Lecture 18: Zero-Knowledge Proofs

Similar documents
Lecture Notes 20: Zero-Knowledge Proofs

Zero-Knowledge Proofs and Protocols

Great Theoretical Ideas in Computer Science

Lecture 15: Interactive Proofs

Lecture 15 - Zero Knowledge Proofs

Zero-Knowledge Against Quantum Attacks

1 Recap: Interactive Proofs

Lecture 22: Oct 29, Interactive proof for graph non-isomorphism

Notes on Complexity Theory Last updated: November, Lecture 10

Lecture 26: Arthur-Merlin Games

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 9

Lecture 12: Interactive Proofs

Lecture 3: Interactive Proofs and Zero-Knowledge

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

A Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC)

How many rounds can Random Selection handle?

2 Natural Proofs: a barrier for proving circuit lower bounds

CMSC 858K Introduction to Secure Computation October 18, Lecture 19

Complexity Theory. Jörg Kreiker. Summer term Chair for Theoretical Computer Science Prof. Esparza TU München

Theoretical Cryptography, Lectures 18-20

An Epistemic Characterization of Zero Knowledge

Notes for Lecture 25

Notes on Zero Knowledge

Lecture Notes 17. Randomness: The verifier can toss coins and is allowed to err with some (small) probability if it is unlucky in its coin tosses.

Augmented Black-Box Simulation and Zero Knowledge Argument for NP

Parallel Repetition of Zero-Knowledge Proofs and the Possibility of Basing Cryptography on NP-Hardness

Lecture 3,4: Universal Composability

Zero Knowledge and Soundness are Symmetric

Lecture 17: Interactive Proof Systems

CS151 Complexity Theory. Lecture 13 May 15, 2017

An Epistemic Characterization of Zero Knowledge

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Limits to Approximability: When Algorithms Won't Help You. Note: Contents of today s lecture won t be on the exam

Lecture 5. 1 Review (Pairwise Independence and Derandomization)

Lecture 10: Zero-Knowledge Proofs

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 10

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols

Zero-Knowledge Proofs 1

Zero-Knowledge Against Quantum Attacks

Notes for Lecture 27

Lecture 17: Constructions of Public-Key Encryption

1 Computational Problems

Abstract. Often the core diculty in designing zero-knowledge protocols arises from having to

Session 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University

Introduction to Modern Cryptography. Benny Chor

2 Evidence that Graph Isomorphism is not NP-complete

Lecture 13: Private Key Encryption

CPSC 467: Cryptography and Computer Security

CSCI 1590 Intro to Computational Complexity

From Weak to Strong Zero-Knowledge and Applications

198:538 Complexity of Computation Lecture 16 Rutgers University, Spring March 2007

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

On Constant-Round Concurrent Zero-Knowledge

Lecture 14: Secure Multiparty Computation

Interactive protocols & zero-knowledge

Cryptographic Protocols Notes 2

Probabilistically Checkable Arguments

Magic Functions. In Memoriam Bernard M. Dwork

A Note on Negligible Functions

Concurrent Non-malleable Commitments from any One-way Function

Lecture 26. Daniel Apon

Lecture 3,4: Multiparty Computation

Zero Knowledge with Efficient Provers

Notes for Lecture Notes 2

Non-Interactive ZK:The Feige-Lapidot-Shamir protocol

Round-Optimal Fully Black-Box Zero-Knowledge Arguments from One-Way Permutations

Lecture 19: Interactive Proofs and the PCP Theorem

Limits on the power of quantum statistical zero-knowledge

6.897: Selected Topics in Cryptography Lectures 7 and 8. Lecturer: Ran Canetti

Interactive protocols & zero-knowledge

Constant-round Leakage-resilient Zero-knowledge from Collision Resistance *

Interactive Proofs 1

Foundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge

Lecture 24: Approximate Counting

CSC 2429 Approaches to the P versus NP Question. Lecture #12: April 2, 2014

ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL

Interactive PCP. Yael Tauman Kalai Georgia Institute of Technology Ran Raz Weizmann Institute of Science

Winter 2011 Josh Benaloh Brian LaMacchia

CS151 Complexity Theory. Lecture 14 May 17, 2017

Lecture Notes, Week 10

Simulation in Quasi-Polynomial Time, and Its Application to Protocol Composition

Electronic Colloquium on Computational Complexity, Report No. 31 (2007) Interactive PCP

arxiv: v1 [quant-ph] 11 Apr 2016

Commitment Schemes and Zero-Knowledge Protocols (2011)

