Transcript Zero-Knowledge Proof System

Zero-Knowledge
Proof System
Slides by Ouzy Hadad , Yair Gazelle & Gil Ben-Artzi
Adapted from Ely Porat course lecture notes.
Background and Motivation
The purpose
of a traditional proof is to convince
somebody, but typically the details of a proof give
the verifier more info about the assertion.
A proof is a zero-knowledge if the verifier does
not get from it anything that he can not compute
by himself.
Background and Motivation (cont.)
Whatever can be
efficiently obtained by
interacting with a prover, could also be computed
without interaction, just by assuming that the
assertion is true and conducting some efficient
computation.
Zero Knowledge (Definition)
 Let
(P,V) be an interactive proof system for some language L.
We say that (P,V), actually P, is zero-knowledge if for every
probabilistic polynomial-time verifier V*, there exists a
probabilistic polynomial-time machine M* s.t. for every xL
holds
{ P,V  ( x)}xL  {M  ( x)}xL
 Machine
P.
M* is called the simulator for the interaction of V* with
Perfect Zero Knowledge
(Definition)
Let (P,V) be an interactive proof system for some language L.
We say that (P,V), actually P, is perfect zero-knowledge (PZK)
if for every probabilistic polynomial time verifier V*, there exists
a probabilistic polynomial-time machine M* s.t. for every xL
the distributions {<P,V*>(x)}xL and {M*(x)}xL are identical, i.e.,
{ P,V  ( x)}xL  {M  ( x)}xL
Statistically close distributions
(Definition)
The distribution ensembles {Ax}xL and {Bx}xL are
statistically close or have negligible variation
distance if for every polynomial p(•) there exits
integer N such that for every xL with x  N
holds:
  ProbA
x
    Pr obBx   
1

p x 
Statistical zero-knowledge
(Definition)
Let (P,V) be an interactive proof system for some language
L. We say that (P,V), actually P, is statistical zero
knowledge (SZK) if for every probabilistic polynomial time
verifier V* there exists a probabilistic polynomial-time
machine M* s.t. the ensembles {<P,V*>(x)}xL and
{M*(x)}xL are statistically close.
Computationally
indistinguishable (Definition)
Two ensembles {Ax}xL and {Bx}xL are
computationally indistinguishable if for every
probabilistic polynomial time distinguisher D and
for every polynomial p(•) there exists an integer
N such that for every xL with |x|  N holds
1
| Pr obDx, Ax   1  Pr obD( x, Bx )  1 |
p(| x |)
Computational zero-knowledge
(Definition)
Let (P,V) be an interactive proof system for some
language L. (P,V), actually P, is computational zero
knowledge (CZK) if for every probabilistic polynomialtime verifier V* there exists a probabilistic polynomialtime machine M* s.t. the ensembles {<P,V*>(x)}xL and
{M*(x)}xL are computationally indistinguishable.
PZK by view
The pair
<P,V> is PZK by view if for every p.p.t
V*... (probability polynomial time machine) there
exist p.p.t M* such that for every xL we have:
{view(P,V*)(x)={M*(x)} where view(P,V*)(x) is the
view of V* after running <P,V*> on the input x, and
M*(x) is the output of M* on the input x.
IP is PZK iff PZK by view
Lemma: An interactive proof system is perfect
zero-knowledge iff it is perfect zero knowledge
by view.
Proof:
Let M* satisfy: {view<P,V*>(x)}xL  {M*(x)}xL
for every xL. M* has on its work-tape the
final view of V*. Hence, it is able to perform
the last step of V* and output the result. And
so the modified M*(x) is identical to <P,V*>(x).
Proof of lemma (cont.)
Let M* satisfy: {<P,V*>(x)}xL  {M*(x)}xL .
For a particular V*, let us consider a verifier
V** that behaves exactly like V*, but outputs
its whole view (at the end). There is a machine
M** s.t.
  P,V


 ( x)
xL

M


( x)
xL
Graph-Isomorphism
A pair
of two graphs, G1  (V1, E1 ), G2  (V2 , E2 ).
Where | V1 || V2 | .
Lets  be an isomorphism between the input
graphs, namely  is 1-1 and onto mapping of the
vertex set V1 to the vertex set V2 so that
(v, u)  E1 iff ( (v), (u))  E2
ZK proof for Graph Isomorphism
Prover’s first step(P1): Select random
permutation  over V1, construct the set
F :  (u), (v): (u, v) E1 , and send
H  (V1 , F) to the verifier.
Verifier’s first step (V1 ) : V gets H from P.
V select   1,2 and send it to P.
P is supposed to answer with an isomorphism
between G 0 and H .
ZK proof for Graph
Isomorphism(cont.)
(P2): If =1, then send  =  to V.
Otherwise send  =   -1 to V.
(V2): If  is an isomorphism between G
and H then V output 1, otherwise it
outputs 0.
Construction (diagram)
Prover
Verifier
=Random Permotation
H  G1
H
If =1, send  = 
R{1,2}

