Non-Interactive Zero Knowledge (II)

Similar documents
Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Non-Interactive ZK:The Feige-Lapidot-Shamir protocol

CMSC 858K Advanced Topics in Cryptography March 4, 2004

Foundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge

Lecture Notes 20: Zero-Knowledge Proofs

Lecture 3: Interactive Proofs and Zero-Knowledge

6.842 Randomness and Computation Lecture 5

Notes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.

Interactive protocols & zero-knowledge

CS Lecture 29 P, NP, and NP-Completeness. k ) for all k. Fall The class P. The class NP

1 Recap: Interactive Proofs

The Class NP. NP is the problems that can be solved in polynomial time by a nondeterministic machine.

Intro to Theory of Computation

X = X X n, + X 2

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Lecture 5. 1 Review (Pairwise Independence and Derandomization)

Interactive protocols & zero-knowledge

Discrete Mathematics for CS Spring 2007 Luca Trevisan Lecture 20

CS151 Complexity Theory. Lecture 13 May 15, 2017

Pr[X = s Y = t] = Pr[X = s] Pr[Y = t]

Chapter 2. Reductions and NP. 2.1 Reductions Continued The Satisfiability Problem (SAT) SAT 3SAT. CS 573: Algorithms, Fall 2013 August 29, 2013

Notes on Complexity Theory Last updated: November, Lecture 10

Lecture 22: Oct 29, Interactive proof for graph non-isomorphism

CS5371 Theory of Computation. Lecture 18: Complexity III (Two Classes: P and NP)

How many rounds can Random Selection handle?

Lecture 15 - Zero Knowledge Proofs

Handout 5. α a1 a n. }, where. xi if a i = 1 1 if a i = 0.

Session 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University

Notes for Lecture 25

CS154, Lecture 13: P vs NP

Lecture 24: Randomized Complexity, Course Summary

Lecture 2 Sep 5, 2017

Randomized Algorithms Multiple Choice Test

Approximate Counting and Markov Chain Monte Carlo

Lecture Notes 17. Randomness: The verifier can toss coins and is allowed to err with some (small) probability if it is unlucky in its coin tosses.

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Lecture 8 (Notes) 1. The book Computational Complexity: A Modern Approach by Sanjeev Arora and Boaz Barak;

Symmetric Encryption

Notes on Zero Knowledge

The space complexity of approximating the frequency moments

III. Authentication - identification protocols

Topic: Sampling, Medians of Means method and DNF counting Date: October 6, 2004 Scribe: Florin Oprea

conp = { L L NP } (1) This problem is essentially the same as SAT because a formula is not satisfiable if and only if its negation is a tautology.

Lecture 4: Two-point Sampling, Coupon Collector s problem

A Threshold of ln(n) for approximating set cover

ACO Comprehensive Exam October 14 and 15, 2013

1 Locally computable randomized encodings

CPSC 536N: Randomized Algorithms Term 2. Lecture 9

The Laws of Cryptography Zero-Knowledge Protocols

CS154, Lecture 13: P vs NP

Show that the following problems are NP-complete

CS286.2 Lecture 8: A variant of QPCP for multiplayer entangled games

CPSC 467: Cryptography and Computer Security

CS Homework Chapter 6 ( 6.14 )

Chapter 2 : Perfectly-Secret Encryption

Expectation of geometric distribution

CS Lecture 28 P, NP, and NP-Completeness. Fall 2008

6.842 Randomness and Computation March 3, Lecture 8

A Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC)

20.1 2SAT. CS125 Lecture 20 Fall 2016

HW11. Due: December 6, 2018

Lecture 4 : Quest for Structure in Counting Problems

CS154, Lecture 15: Cook-Levin Theorem SAT, 3SAT

Lecture 15: Interactive Proofs

Lecture 10: Zero-Knowledge Proofs

Lecture 13: Seed-Dependent Key Derivation

Probabilistically Checkable Arguments

So far we discussed random number generators that need to have the maximum length period.

