof Intuition: Sounness hen we have: never aept non-zk protool is Sounness ut X 62 QR(N ) means there oes not eist suh that 2 mo N = X, so Vi will return = false. Verifier Vi is Vi will always aept not heating Proof, formally: never aept learn, so ZK fails 9 p p Y X We are given that 2 QR(N ), so = 2 mo N for some 2 We are given that Y 2 QR(N ), so Y = y 2 mo N for some y 2 Let w = y mo N hen w2 mo N = 2 y 2 mo N = Y mo N ut we are given that Y mo N = X So w2 mo N = X So X 2 QR(N ) 20

6 Splitting for zero knowlege oth parties have Peggy laims that is. Peggy has suh that 2 mo N = X Verifier Vi Peggy splits up X as: ; X (mo N )) ; Return Let Y = X mo N, so that X = Y mo N y assumption X 62 QR(N ) So by Fat either 62 QR(N ) or Y 62 QR(N ) So = false with probability at least /2 Sounness 2 ; Vi will always aept aept with probability at most /2 Sounness Zero-knowlege 23 (2 ) mo N X mo N Vi will always aept he ZK protool for QR mo N Verifier Vi mo N {0, } (2 X (mo N )) ; Return = mo N is a ranom square root of the ranom square X mo N is not heating X (mo N )) ; Return )2 mo N {0, } (2 (2 {0, } is Verifier Vi 22 Sounness mo N = ZK: oes not reveal a square root of X 2 = (2 ) p If = 0 then Peggy sens = p If = then Peggy sens = Y Sounness: If X is not (N) then one of the two Claims is false, so Vi rejets with probability at least /2 Vi piks a bit at ranom an asks: Peggy, please prove Claim mo N 2 mo N = ( hen she makes two laims: Claim 0: 2 QR(N ) Y 2 QR(N ) Claim : Verifier Vi X = Y mo N for some, Y 2 2 Peggy oes not want to reveal Return 2 {true, false} he ZK protool for QR is Vi will always aept not heating aept with probability most /2 learn nothing more about than he knew before 24

7 Defining an proving ZK for Quarati Resiuosity is Sounness not heating Zero-knowlege Vi will always aept aept with probability most /2 learn nothing more about than he knew before Note for eperts: What we efine here is -verifier, perfet zero knowlege for the QR protool. ut what eatly oes it mean that this protool is zero knowlege Net we give a DEFINIION an show that it is met r(p,v ) ((N, X), ) ransripts 2 ; mo N Verifier Vi mo N {0, } (2 his algorithm generates transripts Simulation ; 2 mo N We all these transripts real {0, } he algorithm takes the seret as input mo N (,, ) ZK Intuition: he information onveye by the protool is the Return transript. X (mo N )) ; Return ZK efinition iea: (P,V) is zero knowlege if a transript, that looks just like a real one, an be (effiiently) generate, given but not given. he protool is apture by the pair (P, V ) of algorithms esribing the behavior of the prover an verifier epite above. We want to efine what it means for this pair to be zero-knowlege for the language QR. protool transript is a possible sequene (,, ) of messages ehange. r(p,v ) ((N, X), ) his algorithm generates transripts ; 2 mo N {0, } mo N (,, ) Return Note: he algorithm takes the seret as input to o this! wo new members of the ast of haraters Simulator S akes input an generates a transript that is suppose to look like a real one. S oes NO get input! o show that our protool is ZK, we nee to ehibit a goo simulator S. It fools D D S 27 Distinguisher D akes input an tests whether was generate by r or by S 28 b0

8 Let (P,V) be the prover-verifier pair efining the protool. Let S be a aniate simulator. Simulation he aversary playing this game is the istinguisher D. Game ZK(P,V ),S Initialize b {0, } ransript((n, X), ) If (2 mo N 6= X) then return If (b = ) then r(p,v ) ((N, X), ) Else S((N, X)) Return Finalize(b0 ) Return (b0 = b) Probability that the game returns true when run with aversary D z } { D vzk (P,V ),S (D) = 2 Pr[ZK(P,V ),S ] goo! z } { Def: S is a zk simulator for (P, V ) over QR if vzk (P,V ),S (D) = 0 for all istinguishers D. ; 2 mo N mo N Verifier Vi {0, } (2 mo N X (mo N )) ; Return {0, } (2 X (mo N )) ; Return zk simulator Effiient No X (mo N ). his operation annot be effiiently performe. 30 ; simulator for the QR protool Simulator S 2 ((N, X)) SR(N, X) r(p,v ) ((N, X), ) Return simulator for the QR protool mo N Verifier Vi S((N, X)) must return = (,, ) suh that 2 Polynomial time, in length of input to S Here, O(k 3 ), where k is the length of N 29 ; 2 ask: Ehibit an effiient simulator S suh that vzk (P,V ),S (D) = 0 for all istinguishers D. Def: (P, V ) is a zero-knowlege protool for language QR if there eists an effiient zk simulator S for (P, V ) over QR. o show that our protool is ZK, we nee to ehibit an effiient zk simulator S. simulator for the QR protool 2 mo N mo N Verifier Vi {0, } (2 X (mo N )) ; Return ask: Ehibit an effiient simulator S suh that vzk (P,V ),S (D) = 0 for all istinguishers D. ask: Ehibit an effiient simulator S suh that vzk (P,V ),S (D) = 0 for all istinguishers D. S((N, X)) must return = (,, ) suh that 2 S((N, X)) must return = (,, ) suh that 2 Simulator S 0 ((N, X)) ; 2 mo N 0 ; mo N (,, ) Return X (mo N ). ek: X mo N = (2 ) = ( 2 Simulator S 0 ((N, X)) ; 2 mo N 0 ; mo N (,, ) Return X 0 mo N ) mo N = 2 mo N ttak: Looking goo ut we always have = 0! zk simulator Effiient 3 zk simulator Effiient No X (mo N ). Distinguisher D ransript((, 9)) (,, ) If ( = 0) then return 0 else return vzk (P,V ),S 0 (D) = /2 32

9 ; simulator for the QR protool! 2 mo N mo N Verifier Vi {0, } (2 X (mo N )) ; Return ask: Ehibit an effiient simulator S suh that vzk (P,V ),S (D) = 0 for all istinguishers D. S((N, X)) must return = (,, ) suh that 2 Simulator S((N, X)) {0, } ; 2 X mo N (,, ) Return X X mo N = ( 2 Verifier Vi mo N mo N {0, } (2 X (mo N )) ; Return (mo N ). X ) = 2 X ; 2 he trik is for the simulator to pik the omponents of the transript out of orer: first it piks, an then it omputes to math. ek: simulator for the QR protool! = 2 mo N X mo N X mo N Simulator S((N, X)) {0, } ; 2 X mo N (,, ) Return Looking goo n it is goo zk simulator Effiient 33 zk simulator Effiient 34 Zero-knowlege beyon Quarati Resiuosity Simulator S((N, X)) {0, } ; 2 X mo N (,, ) Return We gave a efinition of what it means for the above protool to be ZK. o show that this efinition was met, we ehibite the above simulator

10 Researh Utility In theory, zero-knowlege has lots of appliations. Muh reent work on effiient implementations. In systems for anonymous reentials an smart ontrats. People who work on it like to laim it is pratial. ut in pratie, usage is limite. Researh on zero-knowlege protools Consiers ifferent forms: perfet, statistial, omputational, onurrent, malleable, non-malleable, reset-seure, non-interative, suint, Gives lots of protools: For NP languages, for graph non-isomorphism, for PSPCE, with onstant rouns, Not everything ool is atually useful. We have other, more pratial ways to solve real problems