otherwise  =   -1
Accept iff

H = (G)
An example:
Common input: two graphs G1 and G2.
3
2
4
4
G1

G2
5
5
1
2
1
Only P knows .
3
An
example
(cont.)
V sends
 =  


3
2
G1
2
5
4
5
1
H
1
3
Only P knows .
=2 to P.
4
G2
5
1
2
4
P sends H to V.
-1
3
V gets 
and accepts.
Theorem: Graph isomorphism
is in Zero-Knowledge
Theorem 1:
The construction above is a
perfect zero-knowledge
interactive proof system
(with respect to statistical
closeness).
Proof
of
Theorem
1
Completeness:
If G1  G2 , V always accepts.
First, G’=(G1).
If =1 then  =  , Hence:
(G) =  (G1) = (G1) = G’ .
If =2 then  =   -1, Hence:
(G) =   -1(G2) =  (G1) = G’ .
And hence V always accepts when G1  G2 .
Proof of Theorem 1 (cont.)
Soundness:
Let P* be any prover.
If it sends to V a graph not isomorphic neither to G1 nor
to G2, then there is no isomorphism between G and
G’. If G’  G1 then P* can convince V with probability at
most 1/2 (V selects {1,2} uniformly).
Hence: when G1 and G2 are non-isomorphic:


Pr  P , V (G1 , G 2  )  accept  1
2
If we will run this several times we will get the desire
probability.
Zero Knowledge
(Construction of a simulator)
Let
V* be any polynomial-time verifier, and let q(•)
be a polynomial bounding the running time of V*.
M*
q x 
selects a string r  R {0,1}
= r 01100…………011
M*
Construction of a Simulator
(cont.)
selects R{1,2}.
 2
M* selects a random permutation over V.
   1 2 3 4 5 
3 1

M*
4 5
constructs G’’= (G).
2 

4
2
5
1
G’’ 3
5
1
2
4
3
G2
Construction of a Simulator
(cont.)
*
*
M
runs V with the latter’s strings set as follows:
Input
Tape
Random
Tape
x
r
G’’
Denote

 as V*‘s output.
Message
Tape
 2
M* halts with output (x,r,G’’,).
Proof of Theorem 1 (cont.)
Definition:
Let (P,V) be an interactive proof system for L.
(P,V) is perfect zero-knowledge by view if
for every probabilistic polynomial-time
verifier V* there exists a probabilistic
polynomial time machine M* s.t. for every
xL holds:
{view<P,V*>(x)}xL  {M*(x)}xL
where view<P,V*>(x) is the final view of V* after
running <P,V*> on input x.
view = all
the data
a machine
possesses
Proof of Theorem 1 (cont.)
Lemma: Let x  (G1, G2 )  ISO Then for every string r,
graph H and permutation , it holds that:
Pr [view<P,V*>(x) = (x,r,H,)] =
Pr [M*(x) = (x,r,H,) | M*(x)  ]
Proof:
Let m* describe M* conditioned on its not being .
Define the 2 random variables:
1.v(x,r) - the last 2 elements of view(P,V*)(x)
conditioned on the second element equals r.
2. (x,r) - the same with m*(x).
Proof of lemma (cont.)
Let V* (x,r,H) denote the message sent by V*
for a fixed r and an incoming message H.
We will show that v(x,r) and (x,r) are
uniformly distributed over the set:
C x ,r :
H ,   : H  (G
V  ( x ,r , H )

) .
While running the simulator we have H=(G),
and only the pairs satisfying =v*(x,r,H) lead to
an output. Hence:
1

if
H


(
G
)

V ( x ,r , H ) 
 | V1 |!
P r( ( x, r )  ( H ,  ))  

0 otherwise



Proof of lemma (cont.)
Consider v(x,r):


(

(G
),

)
if
V
(x,r, (G1 ))  1
1


V(x, r)  
1
otherwise
(

(G
),



)

2

For each H (which is isomorphic to G1):



1 V  (x, r, H) 
1
if     
|
V
|!


1
Pr( (x,r)  ( H , ))  

otherwise 0



Observing that H   (GV ( x,r , H ) ) iff     
and hence the lemma follows.

1 V ( x , r , H )
Proof of Theorem 1 (cont.)
Corollary: view<P,V*>(x) and M*(x) are
statistically close.
Proof:
A failure is output with probability 1 2
If the simulator returns steps P1-P2 of the
construction |x| times and at least once at step
P2 =, then output (x,r,G’’,). If in all |x|
trials  , then output rubbish.
Hence, we got a statistical difference of 2 | x|
and so the corollary follows.
Zero-Knowledge for NP
NP Problem: A language L belongs to NP if
and only if there exist a two-input
polynomial-time algorithm A and constant C
such that:

L   x 0,1 : there exist a certificate y with
y  O(| x |c ) such that A( x, y)  1
We say that algorithm A verifies language L
in polynomial time.
IP for NP
Lets L language
belong to NP, and x L ,
P should prove V that he know the solution for x.
(P1): P guess the solution y for the problem x.
(V1) V verify in polynomial time that A(x,y)=1.
We
will give ZK interactive proof system for NP
complete problem (G3C), which implies that for
every NP problem, we have ZK proof.
G3C
Common Input: A graph
P can paint the graph in
1
3 colors.
2
3
P must
secret.
keep the coloring a
4
5
G3C is in Zero-Knowledge
Construction (ZK IP for G3C):
P chooses a
random color
permutation.
He
puts all the nodes inside
envelopes.
And
sends them to the verifier.
1
2
1
2
3
3
5
4
5
4
G3C is in ZK (cont.)
Verifier receives a
3-colored
graph, but colors are hidden.
He
chooses an edge at random.
And
asks the prover to open the
2 envelopes.
11
22
33
44
55
G3C is in ZK (cont.)
Prover opens
the envelopes,
revealing the colors.
Verifier accepts if
the colors are
11
22
33
4
different.
5
Formally,
G =
(V,E) is 3-colorable if there exists a mapping
 : V {1,2,3} so that  (u)   (v)
for every (u, v)  E .
Let  be a 3-coloring of G, and let  be a
permutation over {1,2,3} chosen randomly.
Define  (v)   ( (v)) a random 3-coloring.
Put each (v) in a box with v marked on it.
Send all the boxes to the verifier.
Formally, (cont.)
Verifier selects an
edge at random
e  (u, v) R E asking to inspect the colors.
Prover sends the keys to boxes u and v.
Verifier uses the keys to open the boxes.
If he finds 2 different colors from {1,2,3} - Accept.
Otherwise - Reject.
G3C (diagram)
1
(1)
2
(2)
P
P
P
n
(n)
V
e  (u, v) R E
Keyu , keyv
V
V
The construction is in ZK:
 Completeness:
If G is 3-colorable and both P and V follow the rules, V
will accept.
 Soundness:
Suppose G is not 3-colorable and P* tries to cheat. Then
at least one edge (u,v) will be colored badly:  (u) = 
(v).
V will pick a bad edge with probability 1| E | which can
be increased to 2 3 by repeating the protocol
sufficiently many times.
Zero Knowledge
(Construction of a simulator)
Let
V* be any polynomial-time verifier, and let q(•)
be a polynomial bounding the running time of V*.
M*
selects a string r R 0,1
q (| x|)
r  11010 .......110
Construction of a Simulator (cont.)
selects e’=(u’,v’) R E.
M* sends to V* boxes filled with garbage, except
for the boxes of u’ and v’, colored as follows:
M*
C R {1,2,3}


c
d
u’
v’
d R {1,2,3}\{c}
If V* picks (u’,v’), M* sends V* their keys
and the simulation is completed.
Otherwise, the simulation fails.
Analysis of the Simulation
For every GG3C, the distribution of
m*(<G>) = M*(<G>) | (M*(<G>)  ) is
identical to <P,V*>(<G>).
Since V* can’t tell e’ from other edges by
looking at the boxes, he picks e’ with
probability 1/|E|, which can be increased
to a constant by repeating M* sufficiently
many times.
So if the boxes are perfectly sealed,
G3CPZK.

ZK for Finding square modulo n
Input: x2 modulo
n.
output: x modulo n.
The prover need to prove that he know the
output.
ZK for Finding square modulo n
(cont.)
(P1): P find two large prime number p,q,
where n=p·q. He also choose randomly
r [n, n4].
P send n, x2 mod n and r2 mod n to V.
(V1): V has two possibilities
(a) Ask r. check the value of r2 mod n.
(b) Ask for x ·r. check the value of x2 r2 mod n
Analysis of the Protocol - square
modulo n
Soundness: If P does not know x, then in
probability of 50% V will catch him, if we
will run this several times we will get the V
will reject in probability larger then 2/3.
Completeness: If P know x, V always accept.
Analysis of the Protocol - square
modulo n (cont.)
This protocol is computational ZK.
The Protocol give
the value x2 mod n but the
verifier can't calculate x from it .
If the verifier ask option 1 from the prover, he get
no additional info.
If the verifier ask option 2 from the prover, he get
xr which is random.
CO-NP  ZK





In order to prove the above it’s enough to show that
CO-NP complete problem is in IP
We will show that CO-SAT belongs to IP.
Than we can show that CO-SAT belongs to ZK.
Reminder: CO-SAT means that there are no truth
assignment for an equation.
We can treat it as a specific case of proving that for an
equation there are exactly K truth assignments (In this
case , K=0)
CO-SAT  IP

Lemma
1. (x1,x2,x3,…,Xn) has exactly Kn truth assignments  
k0,k1 : Kn=k0+k1
2. (0,x2,x3,…Xn) = 0(x2,x3,…Xn) has exactly k0 truth
assignments
3. (1,x2,x3,…Xn) = 1(x2,x3,…Xn) has exactly k1 truth
assignments

Informal explanation


By setting a variable in the original equations we create a
new equation with a special relation to the original one.
Each new equation must have a specific number of
assignments which can be pre-calculate.
CO-SAT  IP






We can now construct a solution based upon the
previous lemma
Prover will send verifier k0,k1 for (n)
Verifier will check that for (n-1) , condition 1 of lemma
is true ( Kn=k0+k1)
Verifier will create randomly a new equation (n+1), by
assigning 1 or 0 to the first variable of n
If we assign 1 , the number of solutions should be K0 ,
otherwise k0
Verifier will send to prover the new equation
CO-SAT  IP
Now prover will send the new k0n,k1n for the
new (n+1)
 Verifier remember previous k1 and can check if
k1=k0n+k1n , so the prover cannot cheat him
 Each stage we reduced one variable from
equation by assign a value to it
 Now let’s prove completeness & soundness

CO-SAT  IP

Completeness


If prover does not cheat , each new equation will have the
appropriate relation to the previous one and verifier will be
convinced
Soundness


If prover cheat i.e. send k0 as a false one, the new equation
should be based upon assignment of 0 to first element in
order to see it (remember that we check only one of k0/k1 –
it’s deepened on the assignment). We have a probability of ½
to do this , and we should always peek the right assignment
down the road. Total probability (in the worst case) is (½)^n
Huston, we have a problem ! ( no soundness )
CO-SAT  IP, Solution 2
We will expand the range variables of  to a field
(F) such that |F| > (2)^n
 Each variable can get now not just 0 or 1 but a
value from the field
 We will construct a new equation `:

F0 , T positive integer
^*,+
 (p)`p , (~p)` 1-p`
 (p^q)`p`q` , (pq)` ~(~(~p ^ ~q))’

CO-SAT IP, Solution 2


We got now ` that is a polynomial of
(x1,…,Xn) over field F.
Prover should now prove that
 .....  `(x1,...Xn)  K
x10,1 x 20,1

xn0,1
Note that
1. Number of root for [p1(0)+p1(1)]= p0().
2. Polynomials have the same number of roots for 
 [p1()-p2()] = 0
CO-SAT  IP, Solution 2




Prover will send the polynom [P1], and the number of
roots (K) for this polynom
Verifier will check that K=p1(0)+p1(1), choose a random
value F and send it to prover
Prover will now construct a new polynom P2 = P1(),
calculate the number of roots for the new one and send
it to verfier
This process continue until all variable has been assign
(2n iterations)
CO-SAT  IP, Solution 2
Completeness is clear.
 Soundness



In order to lie , the prover should send the verifier a
false polynom. This polynom should have the same
roots as the correct one. Since we have a field of
elements ,The probability for this is n/|F|. The
probability not found this is (1-n/|F|) > 2/3
We proved that CO-NP is in IP
CO-NP  ZK
It’s enough to
show that CO-SAT is in ZK
The problem in the previous solution is that the
verifier can see each stage the solution of the
previous.
He can use it to get some other information from
prover
CO-SAT  ZK
The prover
can now send the polynom in an
envelops , just like in G3C
The verifier should now check that the prover has
not mislead him
We have got now a new problem : How can we
open the envelops without gaining any
information from the prover
CO-SAT  ZK
The problem
of opening an envelops is in NP ,
since the oracle can guess the keys and we can
verify in a polynomial time that indeed we have
the appropriate keys
Since NP  ZK , we can now make a reduction
and solve the above problem
CO-SAT  ZK  CO-NP  ZK !