Lecture Notes 20: Zero-Knowledge Proofs

Similar documents
Zero-Knowledge Proofs 1

Lecture 15 - Zero Knowledge Proofs

Lecture Notes 17. Randomness: The verifier can toss coins and is allowed to err with some (small) probability if it is unlucky in its coin tosses.

Lecture 3: Interactive Proofs and Zero-Knowledge

Lecture 18: Zero-Knowledge Proofs

Notes on Zero Knowledge

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1

Session 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University

From Secure MPC to Efficient Zero-Knowledge

Non-Interactive ZK:The Feige-Lapidot-Shamir protocol

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

1 Recap: Interactive Proofs

CMSC 858K Introduction to Secure Computation October 18, Lecture 19

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 10

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

Notes for Lecture 27

CS151 Complexity Theory. Lecture 13 May 15, 2017

Great Theoretical Ideas in Computer Science

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Notes for Lecture 25

Notes on Complexity Theory Last updated: November, Lecture 10

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Lecture 17: Constructions of Public-Key Encryption

Lecture 10: Zero-Knowledge Proofs

Lecture 11: Key Agreement

Statistical Zero-Knowledge Arguments for NP from Any One-Way Function

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 15: Interactive Proofs

CSCI 1590 Intro to Computational Complexity

Interactive and Noninteractive Zero Knowledge Coincide in the Help Model

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

Concurrent Non-malleable Commitments from any One-way Function

Lectures One Way Permutations, Goldreich Levin Theorem, Commitments

Multiparty Computation

In this chapter we discuss zero-knowledge proof systems. Loosely speaking, such proof

Statistically Hiding Commitments and Statistical Zero-Knowledge Arguments from Any One-Way Function

Lecture 7: CPA Security, MACs, OWFs

How many rounds can Random Selection handle?

Interactive protocols & zero-knowledge

Winter 2011 Josh Benaloh Brian LaMacchia

Notes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.

Foundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge

Zero Knowledge and Soundness are Symmetric

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 9

Abstract. Often the core diculty in designing zero-knowledge protocols arises from having to

Cryptographic Protocols Notes 2

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Contents 1 Introduction The Basics : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : A

Introduction to Modern Cryptography Lecture 11

Statistically Hiding Commitments and Statistical Zero-Knowledge Arguments from Any One-Way Function

Smooth Projective Hash Function and Its Applications

Zero-Knowledge Proofs and Protocols

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Complexity Theory. Jörg Kreiker. Summer term Chair for Theoretical Computer Science Prof. Esparza TU München

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Non-Interactive Zero Knowledge (II)

Cryptographic Protocols FS2011 1

A Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC)

Lecture 28: Public-key Cryptography. Public-key Cryptography

Zero-Knowledge Against Quantum Attacks

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Lecture 26: Arthur-Merlin Games

Theory of Computation Chapter 12: Cryptography

CPSC 467: Cryptography and Computer Security

1 Number Theory Basics

Inaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions

Lectures 2+3: Provable Security

2 Message authentication codes (MACs)

1 Agenda. 2 History. 3 Probabilistically Checkable Proofs (PCPs). Lecture Notes Definitions. PCPs. Approximation Algorithms.

2 Natural Proofs: a barrier for proving circuit lower bounds

Advanced Topics in Cryptography

Improved Zero-knowledge Protocol for the ISIS Problem, and Applications

Statistical WI (and more) in Two Messages

Inaccessible Entropy

A Transform for NIZK Almost as Efficient and General as the Fiat-Shamir Transform Without Programmable Random Oracles

Topics in Complexity

Executable Proofs, Input-Size Hiding Secure Computation and a New Ideal World

CMSC 858K Advanced Topics in Cryptography March 4, 2004

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Interactive protocols & zero-knowledge

Probabilistically Checkable Arguments

Does Parallel Repetition Lower the Error in Computationally Sound Protocols?

Commitment Schemes and Zero-Knowledge Protocols (2011)

1 Secure two-party computation

Augmented Black-Box Simulation and Zero Knowledge Argument for NP

1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds

Foundation of Cryptography, Lecture 4 Pseudorandom Functions

Round-Efficient Multi-party Computation with a Dishonest Majority

Statistically Secure Sigma Protocols with Abort

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols

Introduction to Modern Cryptography. Benny Chor

A Note on Negligible Functions

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

An Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Introduction to Interactive Proofs & The Sumcheck Protocol

III. Authentication - identification protocols

Transcription:

CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties in cryptographic protocols convince each other of facts (e.g. this encrypted bank statement shows that I have a balance of at least $10,000) without revealing secret information (e.g. the decryption key)? 1.1 Classical Proofs Denition 1 An NP proof system for membership in a language L is an algorithm V such that 1. (Completeness) If x L, then there exists proof s.t. V (x, proof ) = accept. 2. (Soundness) If x / L, then for all proof, V (x, proof ) = reject. 3. (Eciency) V (x, proof ) runs in time poly( x ). NP proofs inherently provide more knowledge than x L. 1.2 Interactive Proofs Two new ingredients: interaction and randomization. Instead of having the proof be a static object, we have a dynamic prover who interacts with the verier. The verier V is probabilistic and is allowed to make a small error probability. Interactive (2-party) protocol: A pair of algorithms (A, B) taking input, history, and coin tosses to next message, e.g. m 1 = A(x; r A ), m 2 = B(x, m 1 ; r B ), m 3 = A(x, m 1, m 2 ; r A ),... Denition 2 An interactive proof for a language L is an interactive protocol (P, V ) such that 1. (Completeness) If x L, then V accepts in (P, V )(x, 1 n ) with probability at least 2/3. 2. (Soundness) If x / L, then for all P, V accepts in (P, V )(x, 1 n ) with probability at most 1/3. 3. (Eciency) The total computation time of V and total communication in (P, V )(x, 1 n ) is at most poly( x, n). Eciency of honest prover P 1

Complexity theory: allow P to be computationally unbounded, and study the power of interactive proofs (IP) as compared to classical proofs (NP). Cryptography: restrict to L NP, require P to be polynomial time given an NP proof w, and hope for additional properties not possible with NP proofs (namely, zero knowledge) Error probabilities can be made exponentially small in n by repetition as usual. 1.3 Quadratic Residuosity L = {(N, x) : x QR N }. How can we prove that x QR N without revealing a square root of x? Idea: cut and choose x QR N y y QR N xy QR N Prover `cuts' by choosing random y, verier `chooses' which of the two statements should be proven. Proof system for Quadratic Residuosity, on common input (N, x) and security parameter 1 n : 1. P : Let q be such that x = q 2 mod N. (This is the NP proof w.) 2. P : Choose r R Z N. Send y = r 2 mod N. 3. V : Choose and send b R {0, 1}. 4. P : If b = 0, let s = r. If b = 1, let s = qr mod N. Send s to V. 5. V : If b = 0, accept if s 2 y (mod N). If b = 1, accept if s 2 xy (mod N). Proposition 3 Above is an interactive proof for Quadratic Residuosity. Proof: 2

