Zero-Knowledge Proofs 1


CS 702 SEMINAR. Theme: Cryptography. Instructor: Prof. C. Pandu Rangan
ZERO-KNOWLEDGE PROOFS
G. Venkatesan, CS 93133, Dept. of C.S & E, I.I.T Madras

Zero-Knowledge Proofs 2
Outline of the Talk
- Introduction
- Interactive Proof Systems
- Notion of Zero-knowledge
- Perfect zero-knowledge Proofs
- A Bit Commitment Scheme
- (Computational) Zero-knowledge Proofs
- Summary

Zero-Knowledge Proofs 3
PROOF SYSTEMS
$L \in \mathrm{NP} \Rightarrow \exists$ a polynomial time computable predicate $P(x, y)$ and a constant $k$ s.t. $x \in L \iff \exists y\,(|y| \le |x|^k)\; P(x, y)$.
NP: the class of languages whose proof of membership can be verified efficiently (prover infinitely powerful). We require the proof be given first and all at once.
To model one party trying to convince another of the truth of some statement, we must allow parties to exchange several messages.
Question: Would interaction add to the power of the above framework? Unfortunately NO, if the verifier is deterministic. (Why?)
Solution: Allow the verifier to toss coins. So the verifier is a polytime randomized program and the prover is all powerful. Leads to the notion of Interactive Proof Systems.

Zero-Knowledge Proofs 4
Interactive Proof Systems
Defn: An interactive protocol $(P, V)$ is a protocol between Peggy and Vic. Peggy is all powerful and runs algorithm $P$, while Vic runs the polytime randomized algorithm $V$. The input to the protocol is a string $x$, known to both $P$ and $V$. The two exchange a sequence of polynomially long messages $m_1, m_2, \ldots, m_{p(|x|)}$ chosen depending upon their coin tosses and previous messages. Assume Vic sends the odd-numbered messages and Peggy the even ones. Peggy is not aware of Vic's random choices. Finally Vic either accepts or rejects $x$.
$(P, V)$ is an interactive proof system (IPS) for a language $L$ if the following holds for each $x$: if $x \in L$, then $(P, V)$ accepts $x$ with prob. $\ge 1 - 2^{-|x|}$, and if $x \notin L$, then the prob. that $x$ is accepted by $(P', V)$, for any algo $P'$ replacing $P$, is at most $2^{-|x|}$.
IP is the class of languages that have an IPS. IP[$k$] is the set of languages that have an IPS exchanging only $k$ messages.

Zero-Knowledge Proofs 5
Arthur-Merlin Games
Defn (Arthur-Merlin Games): Here we have two parties: Arthur the verifier and Merlin the prover. The protocol is similar to an interactive protocol except that Arthur's messages consist of the outcomes of his coin tosses. The complexity class AM[$k$] is defined similarly. We abbreviate AM for AM[2].
Fact: $\mathrm{BPP} \subseteq \mathrm{AM}$, $\mathrm{NP} \subseteq \mathrm{AM}$.
Theorem (L. Babai): For all constant $k$, $\mathrm{AM}[k] = \mathrm{AM}$.
Clearly languages recognized by Arthur-Merlin games are a subset of IP. However, the following deep and beautiful result shows that they aren't a proper subset.
Theorem (Goldwasser, Sipser): For any polynomial $q(n)$, $\mathrm{IP}[q(n)] \subseteq \mathrm{AM}[q(n) + 2]$.
Theorem (Goldreich, Mansour, Sipser): If $L \in \mathrm{AM}[q]$, then $\exists$ an Arthur-Merlin protocol with at most $q + 1$ moves where the error is restricted to inputs not in the language.

Zero-Knowledge Proofs 6
An IPS for Graph Non-Isomorphism
Input: Two graphs $G_1, G_2$, each with vertex set $\{1, 2, \ldots, n\}$.
Vic: Pick $i_1, i_2, \ldots, i_n \in \{1, 2\}^n$ randomly so that each $i_j$ can be 1 or 2 with equal prob., independently of the others. Send $H_1, H_2, \ldots, H_n$ to Peggy, where $H_j$ is obtained from $G_{i_j}$ by randomly permuting its vertices.
Peggy: For $1 \le j \le n$, determine the value $k_j \in \{1, 2\}$ s.t. $G_{k_j} \cong H_j$. Send $k_1, k_2, \ldots, k_n$ to Vic.
Vic: Accept Peggy's proof if $i_j = k_j$ for $1 \le j \le n$.
Theorem: NON-ISO $= \{(G_1, G_2) : G_1 \not\cong G_2\} \in \mathrm{AM}$.
Theorem (Boppana, Håstad, Zachos): If co-NP $\subseteq$ AM, then $\mathrm{PH} = \Pi_2^p = \text{co-NP}^{\mathrm{NP}}$. Thus, co-NP is unlikely to have short interactive proofs.
Corollary: If the graph isomorphism problem is NP-complete, then PH collapses to $\Pi_2^p$.
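The graph non-isomorphism protocol above, as an added Python example that is not part of the original talk. Peggy's unbounded power is modelled by brute-force isomorphism testing, and guessing_prover shows why Vic's hidden coin tosses hold any cheating prover to probability $2^{-n}$ when the two graphs are in fact isomorphic; the sample graphs C5 and TRI are constructed here.

```python
import itertools
import random

def apply_perm(perm, graph):
    """Relabel a graph (set of 2-element frozenset edges) by the vertex map perm."""
    return frozenset(frozenset(perm[v] for v in e) for e in graph)

def isomorphic(g1, g2, n):
    """Peggy's unbounded power, modelled by brute force over all n! relabellings."""
    return any(apply_perm(p, g1) == g2 for p in itertools.permutations(range(n)))

def vic_challenge(g1, g2, n):
    """Vic's move: secret bits i_1..i_n; H_j is G_{i_j} under a random permutation."""
    secret = [random.choice((1, 2)) for _ in range(n)]
    hs = []
    for i in secret:
        p = list(range(n))
        random.shuffle(p)
        hs.append(apply_perm(p, g1 if i == 1 else g2))
    return secret, hs

def honest_peggy(g1, g2, n, hs):
    """k_j = index of the input graph H_j is isomorphic to (unique when G1 and G2 are not)."""
    return [1 if isomorphic(g1, h, n) else 2 for h in hs]

def guessing_prover(g1, g2, n, hs):
    """When G1 and G2 ARE isomorphic, every H_j fits both, so any P' can only guess."""
    return [random.choice((1, 2)) for _ in hs]

def run_protocol(g1, g2, n, prover):
    """One execution; Vic accepts iff every k_j equals his secret i_j."""
    secret, hs = vic_challenge(g1, g2, n)
    return prover(g1, g2, n, hs) == secret

def acceptance_rate(g1, g2, n, prover, trials):
    """Fraction of independent executions that Vic accepts."""
    return sum(run_protocol(g1, g2, n, prover) for _ in range(trials)) / trials

# Constructed sample inputs: the 5-cycle vs a graph containing a triangle (same edge count).
C5 = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0)])
TRI = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (0, 2), (2, 3), (3, 4)])
```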

Zero-Knowledge Proofs 7
Notion of Zero Knowledge
Informally, an IPS for $L$ is zero-knowledge if for each $x \in L$, the prover tells the verifier essentially nothing, other than that $x \in L$, even if the verifier is trying to trick the prover.
Let $(P, V)$ be an IPS. $V$'s view of the interaction $P \leftrightarrow V$ consists of all the messages between $P$ and $V$ and the random coin tosses of $V$. $P \leftrightarrow V(x)$ denotes the distribution of views of the conversations between $P$ and $V$ over the random coin tosses of $P$.
For a probabilistic TM $M$ running in expected polytime, $M(x)$ denotes the prob. distribution that assigns to each string $\alpha$ the prob. that $M$ on input $x$ outputs $\alpha$.
Distributions $A(x), B(x)$ are statistically close if $\sum_{\alpha \in \{0,1\}^*} \left| \Pr_{A(x)}(\alpha) - \Pr_{B(x)}(\alpha) \right| < |x|^{-c}$ for all constants $c > 0$, for $x$ long enough. They are polytime indistinguishable if for any polytime probabilistic algo $p$, $\left| \Pr(p(A(x)) = 1) - \Pr(p(B(x)) = 1) \right| < |x|^{-c}$ for all $c$, $x$ long enough.
Defn: $P \leftrightarrow V$ is (computational) zero-knowledge (ZK) if for any $V$ $\exists$ a $M_V$ s.t. $(\forall x \in L)$ $P \leftrightarrow V(x)$ and $M_V(x)$ are polytime indistinguishable.

Zero-Knowledge Proofs 8
Defn: $P \leftrightarrow V$ is perfect zero-knowledge (PZK) if for any $V$ $\exists$ a $M_V$ s.t. $(\forall x \in L)$ $P \leftrightarrow V(x) = M_V(x)$.
Defn: $P \leftrightarrow V$ is statistical zero-knowledge (SZK) if for any $V$ $\exists$ a $M_V$ s.t. $(\forall x \in L)$ $P \leftrightarrow V(x)$ and $M_V(x)$ are statistically close.
Perfect zero-knowledge proof for Graph Isomorphism
Input: Two graphs $G_1$ and $G_2$, each having vertex set $\{1, 2, \ldots, n\}$.
Repeat the following $n$ times:
Peggy: Choose a random permutation $\pi$ of $\{1, 2, \ldots, n\}$. Send $H$, the image of $G_1$ under $\pi$, to Vic.
Vic: Choose $i \in \{1, 2\}$ randomly and send $i$ to Peggy.
Peggy: Compute a permutation $\sigma$ of $\{1, 2, \ldots, n\}$ s.t. $H$ is the image of $G_i$ under $\sigma$. Send $\sigma$.
Vic: Check if $H$ is the image of $G_i$ under $\sigma$.
Vic accepts the proof iff the check is satisfied in all the $n$ rounds.
The above is clearly an IPS. To prove perfect zero-knowledge of the above IPS, we give, for any algo $V$ of Vic, a simulation $M_V$ that forges the "view" of $V$ with identical probability distribution.

Zero-Knowledge Proofs 9
Forging Algorithm for $V$ for views for Graph Isomorphism
View $\leftarrow (G_1, G_2)$
for $j = 1$ to $n$ do
    oldstate $\leftarrow$ state($V$)
    repeat
        Choose $i_j = 1$ or $2$ at random.
        Choose $\sigma_j$ to be a random permutation of $\{1, 2, \ldots, n\}$.
        $H_j \leftarrow$ image of $G_{i_j}$ under $\sigma_j$.
        Call $V$ with input $H_j$, obtaining challenge $i'_j$.
        If ($i_j = i'_j$) concatenate $(H_j, i_j, \sigma_j)$ to the end of View
        else reset $V$ by defining state($V$) $\leftarrow$ oldstate.
    until $i_j = i'_j$
Theorem: $\forall x\,[x = (G_1, G_2) \in \text{ISO}]$, $P \leftrightarrow V(x) = M_V(x)$, and hence the above IPS is perfect zero-knowledge.
Quadratic Residues: QR $= \{(n, x) : x \in Z_n^* \text{ and } x \text{ is a quadratic residue mod } n\}$. Assume Peggy and Vic are given $(n, x)$; let $m = \lceil \log_2 n \rceil$.
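The perfect zero-knowledge protocol of slide 8 together with the forging algorithm of slide 9, as an added Python example (not code from the talk). Verifier algorithms are modelled as functions vstar(H, state) -> (i, state) so that the simulator can reset them to oldstate; make_instance, tricky_verifier and the graph instance are constructed here.

```python
import hashlib, random

def apply_perm(perm, graph):
    """Image of a graph (set of 2-element frozenset edges) under the vertex map perm."""
    return frozenset(frozenset(perm[v] for v in e) for e in graph)

def random_perm(n):
    return random.sample(range(n), n)          # a uniformly random permutation

def make_instance(n, m, seed=0):
    """Constructed sample: G1 random with m edges, G2 = psi(G1); psi is Peggy's secret."""
    rng, edges = random.Random(seed), set()
    while len(edges) < m:
        edges.add(frozenset(rng.sample(range(n), 2)))
    g1, psi = frozenset(edges), rng.sample(range(n), n)
    return g1, apply_perm(psi, g1), psi

def peggy_round(g1, psi):
    """Peggy: send H = pi(G1); to challenge i reply with sigma such that sigma(G_i) = H."""
    n, pi = len(psi), random_perm(len(psi))
    inv_psi = {psi[v]: v for v in range(n)}
    sigma2 = [pi[inv_psi[w]] for w in range(n)]   # pi o psi^-1 carries G2 onto H
    return apply_perm(pi, g1), (lambda i: pi if i == 1 else sigma2)

def run_protocol(g1, g2, psi, vstar, rounds):
    """Real interaction with an arbitrary (possibly cheating, stateful) verifier vstar."""
    view, state = [], None
    for _ in range(rounds):
        h, answer = peggy_round(g1, psi)
        i, state = vstar(h, state)
        view.append((h, i, answer(i)))
    return view

def simulate(g1, g2, n, vstar, rounds):
    """Forging algorithm M_V: knows no isomorphism; restarts V from oldstate on a miss."""
    view, state = [], None
    for _ in range(rounds):
        oldstate = state
        while True:                                # repeat ... until i_j = i'_j
            i_guess, sigma = random.choice((1, 2)), random_perm(n)
            h = apply_perm(sigma, g1 if i_guess == 1 else g2)
            i, state = vstar(h, oldstate)          # V is run from oldstate each try
            if i == i_guess:
                view.append((h, i, sigma))
                break
    return view

def check_view(g1, g2, view):
    return all(apply_perm(s, g1 if i == 1 else g2) == h for h, i, s in view)  # Vic's check

def tricky_verifier(h, state):
    """Constructed non-honest V: challenge derived from H and its history, not from coins."""
    hist = (state or 0) + 1
    key = repr(sorted(sorted(e) for e in h)) + str(hist)
    return 1 + (hashlib.sha256(key.encode()).digest()[0] & 1), hist
```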

Zero-Knowledge Proofs 10
A PZK protocol for Quadratic Residues
The following is done $m$ times:
Peggy: Send Vic a random quadratic residue $y$ mod $n$.
Vic: Send a random bit $i$.
Peggy: If $i = 0$, send Vic a random square root $w$ of $y$ mod $n$; if $i = 1$, send a random square root of $xy$ mod $n$.
Vic: Check that either $[i = 0 \wedge w^2 \equiv y \pmod n]$ or $[i = 1 \wedge w^2 \equiv xy \pmod n]$; if not, reject $(n, x)$.
Zero-Knowledge Proofs for Hard Problems
The zero-knowledge proof for Graph Isomorphism is interesting, but it would be more useful to have a ZKPS for, say, an NP-complete problem.
Theorem (Fortnow): Assume $(P, V)$ is an IPS for $L$ that is statistical zero-knowledge w.r.t. $V$. Then $L \in \text{co-AM}$. Hence if $L \in \mathrm{SZK}$, then $L \in \mathrm{AM}$.
Corollary: If any NP-complete language has a statistical zero-knowledge proof, then PH collapses to the second level.
We therefore now turn to computational zero-knowledge proofs. For this we need the technique of bit commitment.
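The quadratic-residue protocol above, as an added Python example (not from the talk) with a constructed toy modulus N so that square roots can be found by brute force: honest_peggy always convinces Vic, while cheating_peggy, for an x that is not a residue, can prepare for only one challenge bit and therefore survives a round with probability 1/2 and all m rounds with probability $2^{-m}$. Both provers and N are this example's constructions.

```python
import random
from math import gcd

def square_roots(y, n):
    """All w in Z_n^* with w^2 = y (mod n); brute force is fine for a toy modulus."""
    return [w for w in range(1, n) if gcd(w, n) == 1 and w * w % n == y]

def is_qr(x, n):
    return bool(square_roots(x, n))

def random_unit(n):
    while True:
        r = random.randrange(1, n)
        if gcd(r, n) == 1:
            return r

def honest_peggy(x, n):
    """Peggy for (n, x) with x a QR: sends a random QR y and can answer either bit."""
    y = pow(random_unit(n), 2, n)
    def answer(i):                      # i = 0: a random root of y; i = 1: of x*y
        return random.choice(square_roots(y if i == 0 else x * y % n, n))
    return y, answer

def cheating_peggy(x, n):
    """x is NOT a QR, so y and x*y cannot both be squares: Peggy must choose in
    advance which challenge bit she will be able to answer."""
    guess, r = random.randrange(2), random_unit(n)
    y = r * r % n if guess == 0 else r * r * pow(x, -1, n) % n   # then x*y = r^2
    return y, (lambda i: r if i == guess else None)

def vic_check(x, y, i, w, n):
    """Vic accepts the round iff w^2 = y (for i = 0) or w^2 = x*y (for i = 1) mod n."""
    return w is not None and (w * w - (y if i == 0 else x * y)) % n == 0

def run_protocol(x, n, prover, rounds=None):
    """m = ceil(log2 n) rounds by default; True iff Vic never rejects."""
    for _ in range(rounds or (n - 1).bit_length()):
        y, answer = prover(x, n)
        i = random.randrange(2)
        if not vic_check(x, y, i, answer(i), n):
            return False
    return True

def acceptance_rate(x, n, prover, trials, rounds=None):
    return sum(run_protocol(x, n, prover, rounds) for _ in range(trials)) / trials

N = 101 * 103            # constructed toy modulus n = p*q; Peggy would know p, q
```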

Zero-Knowledge Proofs 11
A Bit Commitment Scheme
A bit commitment scheme (BCS) is an encryption method that encrypts a bit into a blob. In general, it will be a function $f : \{0, 1\} \times X \to Y$ where $X, Y$ are finite sets. An encryption of $b$ is any value $f(b, x)$, $x \in X$. A BCS should satisfy two properties:
concealing: For a bit $b$, Vic cannot determine $b$ from the blob $f(b, x)$.
binding: Peggy can later "open" the blob by revealing the value of $x$ used to encrypt $b$, to convince Vic that $b$ was the value encrypted. It should not be possible to "open" a blob as both a 0 and a 1.
Goldwasser-Micali Probabilistic Cryptosystem: Here $n = pq$, $p, q$ distinct primes, and $m \in \widetilde{QR}(n)$ (the pseudo-squares mod $n$) are public, while $p, q$ are known only to Peggy. In this BCS, $X = Y = Z_n^*$ and $f(b, x) = m^b x^2 \bmod n$. This scheme is clearly binding; it is concealing if the Quadratic Residues problem is infeasible.
Remark: To commit a bitstring, Peggy simply commits every bit independently.
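The Goldwasser-Micali commitment $f(b, x) = m^b x^2 \bmod n$ above, as an added Python example (not the talk's code) checked on a constructed toy modulus: binding is verified exhaustively, and peek_with_trapdoor shows that concealing reduces to deciding quadratic residuosity, since blobs of 0 and of 1 both have Jacobi symbol +1. The primes 23 and 31 and the helper names are this example's own.

```python
import random
from math import gcd

def legendre(a, p):
    """Euler's criterion for an odd prime p: +1 if a is a square mod p, -1 if not."""
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def gm_setup(p, q, seed=0):
    """Public (n, m): m a pseudo-square, i.e. a non-residue mod both p and q,
    so its Jacobi symbol is +1 and it is not exposed as a non-residue mod n."""
    rng, n = random.Random(seed), p * q
    while True:
        m = rng.randrange(2, n)
        if legendre(m, p) == -1 and legendre(m, q) == -1:
            return n, m

def commit(b, x, n, m):
    """f(b, x) = m^b * x^2 mod n; the blob is later opened by revealing x."""
    return pow(m, b, n) * pow(x, 2, n) % n

def opens_as(blob, b, x, n, m):
    return commit(b, x, n, m) == blob

def units(n):
    return [x for x in range(1, n) if gcd(x, n) == 1]

def binding_holds(n, m):
    """Exhaustive check for a toy n: no blob can be opened both as 0 and as 1."""
    bits_of = {}
    for x in units(n):
        for b in (0, 1):
            bits_of.setdefault(commit(b, x, n, m), set()).add(b)
    return all(len(bits) == 1 for bits in bits_of.values())

def jacobi_symbol(a, p, q):
    """Jacobi symbol (a/n) via the factors; the same value is computable without them."""
    return legendre(a, p) * legendre(a, q)

def peek_with_trapdoor(blob, p, q):
    """Knowing p, q, the blob is a QR iff b = 0: concealing rests on QR being hard."""
    return 0 if legendre(blob, p) == 1 and legendre(blob, q) == 1 else 1

def commit_string(bits, n, m, rng=random):
    """Remark on the slide: commit a bitstring bit by bit with independent randomness."""
    us = units(n)
    xs = [rng.choice(us) for _ in bits]
    return [commit(int(b), x, n, m) for b, x in zip(bits, xs)], xs
```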

Zero-Knowledge Proofs 12
A Zero-Knowledge protocol for Graph 3-colorability
Input: A graph $G = (V, E)$ with $V = \{1, 2, \ldots, n\}$, $|E| = m$.
Repeat the following steps $m^2$ times:
Peggy: Let $\phi$ be a 3-coloring of $G$. Choose a random permutation $\pi$ of $\{1, 2, 3\}$. For $1 \le i \le n$, set $c_i = \pi(\phi(i))$ and write $c_i$ as a bitstring $c_i = c_{i,1} c_{i,2}$. Then for $1 \le i \le n$, choose two random elements $r_{i,1}, r_{i,2} \in X$ and compute $R_{i,j} = f(c_{i,j}, r_{i,j})$, $j = 1, 2$. Send $(R_{1,1}, R_{1,2}, \ldots, R_{n,1}, R_{n,2})$ to Vic.
Vic: Send a random edge $\{u, v\} \in E$ to Peggy.
Peggy: Send $(c_{u,1}, c_{u,2}, r_{u,1}, r_{u,2})$ and $(c_{v,1}, c_{v,2}, r_{v,1}, r_{v,2})$ to Vic.
Vic: Check that $c_u, c_v \in \{1, 2, 3\}$, $c_u \ne c_v$, $R_{u,j} = f(c_{u,j}, r_{u,j})$ and $R_{v,j} = f(c_{v,j}, r_{v,j})$, $j = 1, 2$.
Vic: Accept the proof iff the check succeeded in each of the $m^2$ rounds.
Claim: The above is an Interactive Proof System for Graph 3-colorability.

Zero-Knowledge Proofs 13
A forging algorithm for Views for Graph 3-colorability
Input: A graph $G = (V, E)$ with $V = \{1, 2, \ldots, n\}$, $|E| = m$.
View $= (G)$
for $j = 1$ to $m^2$ do
    (i) Choose an edge $(u, v) \in E$ at random.
    (ii) Choose $d = d_1 d_2$ and $e = e_1 e_2$ to be random distinct elements of $\{1, 2, 3\}$.
    (iii) For $1 \le i \le n$, $j = 1, 2$, choose $r_{i,j}$ to be a random element of $X$.
    (iv) Compute $R_{i,j}$ to be $f(1, r_{i,j})$ if $i \ne u, v$; $f(d_j, r_{i,j})$ if $i = u$; and $f(e_j, r_{i,j})$ if $i = v$.
    (v) Concatenate $(R_{1,1}, \ldots, R_{n,2}, u, v, d_1, d_2, r_{u,1}, r_{u,2}, e_1, e_2, r_{v,1}, r_{v,2})$ onto the end of View.
Theorem: If $f(\cdot, \cdot)$ is a secure encryption, then the above is a zero-knowledge proof system for Graph 3-colorability. Using standard reductions, $\mathrm{NP} \subseteq \mathrm{ZK}$ if $f$ is secure.
Corollary: If one-way functions exist and PH does not collapse, then $\mathrm{ZK} \ne \mathrm{SZK}$.
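The 3-colorability protocol of slide 12 and its forging algorithm from slide 13, as an added Python example that is not the talk's code. It uses a hash-based commitment as a stand-in for the BCS $f$ (assumed concealing and binding; not the Goldwasser-Micali construction), and the simulator picks the edge itself as the slide does for honest Vic; commit_colouring and the 5-cycle used in the checks are constructed here.

```python
import hashlib, os, random

def f(b, x):
    """Stand-in for the BCS f(b, x): a hash commitment to bit b under 16-byte
    randomness x (assumed concealing and binding; not the GM construction)."""
    return hashlib.sha256(bytes([b]) + x).hexdigest()

def bits(c):
    """Colour c in {1, 2, 3} written as the two bits c_{i,1} c_{i,2}."""
    return ((c >> 1) & 1, c & 1)

def commit_colouring(col, n):
    """Commit to both bits of every vertex colour; returns blobs R and randomness r."""
    r = {(i, j): os.urandom(16) for i in range(n) for j in (1, 2)}
    R = {(i, j): f(bits(col[i])[j - 1], r[(i, j)]) for i in range(n) for j in (1, 2)}
    return R, r

def peggy_round(n, phi):
    """Peggy: randomly rename the colours of her 3-colouring phi, then commit."""
    perm = dict(zip((1, 2, 3), random.sample((1, 2, 3), 3)))
    col = {i: perm[phi[i]] for i in range(n)}
    R, r = commit_colouring(col, n)
    return R, (lambda u, v: {w: (col[w], r[(w, 1)], r[(w, 2)]) for w in (u, v)})

def vic_check(R, u, v, opened):
    """c_u, c_v valid and different, and every opened blob matches its commitment."""
    cu, cv = opened[u][0], opened[v][0]
    return (cu in (1, 2, 3) and cv in (1, 2, 3) and cu != cv and
            all(R[(w, j)] == f(bits(c)[j - 1], rj)
                for w, (c, r1, r2) in opened.items() for j, rj in ((1, r1), (2, r2))))

def run_protocol(edges, n, phi, rounds):
    """Honest Vic picks a random edge each round; accepts iff every check passes."""
    view = []
    for _ in range(rounds):
        R, reveal = peggy_round(n, phi)
        u, v = random.choice(edges)
        opened = reveal(u, v)
        if not vic_check(R, u, v, opened):
            return False, view
        view.append((R, u, v, opened))
    return True, view

def simulate(edges, n, rounds):
    """Forging algorithm for honest Vic: no colouring at all; u and v get distinct
    random colours d, e and every other vertex is committed as colour 1."""
    view = []
    for _ in range(rounds):
        u, v = random.choice(edges)
        d, e = random.sample((1, 2, 3), 2)
        col = {i: (d if i == u else (e if i == v else 1)) for i in range(n)}
        R, r = commit_colouring(col, n)
        view.append((R, u, v, {w: (col[w], r[(w, 1)], r[(w, 2)]) for w in (u, v)}))
    return view
```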

Zero-Knowledge Proofs 14
Summary
Randomization enables proof systems to recognize a much broader class, IP. In fact a recent result due to A. Shamir shows that IP = PSPACE. Thus, the power of interaction is indeed phenomenal.
The notion of zero-knowledge: vital to sharing secrets without giving anything extra away.
Randomization + Cryptographic encryption $\Rightarrow$ Zero-knowledge proofs (the class ZK).
If one-way functions exist, then $\mathrm{NP} \subseteq \mathrm{ZK}$.
Very unlikely that $\mathrm{NP} \subseteq \mathrm{SZK}$ or $\mathrm{SZK} = \mathrm{ZK}$.
Open whether $\mathrm{PZK} = \mathrm{SZK}$.