Lecture 17: Interactive Proof Systems

Lecture 22: Counting

CS 6260 Applied Cryptography

CSE525: Randomized Algorithms and Probabilistic Analysis April 2, Lecture 1

Limits to Approximability: When Algorithms Won't Help You. Note: Contents of today s lecture won t be on the exam

Winter 2011 Josh Benaloh Brian LaMacchia

U.C. Berkeley CS294: Beyond Worst-Case Analysis Handout 2 Luca Trevisan August 29, 2017

Lecture 26: Arthur-Merlin Games

Random Variable. Pr(X = a) = Pr(s)

Algorithms and Theory of Computation. Lecture 19: Class P and NP, Reduction

Homework 4 Solutions

Lecture 17: Constructions of Public-Key Encryption

Time to learn about NP-completeness!

RECAP How to find a maximum matching?

1 Maintaining a Dictionary

Randomness and Computation March 13, Lecture 3

CSCE 551 Final Exam, Spring 2004 Answer Key

Randomized Complexity Classes; RP

CS261: A Second Course in Algorithms Lecture #18: Five Essential Tools for the Analysis of Randomized Algorithms

Lecture Examples of problems which have randomized algorithms

Lecture 7: ɛ-biased and almost k-wise independent spaces

Background: Lattices and the Learning-with-Errors problem

Chernoff Bounds. Theme: try to show that it is unlikely a random variable X is far away from its expectation.

CSCI 1590 Intro to Computational Complexity

Lecture Notes CS:5360 Randomized Algorithms Lecture 20 and 21: Nov 6th and 8th, 2018 Scribe: Qianhang Sun

The Probabilistic Method

1 Randomized Computation

EECS 70 Discrete Mathematics and Probability Theory Fall 2015 Walrand/Rao Final

Theoretical Cryptography, Lecture 10

Expectation of geometric distribution. Variance and Standard Deviation. Variance: Examples

Lecture Notes on Secret Sharing

CS 151 Complexity Theory Spring Solution Set 5

Transcription:

Non-Interactive Zero Knowledge (II) CS 601.442/642 Modern Cryptography Fall 2017 S 601.442/642 Modern CryptographyNon-Interactive Zero Knowledge (II) Fall 2017 1 / 18

NIZKs for NP: Roadmap Last-time: Transformation from NIZKs in hidden-bit model to NIZKs in common random string model Today: NIZKs for NP in the hidden-bit model Homework: Non-adaptive NIZKs to Adaptive NIZKs S 601.442/642 Modern CryptographyNon-Interactive Zero Knowledge (II) Fall 2017 2 / 18

Hamiltonian Graphs Definition (Hamiltonian Graph) Let G = (V, E) be a graph with V = n. We say that G is a Hamiltonian graph if it has a Hamiltonian cycle, i.e., there are v 1,..., v n V s.t. for all i [n]: (v i, v (i+1) mod n ) E Fact: Deciding whether a graph is Hamiltonian is NP-Complete. Let L H be the language of Hamiltonian graphs G = (V, E) s.t. V = n Today: NIZK proof system for L H in the hidden-bit model S 601.442/642 Modern CryptographyNon-Interactive Zero Knowledge (II) Fall 2017 3 / 18

Notation Definition (Adjacency Matrix) A graph G = (V, E) with V = n, can be represented as an n n adjacency matrix M G of boolean values such that: { 1 if (i, j) E M[i, j] = 0 otherwise Cycle Matrix: A cycle matrix is a boolean matrix that corresponds to a graph that contains a Hamiltonian cycle and no other edges Permutation Matrix: A permutation matrix is a boolean matrix such that each row and each column has exactly one entry equal to 1 Fact: Every cycle matrix is a permutation matrix, but the converse is not true. For every n, there are n! permutation matrices, but only (n 1)! cycle matrices S 601.442/642 Modern CryptographyNon-Interactive Zero Knowledge (II) Fall 2017 4 / 18

NIZKs for L H in Hidden-Bit Model Two Steps: Step I. NIZK (K 1, P 1, V 1 ) for L H in hidden-bit model where K produces (hidden) strings r with a specific distribution: each r represents an n n cycle matrix Step II. Modify the above construction to obtain (K 2, P 2, V 2 ) where the (hidden) string r is uniformly random S 601.442/642 Modern CryptographyNon-Interactive Zero Knowledge (II) Fall 2017 5 / 18

Step I Construction of (K 1, P 1, V 1 ) for L H : K 1 (1 n ): Output r {0, 1} n2 s.t. it represents an n n cycle matrix M c P 1 (r, x, w): Execute the following steps: Parse x = G = (V, E) s.t. V = n, and w = H where H = (v 1,..., v n ) is a Hamiltonian cycle in G Choose a permutation ϕ : V {1,..., n} that maps H to the cycle in M c, i.e., for every i [n]: M c [ϕ(v i ), ϕ(v (i+1) mod n )] = 1 Define I = {ϕ(u), ϕ(v) M G [u, v] = 0} to be the set of non-edges in G Output (I, ϕ) S 601.442/642 Modern CryptographyNon-Interactive Zero Knowledge (II) Fall 2017 6 / 18

Step I (contd.) Construction of (K 1, P 1, V 1 ) for L H : V 1 (I, r I, ϕ): Execute the following steps: Parse r I = {M c [u, v]} (u,v) I Check that for every (u, v) I, M c [u, v] = 0 Check that for every (u, v) I, M G (ϕ 1 (u), ϕ 1 (v)) = 0 If both the checks succeed, then output 1 and 0 otherwise Completeness: An honest prover P can always find a correct mapping ϕ that maps H to the cycle in M c Soundness: If G = (V, E) is not a Hamiltonian graph, then for any mapping ϕ : V {1,..., n}, ϕ(g) will not cover all the edges in M c. There must exist at least one non-zero entry in M c that is revealed as a non-edge of G S 601.442/642 Modern CryptographyNon-Interactive Zero Knowledge (II) Fall 2017 7 / 18

Step I (contd.) Zero Knowledge: Simulator S performs the following steps: Sample a random permutation ϕ : V {1,..., n} Compute I = {ϕ(u), ϕ(v) M G [u, v] = 0} For every (a, b) I, set M c [a, b] = 0 Output (I, {M c [a, b]} (a,b) I, ϕ) It is easy to verify that the above output distribution is identical to the real experiment S 601.442/642 Modern CryptographyNon-Interactive Zero Knowledge (II) Fall 2017 8 / 18

Step II: Strategy Define a deterministic procedure Q that takes as input a (sufficiently long) random string r and outputs a biased string s that corresponds to a cycle matrix with inverse polynomial probability 1 l(n) If we feed Q n l(n) random inputs, then with high probability, at least one of the outputs will correspond to a cycle matrix In the NIZK construction, the (hidden) random string will be r = r 1,..., r n l(n) For every i, the prover will try to compute a proof using s i = Q(r i ) At least one s i will contain a cycle matrix, so we can use the NIZK proof system from Step I S 601.442/642 Modern CryptographyNon-Interactive Zero Knowledge (II) Fall 2017 9 / 18

Procedure Q Let r be a random string s.t. r = 3 log n n 4 Procedure Q(r): Parse r = r 1,..., r n 4 s.t. i, r i = 3 log n Compute s = s 1,..., s n 4, where: { 1 if ri = 111 1 s i = 0 otherwise Define an n 2 n 2 boolean matrix M consisting of entries from s If M contains an n n sub-matrix M c s.t. M c is a cycle matrix, then output (M, M c ), else output (M, ) S 601.442/642 Modern CryptographyNon-Interactive Zero Knowledge (II) Fall 2017 10 / 18

Analysis of Q Notation. Let Good be the set of outputs of Q( ) that contain a cycle matrix and Bad be the complementary set Lemma For a random input r, Pr[Q(r) Good] 1 3n 3 Let M be an n 2 n 2 matrix computed by Q on a random input r. We will prove the above lemma via a sequence of claims: Claim 1: M contains exactly n 1 s with probability at least 1 3n Claim 2: M contains a permutation sub-matrix with probability at least 1 3n 2 Claim 3: M contains a cycle sub-matrix with probability at least 1 3n 3 S 601.442/642 Modern CryptographyNon-Interactive Zero Knowledge (II) Fall 2017 11 / 18

Analysis of Q (contd.) Proof of Claim 1: Let X be the random variable denoting the number of 1 s in M X follows the binomial distribution with N = n 4, p = 1 n 3 E(X) = N p = n Var(X) = Np(1 p) < n Recall Chebyshev s Inequality: Pr [ X E(X) > k ] Var(X) k 2 Setting k = n, we have: Observe: 2n i=1 [ ] Pr X n > n 1 n [ ] Pr[X = i] = 1 Pr X n > n > 1 1 n S 601.442/642 Modern CryptographyNon-Interactive Zero Knowledge (II) Fall 2017 12 / 18

Analysis of Q (contd.) Proof of Claim 1 (contd.): Pr[X = i] is maximum at i = n Observe: Pr[X = n] 2n i=1 Pr[X = i] 2n 1 3n S 601.442/642 Modern CryptographyNon-Interactive Zero Knowledge (II) Fall 2017 13 / 18

Analysis of Q (contd.) Proof of Claim 2: Want to bound the probability that each of the n 1 entries in M is in a different row and column After k 1 entries have been added to M, Pr[new 1 entry is in different row and column] = (1 k ) 2 n 2 Multiplying all: Pr[no collision] (1 1 ) 2 ( n 2 1 n 1 ) 2 n 2 1 n Combining the above with Claim 1, Pr[M contains a permutation n n submatrix ] 1 3n 2 S 601.442/642 Modern CryptographyNon-Interactive Zero Knowledge (II) Fall 2017 14 / 18

Analysis of Q (contd.) Proof of Claim 3: Want to bound the probability that M contains an n n cycle sub-matrix Observe: Pr[n n permutation matrix is a cycle matrix] = 1 n Combining the above with Claim 2, Pr[M contains a cycle n n submatrix ] 1 3n 3 S 601.442/642 Modern CryptographyNon-Interactive Zero Knowledge (II) Fall 2017 15 / 18

Step II: Details Construction of (K 2, P 2, V 2 ) for L H : K 2 (1 n ): Output r {0, 1} L where L = 3 log n n 8 P 2 (r, x, w): Parse r = r 1,..., r n 4 s.t. for every i [n 4 ], r i = 3 log n n 4. For every i [n 4 ]: If Q(r i ) = (M i, ), set I i = [ r i ] (i.e., reveal the entire r i ), and π i = Else, let (M i, M i c) Q(r i ). Compute (I i, ϕ i) P 1 (M i c, x, w). Set I i = I i J i where J i is the set of indices s.t. r i restricted to J i yields the residual M i after removing M i c, and π i = ϕ i Output (I = {I i }, π = {π i }) S 601.442/642 Modern CryptographyNon-Interactive Zero Knowledge (II) Fall 2017 16 / 18

Step II: Details (contd.) Construction of (K 2, P 2, V 2 ) for L H : V 2 (I, r I, π): Parse I = I 1,..., I n 4, r I = s 1,..., s n 4, and π = π 1,..., π n 4. For every i [n 4 ]: If I i is the complete set, then check that Q(s i ) = (, ) Otherwise, parse I i = I i J i. Parse s i = s 1 i, s2 i and check that s 2 i is the all 0 string. Also, check that V 1 (I i, s1 i, π i) = 1 If all the checks succeed, then output 1 and 0 otherwise S 601.442/642 Modern CryptographyNon-Interactive Zero Knowledge (II) Fall 2017 17 / 18

Step II: Security Completeness: Follows from completeness of the construction in Step I Soundness: For random r = r 1,..., r n 4, Q(r i ) Good for at least one r i with high probability. Soundness then follows from the soundness of the construction in Step I Zero-Knowledge: For i s.t. Q(r i ) Good, V does not learn any information from the zero-knowledge property of the construction in Step I. For i s.t. Q(r i ) Bad, V does not see anything besides r i. S 601.442/642 Modern CryptographyNon-Interactive Zero Knowledge (II) Fall 2017 18 / 18

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback