CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties in cryptographic protocols convince each other of facts (e.g. this encrypted bank statement shows that I have a balance of at least $10,000) without revealing secret information (e.g. the decryption key)? 1.1 Classical Proofs Denition 1 An NP proof system for membership in a language L is an algorithm V such that 1. (Completeness) If x L, then there exists proof s.t. V (x, proof ) = accept. 2. (Soundness) If x / L, then for all proof, V (x, proof ) = reject. 3. (Eciency) V (x, proof ) runs in time poly( x ). NP proofs inherently provide more knowledge than x L. 1.2 Interactive Proofs Two new ingredients: interaction and randomization. Instead of having the proof be a static object, we have a dynamic prover who interacts with the verier. The verier V is probabilistic and is allowed to make a small error probability. Interactive (2-party) protocol: A pair of algorithms (A, B) taking input, history, and coin tosses to next message, e.g. m 1 = A(x; r A ), m 2 = B(x, m 1 ; r B ), m 3 = A(x, m 1, m 2 ; r A ),... Denition 2 An interactive proof for a language L is an interactive protocol (P, V ) such that 1. (Completeness) If x L, then V accepts in (P, V )(x, 1 n ) with probability at least 2/3. 2. (Soundness) If x / L, then for all P, V accepts in (P, V )(x, 1 n ) with probability at most 1/3. 3. (Eciency) The total computation time of V and total communication in (P, V )(x, 1 n ) is at most poly( x, n). Eciency of honest prover P 1
Complexity theory: allow P to be computationally unbounded, and study the power of interactive proofs (IP) as compared to classical proofs (NP). Cryptography: restrict to L NP, require P to be polynomial time given an NP proof w, and hope for additional properties not possible with NP proofs (namely, zero knowledge) Error probabilities can be made exponentially small in n by repetition as usual. 1.3 Quadratic Residuosity L = {(N, x) : x QR N }. How can we prove that x QR N without revealing a square root of x? Idea: cut and choose x QR N y y QR N xy QR N Prover `cuts' by choosing random y, verier `chooses' which of the two statements should be proven. Proof system for Quadratic Residuosity, on common input (N, x) and security parameter 1 n : 1. P : Let q be such that x = q 2 mod N. (This is the NP proof w.) 2. P : Choose r R Z N. Send y = r 2 mod N. 3. V : Choose and send b R {0, 1}. 4. P : If b = 0, let s = r. If b = 1, let s = qr mod N. Send s to V. 5. V : If b = 0, accept if s 2 y (mod N). If b = 1, accept if s 2 xy (mod N). Proposition 3 Above is an interactive proof for Quadratic Residuosity. Proof: 2
2 Zero-Knowledge Proofs Intuitively, verier learns nothing in QR protocol: all verier sees is s, a random string in Z n and either y = s 2 or y = s 2 /x. Simulation paradigm: verier learns nothing if it can generate everything it sees on its own, without interacting with prover. Denition 4 (P, V ) is zero knowledge if for every PPT V, there is a PPT S such that S(x, 1 n ) is computationally indistinguishable from View (P (w),v ) V (x, 1 n ) whenever x L and w is a valid NP proof for x L. Here View (P (w),v ) V (x, 1 n ) denotes V 's view of the interaction all of the messages exchanged and V 's coin tosses r V. Formally, for every PPT D, the probability that D wins in the following indistinguishability game is at most 1/2 + neg(n): Theorem 5 Above proof system for Quadratic Residuosity is (perfect) zero knowledge. Proof: We begin with a simulator for the honest verier strategy V. S(N, x, 1 n ): 1. Choose s R Z N. 2. Choose b R {0, 1}. 3. If b = 0, let y = s 2 mod N. If b = 1, let y = s 2 x 1 mod N. 4. Output (y, b, s; r V = b). How can we modify the simulator to handle a malicious verier strategy V? The proof system for Quadratic Residuosity is a special case of a Σ-protocol (see KL Ch. 14), where the challenge is 1-bit long. In KL it is shown that Σ-protocols are honest-verier zero knowledge (i.e. zero knowledge for veriers that follow the specied protocol). However, as above, they can shown to be zero knowledge even for malicious veriers when the challenge is short (namely, O(log n) bits). 3 Zero Knowledge for NP Theorem 6 Every language in NP has a zero-knowledge proof. can prove anything in zero knowledge, provided you have a short, eciently veriable witness, e.g. that c is an encryption of m with respect to pk. that the decryption of c i is the largest number among the decryptions of c 1,..., c n. that Fermat's Last Theorem has a proof of at most 200 pages. 3
An NP-complete problem: Graph 3-Coloring. An (undirected) graph G = (W, E) is 3-colorable if there is a function C : W {R, Y, B} such that for all (u, v) E, C(u) C(v). 3COL = {G : G is 3-colorable}. For every L NP, there is a poly-time f such that x L f(x) 3COL. Moreover, given any NP proof system for L, we can choose f such that valid NP proofs for x L can be mapped in poly-time to valid 3-colorings of f(x). Cut and Choose: G 3COL C ( (u,v) E C(u) C(v) ). If we randomly permute the 3 colors, each pair (C(u), C(v)) for u v reveals no information. Have prover `commit' to randomized coloring C, verier pick a random edge. Physical Zero-Knowledge Proof: See video. Denition 7 A commitment scheme over message space M = n M n consists of a PPT key generation algorithm Gen(1 n ) = k and a deterministic polynomial-time commitment algorithm Com k (m) (for m M n ) satisfying: (Hiding) Infeasible to learn anything about m from Com K (m) for K R {0, 1} n. Formalized analogously to indistinguishable encryptions. (Binding) There do not exist m m and k, k such that Com k (m) = Com k (m). Zero-Knowledge Proof for Graph 3-Coloring Common input: A graph G = (W, E) and a security parameter 1 n. Prover's input: A valid 3-coloring C : W {R, Y, B} (in case G 3COL) 1. P : Choose a permutation π : {R, Y, B} {R, Y, B} uniformly at random, and set C = π C. For every vertex w W, choose k w R {0, 1} n and send z w = Com kw (C (w)) to V. 2. V : Choose an edge (u, v) R E, and send (u, v) to P. 3. P : Check that (u, v) E, and if so send C (u), C (v), k u, k v to V. 4. V : Accept if C (u) C (v), z u = Com ku (C (u), k u ) and z v = Com kv (C (v)). Theorem 8 Above is a zero-knowledge proof for Graph 3-Coloring. Proof: Perfect completeness. Soundness error 1 1/ E. Reduce by repetition. 4
Simulator S V, on input G = (W, E) and security parameter 1 n : 1. Select (u, v) R E. 2. Dene a coloring C by setting (C (u), C (v)) to be two random distinct colors in {R, Y, B}, and setting C (w) = R for all other vertices w. 3. For every w W, choose k w R {0, 1} n, and set z w = Com kw (C (w)). 4. Select random coin tosses r V for V, and let (u, v ) = V (G, {z w } w W ; r V ). 5. If (u, v ) (u, v), output fail. Otherwise, output ({z w } w W, (u, v), (k u, k v, C (u), C (v)); r V ). Claim 9 For every PPT V and G 3COL, we have 1. S V (G, 1 n ) succeeds with probability at least 1/ E neg(n), and 2. The output distribution of S V (G, 1 n ), conditioned on success, is computationally indistinguishable from View (P (C),V ) V (G, 1 n ). Repeat n E times to eliminate failure. Corollary 10 Every language in NP has a zero-knowledge proof. 5