The Round-Complexity of Black-Box Zero-Knowledge: A Combinatorial Characterization

MTAT Complexity Theory December 8th, Lecture 12

6.841/18.405J: Advanced Complexity Wednesday, February 12, Lecture Lecture 3

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

From Secure MPC to Efficient Zero-Knowledge

Impossibility and Feasibility Results for Zero Knowledge with Public Keys

Pseudo-Deterministic Proofs

CMSC 858K Advanced Topics in Cryptography March 4, 2004

20.1 2SAT. CS125 Lecture 20 Fall 2016

Interactive and Noninteractive Zero Knowledge Coincide in the Help Model

A Transform for NIZK Almost as Efficient and General as the Fiat-Shamir Transform Without Programmable Random Oracles

6.897: Advanced Topics in Cryptography. Lecturer: Ran Canetti

How to Go Beyond the Black-Box Simulation Barrier

Homework 3 Solutions

2 P vs. NP and Diagonalization

Transcription:

COM S 6810 Theory of Computing March 26, 2009 Lecture 18: Zero-Knowledge Proofs Instructor: Rafael Pass Scribe: Igor Gorodezky 1 The formal definition We intuitively defined an interactive proof to be zero-knowledge if after reading the proof the verifier cannot (efficiently) perform computational tasks that she could not (efficiently) perform before. Just as soundness is a desirable property in an interactive proof system with a possibly malicious prover, zero-knowledge is a property that could be plausibly desired by a prover who suspects a malicious verifier. Let us state the formal definition of a zero-knowledge proof system, due to Goldwasser, Micali and Rackoff. Given an interactive proof system P, V for a language L and an input x, we define the view of V on x to be all messages sent from P to V as well as all random bits used by V during the execution of the protocol on x. We will write the view on x as View V [P (x) V (x)]. Also, we define an expected PPT Turing machine to be a TM whose expected running time is polynomial in the input length. Definition 1 (Zero-knowledge proof system) An interactive proof system P, V for a language L is zero-knowledge if for any PPT verifier V there exists an expected PPT simulator S such that x L, z {0, 1}, View V [P (x) V (x, z)] = S(x, z) As usual, P has unlimited computation power (in practice, P must be a randomized TM). Intuitively, the definition states that an interactive proof system P, V is zeroknowledge if for any verifier V there exists an efficient simulator S that can essentially produce a transcript of the conversation that would have taken place between P and V on any given input. Therefore, having a conversation with P cannot teach V to compute something she could not have computed before. 1 The string z in the definition plays the role of prior knowledge ; V cannot use any prior knowledge string z to mine information out of its conversation with P because we demand that if S is also given this prior knowledge then it can reproduce the conversation between V and P just as before. 1 Modulo the fact that S is slightly more powerful than V since it is allowed to run for expected polynomial time. 18-1

Observe that both S(x, z) and View V are distributions over random strings. Therefore the equality between these quantities in the definition means that these distributions are identical. This requirement is formally called perfect zero-knowledge. This can be relaxed by requiring that instead of being identical, the two distributions cannot be told apart by any efficient computation; this defines what is called computational zero-knowledge. In this lecture, zero-knowledge proofs will be perfect unless qualified otherwise. We can also relax the assumption that a simulator S exists for any V and instead require only that there exists some V, an honest verifier, for which there exists an S with the desired property. This yields what is called honest verifier zero-knowledge. 2 Graph isomorphism As a first example let us give a zero-knowledge proof system for graph isomorphism (GI). Given two graphs G 0 and G 1, P wants to convince V that he knows a permutation π such that π(g 0 ) = G 1. P could simply send π to V, but that is hardly zero-knowledge; we want to convince V that π is an isomorphism without revealing anything about it. The protocol is as follows. P V : P randomly chooses a permutation σ and a bit b {0, 1}, computes H = σ(g b ), and sends H to V. V P : V chooses a bit b {0, 1} and sends it to P. P V : P sends the permutation τ to V, where σ if b = b τ = σπ 1 if b = 0, b = 1 σπ if b = 1, b = 0 V accepts if and only if H = τ(g b ). This protocol has perfect completeness because if π really is an isomorphism then it will always be the case that τ(g b ) = σ(g b ). Moreover, assume for the moment that V is an honest verifier that chooses b randomly. In this case the protocol is also sound, for if π is not an isomorphism then τ(g b ) = σ(g b ) only if b = b, and this happens with probability 1/2 by our choice of verifier. We also claim that this is an honest verifier zero-knowledge protocol for the verifier V that chooses b randomly. To see why, note first that View V [P (G 0, G 1 ) V (G 0, G 1 )] = (b, H, σ). 18-2

The simulator S for V operates by randomly choosing b and σ and then outputting (b, σ(g b ), σ). S satisfies the definition because the distribution of S(G 0, G 1 ) is precisely the distribution of View V whenever G 0 = G1. What if we allow malicious verifiers? Is the protocol perfect zero-knowledge as well as honest verifier zero-knowledge? Lemma 1 The GI protocol above is perfect zero-knowledge. Proof. We must verify that a simulator S exists for an arbitrary verifier V. Given a verifier V let h (G 0, G 1, z, H) be the bit chosen by V (G 0, G 1, z) at the second step of the protocol, after having received H. Define S(G 0, G 1, z) to operate as follows: Randomly choose a permutation σ and b {0, 1}. Set H = σ(g b ) and b = h (G 0, G 1, z, H). If b = b output (b, H, σ), otherwise restart with a new σ, b. In order to show that S is a valid simulator it suffices to prove that if G 0 = G1 then (a) S runs in expected polynomial time and (b) the distribution of its output equals the distribution of View V. To prove the first claim, observe first that if G 0 = G1 then, since σ is random, h cannot depend on b. Therefore b and b are chosen independently, hence are equal with probability 1/2. Therefore S must run only twice in expectation before halting. The observation that Prob[b = b ] = 1/2 also proves that the distribution of S equals the distribution of View V, because it implies that whether or not S halts on a particular choice of {b, σ} is independent of {b, σ} and therefore of H. It follows that the distribution of the output (b, H, σ) is exactly the distribution of View V. 3 Computational zero knowledge Recall that P, V is a computational zero-knowledge protocol if it satisfies Definition 1 with the condition View V [P (x) V (x, z)] = S(x, z) weakened to the requirement that the two distributions be indistinguishable by efficient computations (we ll keep this discussion casual and therefore omit any formal definition of efficiency). 18-3

We write CZK for the class of languages that have computational zero-knowledge proofs. The following theorem is due to Goldreich, Micali and Wigderson. Theorem 2 If one-way functions exist then NP CZK. Let us sketch the proof. The existence of one-way functions allows bit commitment: it is possible for P to seal a bit b and communicate the sealed bit to V in a way that only reveals the bit to V with P s permission and also guarantees that P could not have changed b between the time it was sealed and the time it was revealed. To prove the theorem it suffices to give a computational zero-knowledge protocol for 3-coloring (3COL), which is NP-complete. Given a graph G with E edges, P wants to convince V that c : V (G) {R, G, B} is a valid 3-coloring. The protocol is as follows P permutes the three colors and seals the label on each vertex using bit commitment. V picks an edge (u, v) and send u, v to P. P reveals c(u) and c(v). V accepts if and only if c(u) c(v). We observe that this protocol has perfect completeness against an arbitrary prover: if c is a valid 3-coloring then c(u) c(v) for any edge (u, v). This protocol is also sound because if c is not a valid 3-coloring then c(u) = c(v) for some edge (u, v), meaning any prover fails to convince V with probability at least 1/ E. All very good, but is this a zero-knowledge protocol? It is, and the simulator S(G) utilizes the same restarting trick we saw in the GI protocol. S(G) operates as follows: Pick a random edge (u, v) and define a coloring c by R if w = u c(w) = G if w = v B otherwise Permute the three colors and seal the label on each vertex using bit commitment (just like P ). Query V for an edge (u, v ). If (u, v ) = (u, v), reveal c(u ), c(v ) and output (u, v, c(u), c(v)); otherwise restart. 18-4

It is easy to see that S(G) makes only E restarts in expectation hence has constant expected running time. It is also the case, though this is quite difficult to prove, that the distribution of its output is indistinguishable from the distribution of View V, which implies that our protocol for 3COL is computational zero-knowledge. We end with the following generalization of Theorem 2 due to Ben-Or, Goldreich, Goldwasser, Håstad, Kilian, Micali and Rogaway. Theorem 3 If one-way functions exist then IP = CZK. Clearly, CZK IP by definition. The opposite inclusion is proved by showing that any public-coin protocol has an equivalent computational zero-knowledge protocol. It is possible to construct such a protocol by, very roughly speaking, first having the prover use bit commitment to seal the transcript of an accepting interaction in the original publiccoin protocol. Then, the claim that the sealed bits encode an accepting transcript is an NP statement, hence by Theorem 2 can be verified using a computational zero-knowledge protocol. 18-5

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback