Zero-Knowledge Proofs 1
CS 702 SEMINAR
Theme: Cryptography
Instructor: Prof. C. Pandu Rangan
ZERO-KNOWLEDGE PROOFS
G. Venkatesan (CS 93133), Dept. of C.S & E, I.I.T Madras
Outline of the Talk
- Introduction
- Interactive Proof Systems
- Notion of Zero-knowledge
- Perfect zero-knowledge Proofs
- A Bit Commitment Scheme
- (Computational) Zero-knowledge Proofs
- Summary
PROOF SYSTEMS

$L \in NP \Rightarrow \exists$ a polynomial-time computable predicate $P(x, y)$ and a constant $k$ s.t. $x \in L \Leftrightarrow \exists y\,(|y| \le |x|^k)\,P(x, y)$.

NP: the class of languages whose proofs of membership can be verified efficiently (the prover is infinitely powerful). We require the proof to be given first and all at once.

To model one party trying to convince another of the truth of some statement, we must allow the parties to exchange several messages.

Question: Would interaction add to the power of the above framework? Unfortunately NO, if the verifier is deterministic. (Why?)

Solution: Allow the verifier to toss coins. So the verifier is a polytime randomized program and the prover is all powerful. This leads to the notion of Interactive Proof Systems.
Interactive Proof Systems

Defn: An interactive protocol $(P, V)$ is a protocol between Peggy and Vic. Peggy is all powerful and runs algorithm $P$, while Vic runs the polytime randomized algorithm $V$. The input to the protocol is a string $x$, known to both $P$ and $V$. The two exchange a sequence of polynomially long messages $m_1, m_2, \ldots, m_{p(|x|)}$ chosen depending upon their coin tosses and previous messages. Assume Vic sends the odd-numbered messages and Peggy the even ones. Peggy is not aware of Vic's random choices. Finally Vic either accepts or rejects $x$.

$(P, V)$ is an interactive proof system (IPS) for a language $L$ if the following holds for each $x$: if $x \in L$, then $(P, V)$ accepts $x$ with prob. $\ge 1 - 2^{-|x|}$, and if $x \notin L$, then the prob. that $x$ is accepted by $(P', V)$ for any algorithm $P'$ replacing $P$ is at most $2^{-|x|}$.

IP is the class of languages that have an IPS. IP[$k$] is the set of languages that have an IPS exchanging only $k$ messages.
Arthur-Merlin Games

Defn: (Arthur-Merlin Games) Here we have two parties: Arthur the verifier and Merlin the prover. The protocol is similar to an interactive protocol except that Arthur's messages consist of the outcomes of his coin tosses. The complexity class AM[$k$] is defined similarly. We abbreviate AM for AM[2].

Fact: BPP $\subseteq$ AM, NP $\subseteq$ AM.

Theorem: (L. Babai) For all constant $k$, AM[$k$] = AM.

Clearly languages recognized by Arthur-Merlin games are a subset of IP. However, the following deep and beautiful result shows that they aren't a proper subset.

Theorem: (Goldwasser, Sipser) For any polynomial $q(n)$, IP[$q(n)$] $\subseteq$ AM[$q(n) + 2$].

Theorem: (Goldreich, Mansour, Sipser) If $L \in$ AM[$q$], then $\exists$ an Arthur-Merlin protocol with at most $q + 1$ moves where the error is restricted to inputs not in the language.
An IPS for Graph Non-Isomorphism

Input: Two graphs $G_1$, $G_2$, each with vertex set $\{1, 2, \ldots, n\}$.

Vic: Pick $(i_1, i_2, \ldots, i_n) \in \{1, 2\}^n$ randomly, so that each $i_j$ is 1 or 2 with equal prob., independently of the others. Send $H_1, H_2, \ldots, H_n$ to Peggy, where $H_j$ is obtained from $G_{i_j}$ by randomly permuting its vertices.
Peggy: For $1 \le j \le n$, determine the value $k_j \in \{1, 2\}$ s.t. $G_{k_j} \cong H_j$. Send $k_1, k_2, \ldots, k_n$ to Vic.
Vic: Accept Peggy's proof if $i_j = k_j$ for $1 \le j \le n$.

Theorem: NON-ISO $= \{(G_1, G_2) : G_1 \not\cong G_2\} \in$ AM.

Theorem: (Boppana, Håstad, Zachos) If co-NP $\subseteq$ AM, then PH $= \Sigma_2^p =$ co-NP$^{NP}$. Thus, co-NP is unlikely to have short interactive proofs.

Corollary: If the graph isomorphism problem is NP-complete, then PH collapses to $\Sigma_2^p$.
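The non-isomorphism protocol above, as an added example in Python (this code is not part of the slides). Peggy's unbounded power is modelled by an exhaustive search over all relabellings, so the graphs are tiny and constructed here; the names `apply_perm`, `vic_challenge`, `peggy_answer`, `run_protocol` and `acceptance_rate` are my own. Running the protocol on an isomorphic pair, which is outside NON-ISO, shows where soundness comes from: every $H_j$ then matches both inputs, Peggy's answers carry no information about Vic's hidden bits, and she agrees with all $n$ of them only with probability $2^{-n}$.

```python
import itertools
import random

# Graphs on vertex set {0, ..., n-1}, represented as frozensets of edges (u, v) with u < v.
PATH = frozenset({(0, 1), (1, 2), (2, 3)})   # constructed: path on 4 vertices
STAR = frozenset({(0, 1), (0, 2), (0, 3)})   # constructed: star, same edge count, not isomorphic to PATH
PATH2 = frozenset({(0, 2), (1, 3), (2, 3)})  # constructed: a relabelled PATH (0-2-3-1), so isomorphic

def apply_perm(edges, perm):
    """Image of the graph under the vertex relabelling v -> perm[v]."""
    return frozenset(tuple(sorted((perm[u], perm[v]))) for u, v in edges)

def isomorphic(g1, g2, n):
    """Peggy's all-powerful subroutine: exhaustive search over all n! relabellings."""
    if len(g1) != len(g2):
        return False
    return any(apply_perm(g1, list(p)) == g2 for p in itertools.permutations(range(n)))

def vic_challenge(g1, g2, n, rng):
    """Vic: pick secret bits i_j and send H_j, a random relabelling of G_{i_j}."""
    bits = [rng.choice((1, 2)) for _ in range(n)]
    hs = []
    for b in bits:
        perm = list(range(n))
        rng.shuffle(perm)
        hs.append(apply_perm(g1 if b == 1 else g2, perm))
    return bits, hs

def peggy_answer(g1, hs, n):
    """Peggy: report, for each H_j, which input graph it is a relabelling of.
    If G_1 and G_2 are isomorphic, every H_j matches G_1, so the answer is
    always 1 and tells Vic nothing about his own bits."""
    return [1 if isomorphic(g1, h, n) else 2 for h in hs]

def run_protocol(g1, g2, n, seed):
    """One full run; Vic accepts iff Peggy reproduces all n hidden bits."""
    rng = random.Random(seed)
    bits, hs = vic_challenge(g1, g2, n, rng)
    return bits == peggy_answer(g1, hs, n)

def acceptance_rate(g1, g2, n, trials):
    """Fraction of runs (over seeds 0 .. trials-1) that Vic accepts."""
    return sum(run_protocol(g1, g2, n, s) for s in range(trials)) / trials

if __name__ == "__main__":
    print("non-isomorphic pair accepted:", acceptance_rate(PATH, STAR, 4, 50))   # completeness: 1.0
    print("isomorphic pair accepted:   ", acceptance_rate(PATH, PATH2, 4, 200))  # soundness: about 2^-4
```

Note that the same run never fails for the non-isomorphic pair, because each $H_j$ is isomorphic to exactly one of the inputs and the exhaustive search identifies it every time.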
Notion of Zero Knowledge

Informally, an IPS for $L$ is zero-knowledge if for each $x \in L$, the prover tells the verifier essentially nothing other than that $x \in L$, even if the verifier is trying to trick the prover.

Let $(P, V)$ be an IPS. $V$'s view of the interaction $P \leftrightarrow V$ consists of all the messages between $P$ and $V$ and the random coin tosses of $V$. $P \leftrightarrow V(x)$ denotes the distribution of views of the conversations between $P$ and $V$ over the random coin tosses of $P$.

For a probabilistic TM $M$ running in expected polytime, $M(x)$ denotes the prob. distribution that assigns to each string the prob. that $M$ on input $x$ outputs it.

Distributions $A(x), B(x)$ are statistically close if $\sum_{\alpha \in \{0,1\}^*} |\Pr_{A(x)}(\alpha) - \Pr_{B(x)}(\alpha)| < |x|^{-c}$ $\forall$ constants $c > 0$, for $x$ long enough. They are polytime indistinguishable if for any polytime probabilistic algorithm $p$, $|\Pr(p(A(x)) = 1) - \Pr(p(B(x)) = 1)| < |x|^{-c}$ $\forall c$, for $x$ long enough.

Defn: $P \leftrightarrow V$ is (computational) zero-knowledge (ZK) if for any $V^*$ $\exists$ a $M_{V^*}$ s.t. $(\forall x \in L)$ $P \leftrightarrow V^*(x)$ and $M_{V^*}(x)$ are polytime indistinguishable.
Defn: $P \leftrightarrow V$ is perfect zero-knowledge (PZK) if for any $V^*$ $\exists$ a $M_{V^*}$ s.t. $(\forall x \in L)$ $P \leftrightarrow V^*(x) = M_{V^*}(x)$.

Defn: $P \leftrightarrow V$ is statistical zero-knowledge (SZK) if for any $V^*$ $\exists$ a $M_{V^*}$ s.t. $(\forall x \in L)$ $P \leftrightarrow V^*(x)$ and $M_{V^*}(x)$ are statistically close.

Perfect zero-knowledge proof for Graph Isomorphism

Input: Two graphs $G_1$ and $G_2$, each having vertex set $\{1, 2, \ldots, n\}$.
Repeat the following $n$ times:
Peggy: Choose a random permutation $\pi$ of $\{1, 2, \ldots, n\}$. Send $H$, the image of $G_1$ under $\pi$, to Vic.
Vic: Choose $i \in \{1, 2\}$ randomly and send $i$ to Peggy.
Peggy: Compute a permutation $\rho$ of $\{1, 2, \ldots, n\}$ s.t. $H$ is the image of $G_i$ under $\rho$. Send $\rho$.
Vic: Check if $H$ is the image of $G_i$ under $\rho$.
Vic accepts the proof iff the check is satisfied in all the $n$ rounds.

The above is clearly an IPS. To prove perfect zero-knowledge of the above IPS, we give, for any algorithm $V^*$ of Vic, a simulation $M_{V^*}$ that forges the "view" of $V^*$ with an identical probability distribution.
Forging Algorithm $M_{V^*}$ for views for Graph Isomorphism

View = $(G_1, G_2)$
for $j = 1$ to $n$ do
    oldstate $\leftarrow$ state($V^*$)
    repeat
        Choose $i_j = 1$ or $2$ at random.
        Choose $\rho_j$ to be a random permutation of $\{1, 2, \ldots, n\}$.
        $H_j \leftarrow$ image of $G_{i_j}$ under $\rho_j$.
        Call $V^*$ with input $H_j$, obtaining challenge $i'_j$.
        If ($i_j = i'_j$) concatenate $(H_j, i_j, \rho_j)$ to the end of View
        else reset $V^*$ by defining state($V^*$) $\leftarrow$ oldstate.
    until $i_j = i'_j$

Theorem: $\forall x$ [$x = (G_1, G_2) \in$ ISO], $P \leftrightarrow V^*(x) = M_{V^*}(x)$, and hence the above IPS is perfect zero-knowledge.

Quadratic Residues: QR $= \{(n, x) : x \in Z_n^*$ and $x$ is a quadratic residue mod $n\}$.
Assume Peggy and Vic are given $(n, x)$; let $m = \lceil \log_2 n \rceil$.
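The graph-isomorphism protocol and its forging algorithm side by side, as an added Python example that is not part of the slides. The prover holds the witness $\sigma$ with $G_2 = \sigma(G_1)$ and answers challenge 2 with $\pi \circ \sigma^{-1}$; the simulator holds nothing, guesses the challenge, builds $H_j$ from the guessed $G_{i_j}$, and "resets $V^*$" by simply not extending the view when the guess was wrong. A verifier $V^*$ is modelled as a function of (view so far, $H$) returning the challenge, so rewinding costs nothing; the instance, the function names and the two sample verifier strategies are my own constructions.

```python
import random

def apply_perm(edges, perm):
    """Image of a graph (frozenset of (u, v), u < v) under the vertex relabelling v -> perm[v]."""
    return frozenset(tuple(sorted((perm[u], perm[v]))) for u, v in edges)

def random_perm(n, rng):
    perm = list(range(n))
    rng.shuffle(perm)
    return perm

def compose(outer, inner):
    """(outer o inner)(v) = outer[inner[v]]."""
    return [outer[inner[v]] for v in range(len(inner))]

def inverse(perm):
    inv = [0] * len(perm)
    for v, image in enumerate(perm):
        inv[image] = v
    return inv

def prover_round(g1, sigma, rng):
    """Peggy's witness is sigma with G_2 = sigma(G_1). She sends H = pi(G_1) for a fresh
    random pi and answers challenge 1 with pi, challenge 2 with pi o sigma^{-1}."""
    pi = random_perm(len(sigma), rng)
    h = apply_perm(g1, pi)
    return h, (lambda i: pi if i == 1 else compose(pi, inverse(sigma)))

def verify_triple(g1, g2, h, i, rho):
    """Vic's check in one round: H must be the image of G_i under rho."""
    return apply_perm(g1 if i == 1 else g2, rho) == h

def real_view(g1, g2, sigma, strategy, rng):
    """View of a verifier V* (given by its challenge strategy) talking to the real prover."""
    view = []
    for _ in range(len(sigma)):
        h, respond = prover_round(g1, sigma, rng)
        i = strategy(view, h)
        view.append((h, i, respond(i)))
    return view

def simulate_view(g1, g2, n, strategy, rng):
    """M_{V*}: forge the view WITHOUT any isomorphism. Guess the challenge i_j, build H_j
    directly from G_{i_j}, and 'reset V*' (do not extend the view) whenever the guess was
    wrong. Returns the view and the number of attempts, about 2 per round on average."""
    view, attempts = [], 0
    for _ in range(n):
        while True:
            attempts += 1
            i = rng.choice((1, 2))
            rho = random_perm(n, rng)
            h = apply_perm(g1 if i == 1 else g2, rho)
            if strategy(view, h) == i:   # V* answered as guessed: keep the triple
                view.append((h, i, rho))
                break
    return view, attempts

def honest_strategy(rng):
    """The honest Vic: a fresh coin each round."""
    return lambda view, h: rng.choice((1, 2))

def stubborn_strategy(view, h):
    """A cheating V* that always asks for the G_2 side hoping to learn sigma; still simulable."""
    return 2

# Constructed instance: G_2 = sigma(G_1) for sigma = [1, 2, 0], so (G_1, G_2) is in ISO.
G1 = frozenset({(0, 1), (1, 2)})
SIGMA = [1, 2, 0]
G2 = apply_perm(G1, SIGMA)

if __name__ == "__main__":
    real = real_view(G1, G2, SIGMA, honest_strategy(random.Random(4)), random.Random(3))
    sim, attempts = simulate_view(G1, G2, 3, stubborn_strategy, random.Random(5))
    print("real view verifies:", all(verify_triple(G1, G2, *t) for t in real))
    print("forged view verifies:", all(verify_triple(G1, G2, *t) for t in sim), "attempts:", attempts)
```

Every triple the simulator emits passes Vic's check, and for a given $i_j$ the pair $(H_j, \rho_j)$ is a uniformly random relabelling of $G_{i_j}$ in both the real and the forged view, which is exactly the identical-distribution claim of the theorem above.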
A PZK protocol for Quadratic Residues

The following is done $m$ times:
Peggy: Send Vic a random quadratic residue $y$ mod $n$.
Vic: Send a random bit $i$.
Peggy: If $i = 0$, send Vic a random square root $w$ of $y$ mod $n$; if $i = 1$, send a random square root $w$ of $xy$ mod $n$.
Vic: Check that either [$i = 0 \wedge w^2 \equiv y \pmod n$] or [$i = 1 \wedge w^2 \equiv xy \pmod n$]; if not, reject $(n, x)$.

Zero-Knowledge Proofs for Hard Problems

The zero-knowledge proof for Graph Isomorphism is interesting, but it would be more useful to have a ZKPS for, say, an NP-complete problem.

Theorem: (Fortnow) Assume $(P, V)$ is an IPS for $L$ that is statistical zero-knowledge w.r.t. $V$. Then $L \in$ co-AM. Hence if $L \in$ SZK, then $L \in$ AM.

Corollary: If any NP-complete language has a statistical zero-knowledge proof, then PH collapses to the second level.

We therefore now turn to computational zero-knowledge proofs. For this we need the technique of bit commitment.
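The quadratic-residue protocol, as an added Python example (not from the slides). The toy modulus $n = 7 \cdot 11$, the residue $x = 25$ with Peggy's secret root $s = 5$, and the function names are my own constructions. Besides the honest prover it includes a prover who knows no root of $x$: such a prover can prepare $y$ so that it knows a root of either $y$ or $xy$, but never both, so it must guess Vic's bit in advance and survives each round with probability $1/2$; over $m = \lceil \log_2 n \rceil$ rounds this is the soundness error $2^{-m}$.

```python
import math
import random

# Constructed toy instance: n = 7 * 11, and x = 25 is a quadratic residue since 5^2 = 25.
# Peggy's secret is the root s = 5; m = ceil(log2 n) = 7 rounds, as on the slide.
N, X, S = 77, 25, 5
M = math.ceil(math.log2(N))

def random_unit(rng):
    """Random element of Z_n^*."""
    while True:
        r = rng.randrange(1, N)
        if math.gcd(r, N) == 1:
            return r

def honest_prover(rng):
    """Peggy knows s with s^2 = x (mod n). Each round: y = r^2; answer r (i = 0) or r*s (i = 1)."""
    def commit():
        r = random_unit(rng)
        return pow(r, 2, N), (lambda i: r if i == 0 else (r * S) % N)
    return commit

def cheating_prover(rng):
    """Knows no root of x. Guesses Vic's bit in advance: on guess 0 send y = r^2 (root of y known),
    on guess 1 send y = r^2 / x so that xy = r^2 (root of xy known). Either way only one answer."""
    x_inv = pow(X, -1, N)
    def commit():
        r = random_unit(rng)
        y = pow(r, 2, N) if rng.choice((0, 1)) == 0 else (pow(r, 2, N) * x_inv) % N
        return y, (lambda i: r)
    return commit

def vic_check(y, i, w):
    """Accept the round iff w^2 = y (i = 0) or w^2 = x*y (i = 1) mod n."""
    return pow(w, 2, N) == (y if i == 0 else (X * y) % N)

def run_protocol(commit, rounds, rng):
    """Vic's side: `rounds` challenge/response rounds, reject on the first failed check."""
    for _ in range(rounds):
        y, respond = commit()
        i = rng.choice((0, 1))
        if not vic_check(y, i, respond(i)):
            return False
    return True

def cheater_acceptance(rounds, trials):
    """Fraction of trials in which the cheating prover survives `rounds` rounds."""
    wins = sum(run_protocol(cheating_prover(random.Random(t)), rounds, random.Random(10_000 + t))
               for t in range(trials))
    return wins / trials

if __name__ == "__main__":
    print("honest prover accepted:", run_protocol(honest_prover(random.Random(1)), M, random.Random(2)))
    print("cheater, 1 round: ", cheater_acceptance(1, 400))   # about 1/2
    print("cheater, m rounds:", cheater_acceptance(M, 400))   # about 2^-7
```

The honest prover's responses are a random square root of $y$ or of $xy$, each a uniformly random unit, which is why a simulator (as for graph isomorphism, guessing $i$ first and choosing $y = w^2$ or $y = w^2 x^{-1}$) reproduces the view exactly.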
A Bit Commitment Scheme

A bit commitment scheme (BCS) is an encryption method that encrypts a bit into a blob. In general, it will be a function $f : \{0, 1\} \times X \to Y$ where $X, Y$ are finite sets. An encryption of $b$ is any value $f(b, x)$, $x \in X$. A BCS should satisfy two properties:

concealing: For a bit $b$, Vic cannot determine $b$ from the blob $f(b, x)$.
binding: Peggy can later "open" the blob by revealing the value of $x$ used to encrypt $b$, to convince Vic that $b$ was the value encrypted. It should not be possible to "open" a blob as both a 0 and a 1.

Goldwasser-Micali Probabilistic Cryptosystem: Here $n = pq$, $p, q$ distinct primes, and $m \in \widetilde{QR}(n)$ are public while $p, q$ are known only to Peggy. In this BCS, $X = Y = Z_n^*$ and $f(b, x) = m^b x^2 \bmod n$. This scheme is clearly binding; it is concealing if the Quadratic Residues problem is infeasible.

Remark: To commit to a bitstring, Peggy simply commits to every bit independently.
A Zero-Knowledge protocol for Graph 3-colorability

Input: A graph $G = (V, E)$ with $V = \{1, 2, \ldots, n\}$, $|E| = m$.
Repeat the following steps $m^2$ times:
Peggy: Let $\phi$ be a 3-coloring of $G$. Choose a random permutation $\pi$ of $\{1, 2, 3\}$. For $1 \le i \le n$, set $c_i = \pi(\phi(i))$ and write $c_i$ as a bitstring $c_i = c_{i,1} c_{i,2}$. Then for $1 \le i \le n$, choose two random elements $r_{i,1}, r_{i,2} \in X$ and compute $R_{i,j} = f(c_{i,j}, r_{i,j})$, $j = 1, 2$. Send $(R_{1,1}, R_{1,2}, \ldots, R_{n,1}, R_{n,2})$ to Vic.
Vic: Send a random edge $\{u, v\} \in E$ to Peggy.
Peggy: Send $(c_{u,1}, c_{u,2}, r_{u,1}, r_{u,2})$ and $(c_{v,1}, c_{v,2}, r_{v,1}, r_{v,2})$ to Vic.
Vic: Check that $c_u, c_v \in \{1, 2, 3\}$, $c_u \ne c_v$, $R_{u,j} = f(c_{u,j}, r_{u,j})$ and $R_{v,j} = f(c_{v,j}, r_{v,j})$, $j = 1, 2$.
Vic: Accept the proof iff the check succeeded in each of the $m^2$ rounds.

Claim: The above is an Interactive Proof System for Graph 3-colorability.
A forging algorithm for Views for Graph 3-colorability

Input: A graph $G = (V, E)$ with $V = \{1, 2, \ldots, n\}$, $|E| = m$.
View = $(G)$
for $j = 1$ to $m^2$ do
    (i) Choose an edge $(u, v) \in E$ at random.
    (ii) Choose $d = d_1 d_2$ and $e = e_1 e_2$ to be random distinct elements of $\{1, 2, 3\}$.
    (iii) For $1 \le i \le n$, $j = 1, 2$, choose $r_{i,j}$ to be a random element of $X$.
    (iv) Compute $R_{i,j}$ to be $f(1, r_{i,j})$ if $i \ne u, v$; $f(d_j, r_{i,j})$ if $i = u$; and $f(e_j, r_{i,j})$ if $i = v$.
    (v) Concatenate $(R_{1,1}, \ldots, R_{n,2}, u, v, d_1, d_2, r_{u,1}, r_{u,2}, e_1, e_2, r_{v,1}, r_{v,2})$ onto the end of View.

Theorem: If $f(\cdot, \cdot)$ is a secure encryption, then the above is a zero-knowledge proof system for Graph 3-colorability. Using standard reductions, NP $\subseteq$ ZK if $f$ is secure.

Corollary: If one-way functions exist and PH does not collapse, then ZK $\ne$ SZK.
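One Python example, added here and not taken from the slides, that serves the three preceding slides together: the Goldwasser-Micali commitment $f(b, x) = m^b x^2 \bmod n$, the $m^2$-round 3-colorability protocol built on it, and the forging algorithm for the honest Vic. The parameters $n = 7 \cdot 11$ and $m = 6$ (a non-residue modulo both primes, hence a pseudo-square) are a constructed toy instance, far too small to be concealing; the graph, its colouring and all function names are mine. `binding_holds` brute-forces the binding property over $Z_n^*$, which is only feasible at this size.

```python
import math
import random

# Toy Goldwasser-Micali parameters (constructed, far too small to be concealing in practice):
# n = 7 * 11, and m = 6 is a non-residue modulo both primes, so m is a pseudo-square
# (Jacobi symbol +1) and in particular not a quadratic residue mod n.
N, M = 77, 6

def commit(b, x):
    """f(b, x) = m^b * x^2 mod n."""
    return (pow(M, b, N) * x * x) % N

def open_ok(blob, b, x):
    """Vic's check when Peggy opens blob as bit b with randomness x."""
    return commit(b, x) == blob

def random_unit(rng):
    """Random element of Z_n^* (units only: x = 0 would open as both bits)."""
    while True:
        x = rng.randrange(1, N)
        if math.gcd(x, N) == 1:
            return x

def binding_holds():
    """Exhaustive check (toy n only): no blob opens both as 0 and as 1 over Z_n^*,
    because m * y^2 = x^2 would make m a square."""
    units = [x for x in range(1, N) if math.gcd(x, N) == 1]
    return {commit(0, x) for x in units}.isdisjoint({commit(1, x) for x in units})

# Colours 1..3 written as two bits, as in the protocol.
COLOR_BITS = {1: (0, 1), 2: (1, 0), 3: (1, 1)}

# Constructed instance: 4-cycle with one diagonal, |E| = 5, and a valid 3-colouring phi.
EDGES = [(0, 1), (1, 2), (2, 3), (3, 0), (0, 2)]
PHI = [1, 2, 3, 2]

def prover_commit(n_vertices, phi, rng):
    """Peggy: permute the colour names, then commit to both bits of every vertex's colour."""
    perm = [1, 2, 3]
    rng.shuffle(perm)
    c = [perm[phi[i] - 1] for i in range(n_vertices)]
    r = [[random_unit(rng), random_unit(rng)] for _ in range(n_vertices)]
    R = [[commit(COLOR_BITS[c[i]][j], r[i][j]) for j in (0, 1)] for i in range(n_vertices)]
    # Opening reveals the colour and randomness of the two challenged vertices only.
    return R, (lambda u, v: ((c[u], r[u]), (c[v], r[v])))

def vic_check(R, u, v, opening):
    """Colours valid and distinct, and both openings match the blobs sent earlier."""
    (cu, ru), (cv, rv) = opening
    if cu not in COLOR_BITS or cv not in COLOR_BITS or cu == cv:
        return False
    return all(open_ok(R[i][j], COLOR_BITS[col][j], rnd[j])
               for i, col, rnd in ((u, cu, ru), (v, cv, rv)) for j in (0, 1))

def run_protocol(n_vertices, edges, phi, rng):
    """m^2 rounds; a prover without a colouring has a bad edge caught with prob. >= 1/m per round."""
    for _ in range(len(edges) ** 2):
        R, open_edge = prover_commit(n_vertices, phi, rng)
        u, v = rng.choice(edges)
        if not vic_check(R, u, v, open_edge(u, v)):
            return False
    return True

def simulate_view(n_vertices, edges, rng):
    """Forger for the honest Vic: no colouring needed. Pick the edge first, give its
    endpoints random distinct colours, and commit to bit 1 everywhere else."""
    view = []
    for _ in range(len(edges) ** 2):
        u, v = rng.choice(edges)
        d, e = rng.sample((1, 2, 3), 2)
        r = [[random_unit(rng), random_unit(rng)] for _ in range(n_vertices)]
        R = [[commit((COLOR_BITS[d] if i == u else COLOR_BITS[e] if i == v else (1, 1))[j], r[i][j])
              for j in (0, 1)] for i in range(n_vertices)]
        view.append((R, u, v, ((d, r[u]), (e, r[v]))))
    return view

if __name__ == "__main__":
    print("binding:", binding_holds())
    print("honest run accepted:", run_protocol(4, EDGES, PHI, random.Random(1)))
    print("forged rounds pass Vic's check:",
          all(vic_check(R, u, v, op) for R, u, v, op in simulate_view(4, EDGES, random.Random(2))))
```

The forged view differs from the real one only in the unopened blobs (bit 1 everywhere instead of the real colour bits), which is exactly what the concealing property hides; for a cheating $V^*$ that chooses the edge adaptively, the forger would guess $(u, v)$ first and rewind on a mismatch, as in the graph-isomorphism simulator.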
Summary

Randomization enables proof systems to recognize a much broader class, IP. In fact a recent result due to A. Shamir shows that IP = PSPACE. Thus, the power of interaction is indeed phenomenal.
The notion of Zero-knowledge: vital to sharing secrets without giving anything extra away.
Randomization + Cryptographic encryption $\Rightarrow$ Zero-knowledge proofs (the class ZK).
If one-way functions exist, then NP $\subseteq$ ZK.
Very unlikely that NP $\subseteq$ SZK or SZK = ZK.
Open whether PZK = SZK.