2 Zero-Knowledge Proofs Intuitively, verier learns nothing in QR protocol: all verier sees is s, a random string in Z n and either y = s 2 or y = s 2 /x. Simulation paradigm: verier learns nothing if it can generate everything it sees on its own, without interacting with prover. Denition 4 (P, V ) is zero knowledge if for every PPT V, there is a PPT S such that S(x, 1 n ) is computationally indistinguishable from View (P (w),v ) V (x, 1 n ) whenever x L and w is a valid NP proof for x L. Here View (P (w),v ) V (x, 1 n ) denotes V 's view of the interaction all of the messages exchanged and V 's coin tosses r V. Formally, for every PPT D, the probability that D wins in the following indistinguishability game is at most 1/2 + neg(n): Theorem 5 Above proof system for Quadratic Residuosity is (perfect) zero knowledge. Proof: We begin with a simulator for the honest verier strategy V. S(N, x, 1 n ): 1. Choose s R Z N. 2. Choose b R {0, 1}. 3. If b = 0, let y = s 2 mod N. If b = 1, let y = s 2 x 1 mod N. 4. Output (y, b, s; r V = b). How can we modify the simulator to handle a malicious verier strategy V? The proof system for Quadratic Residuosity is a special case of a Σ-protocol (see KL Ch. 14), where the challenge is 1-bit long. In KL it is shown that Σ-protocols are honest-verier zero knowledge (i.e. zero knowledge for veriers that follow the specied protocol). However, as above, they can shown to be zero knowledge even for malicious veriers when the challenge is short (namely, O(log n) bits). 3 Zero Knowledge for NP Theorem 6 Every language in NP has a zero-knowledge proof. can prove anything in zero knowledge, provided you have a short, eciently veriable witness, e.g. that c is an encryption of m with respect to pk. that the decryption of c i is the largest number among the decryptions of c 1,..., c n. that Fermat's Last Theorem has a proof of at most 200 pages. 3

An NP-complete problem: Graph 3-Coloring. An (undirected) graph G = (W, E) is 3-colorable if there is a function C : W {R, Y, B} such that for all (u, v) E, C(u) C(v). 3COL = {G : G is 3-colorable}. For every L NP, there is a poly-time f such that x L f(x) 3COL. Moreover, given any NP proof system for L, we can choose f such that valid NP proofs for x L can be mapped in poly-time to valid 3-colorings of f(x). Cut and Choose: G 3COL C ( (u,v) E C(u) C(v) ). If we randomly permute the 3 colors, each pair (C(u), C(v)) for u v reveals no information. Have prover `commit' to randomized coloring C, verier pick a random edge. Physical Zero-Knowledge Proof: See video. Denition 7 A commitment scheme over message space M = n M n consists of a PPT key generation algorithm Gen(1 n ) = k and a deterministic polynomial-time commitment algorithm Com k (m) (for m M n ) satisfying: (Hiding) Infeasible to learn anything about m from Com K (m) for K R {0, 1} n. Formalized analogously to indistinguishable encryptions. (Binding) There do not exist m m and k, k such that Com k (m) = Com k (m). Zero-Knowledge Proof for Graph 3-Coloring Common input: A graph G = (W, E) and a security parameter 1 n. Prover's input: A valid 3-coloring C : W {R, Y, B} (in case G 3COL) 1. P : Choose a permutation π : {R, Y, B} {R, Y, B} uniformly at random, and set C = π C. For every vertex w W, choose k w R {0, 1} n and send z w = Com kw (C (w)) to V. 2. V : Choose an edge (u, v) R E, and send (u, v) to P. 3. P : Check that (u, v) E, and if so send C (u), C (v), k u, k v to V. 4. V : Accept if C (u) C (v), z u = Com ku (C (u), k u ) and z v = Com kv (C (v)). Theorem 8 Above is a zero-knowledge proof for Graph 3-Coloring. Proof: Perfect completeness. Soundness error 1 1/ E. Reduce by repetition. 4

Simulator S V, on input G = (W, E) and security parameter 1 n : 1. Select (u, v) R E. 2. Dene a coloring C by setting (C (u), C (v)) to be two random distinct colors in {R, Y, B}, and setting C (w) = R for all other vertices w. 3. For every w W, choose k w R {0, 1} n, and set z w = Com kw (C (w)). 4. Select random coin tosses r V for V, and let (u, v ) = V (G, {z w } w W ; r V ). 5. If (u, v ) (u, v), output fail. Otherwise, output ({z w } w W, (u, v), (k u, k v, C (u), C (v)); r V ). Claim 9 For every PPT V and G 3COL, we have 1. S V (G, 1 n ) succeeds with probability at least 1/ E neg(n), and 2. The output distribution of S V (G, 1 n ), conditioned on success, is computationally indistinguishable from View (P (C),V ) V (G, 1 n ). Repeat n E times to eliminate failure. Corollary 10 Every language in NP has a zero-knowledge proof. 5

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback