10A-interactive-proofs.pptx
Download
Report
Transcript 10A-interactive-proofs.pptx
Interactive Proofs
(variation of)
Slides by
Ariel Procaccia
Graph isomorphism
π respects both edges and
non-edges across πΊand πΊ β²
Two graphs πΊ = (π, πΈ) and πΊ β² = π β² , πΈ β² are isomorphic
(πΊ~πΊ β² ) if there exists a bijection π: π β π β² such that:
π’, π£ β πΈ βΊ π π’ , π π£ β πΈ β²
Question. Are these two graphs isomorphic?
1
7
2
3
4
5
6
8
1
2
3
4
5
6
7
8
Answer. Yes, via the bijection shown by the colors.
Graph isomorphism
GRAPH ISOMORPHISM: Given two graphs
πΊ = (π, πΈ) and πΊ β² = π β² , πΈ β² check that
they are isomorphic.
Question. Is this problem in P? In NP?
Answer. Not known to be in P. But in NP:
ο± certificate: Any bijection from π to π β² .
ο± verifier: The algorithm which checks
that the given bijection respects every
edge and non-edge across πΊ and πΊ β² .
Question. Is it NP-complete?
Answer. Nobody knows.
Graph non-isomorphism
So, it is easy to convince someone that two
graphs are isomorphic. But what about the
opposite? Is it also easy to convince that
two graphs are not isomorphic?
In other (formal) words:
GRAPH NON-ISOMORPHISM: Given graphs
πΊ0 , πΊ1 check that they are not isomorphic.
Question. Is this problem also in NP?
Answer. Nobody knows.
Graph non-isomorphism
GRAPH NON-ISOMORPHISM: Given graphs
πΊ0 , πΊ1 check that they are not isomorphic.
So, if I happen to know that two graphs are
not isomorphic, then there is no known
efficient non-interactive
way to
convince you that this is indeed the case.
But we do know of an interactive one!
(Remark. πΊ0 ~πΊ1 & πΊ1 ~πΊ βΉ πΊ0 ~πΊ.)
Our protagonists
Arthur = Verifier
weak; does not know; to be convinced
Merlin = Prover
strong; knows; can convince
IP for GRAPH NON-ISOMORPHISM
Verifier chooses π β {0,1} and
permutation π at random, and
sends π(πΊπ ) to Prover .
Prover sends a bit πβ².
If π = πβ² verifier accepts,
otherwise verifier rejects.
IP for GRAPH NON-ISOMORPHISM
1
πΊ0 :
3
2
4
π(πΊ0 ):
0
1
2
3
4
If the graphs are
non-isomorphic:
πΊ0 :
πΊ1 :
always correct
Accept!
IP for GRAPH NON-ISOMORPHISM
1
πΊ0 :
3
2
4
π(πΊ0 ):
1
2
3
4
0/1
correct w.p. 1/2
Accept/Reject!
Prover lucky.
Verifier fooled.
Verifier lucky.
Prover caught.
If the graphs are
isomorphic:
πΊ0 :
πΊ1 :
IP for GRAPH NON-ISOMORPHISM
1. Verifier chooses π β {0,1} and permutation π at random;
sends π(πΊπ ) to Prover .
2. Prover sends a bit πβ².
3. If π = πβ² then Verifier accepts, otherwise it rejects.
Vote. With what probability does the Prover
make the Verifier accept, if πΊ0 , πΊ1 are respectively
(i) non-isomorphic and (ii) isomorphic?
ο±
ο±
ο±
ο±
1 and 1/π!
1 and 1/2
1/2 and 1/π!
1/2 and 1/2
Interactive proofs
Definition. An interactive proof system for a problem πΏ is
a protocol between a computationally unbounded Prover π
and a probabilistic polynomial-time Verifier π which meets
the following two specifications:
ο± Completeness: For every YES-instance π₯:
Pr π β π π₯ = accept = 1
ο± Soundness: For every NO-instance π₯ and any πβ²:
Pr π β πβ² π₯ = accept β€ 1/2
Being fooled with probability
½ is still pretty bad!
What can we do about it?
includes potentially
dishonest Provers.
Theorem. GRAPH NON-ISOMORPHISM has an i.p. system.
IP
Definition. We call ππ the class of all problems which have
an interactive proof system.
Corollary. GRAPH NON-ISOMORPHISM β ππ.
Vote. What is the known relation between ππ and ππ?
ο±
ππ β ππ
ο±
ππ β ππ
ο±
ππ = ππ
ο±
They are incomparable.
Corollary. GRAPH ISOMORPHISM β ππ, as well.
Zero-knowledge proofs
In the i.p. for GRAPH ISOMORPHISM, the Prover obviously
reveals the bijection to the Verifier. Can that be avoided?
Namely:
Question. Is there an interactive protocol by which the
Prover can convince the Verifier that a bijection exists
without revealing such a bijection to him?
Such a protocol is called a zero-knowledge proof.
Why do we need ZKPs?
Merlin, prove that you are who
you say you are!
Accept!
* Just for fun
ZKP for GRAPH ISOMORPHISM
Prover chooses π β {0,1} and permutation π at
random, and sends π» = π(πΊπ ) to Verifier.
Verifier sends a random bit πβ² to Prover.
Prover picks a permutation πβ² and sends it
to Verifier.
Verifier accepts iff π» = π β² πΊπβ² .
ZKP for GRAPH ISOMORPHISM
1. Prover chooses π β {0,1} and permutation π at random,
and sends π» = π(πΊπ ) to Verifier.
2. Verifier sends a random bit πβ² to Prover.
3. Prover picks a permutation πβ² and sends it to Verifier.
4. Verifier accepts iff π» = π β² πΊπβ² .
Claim 1. This is an indeed an interactive proof protocol:
ο± It is complete (why?)
ο± It is sound (why?)
Claim 2. The verifier learns nothing about the solution!
* Just for fun
Zero-knowledge proofs
Definition (informal).
An interactive proof system is zero-knowledge if:
for any probabilistic polynomial-time Verifier πβ²
there is a probabilistic polynomial-time Simulator ππ β²
which, given any YES-instance π₯, produces the same
distribution of interaction transcripts as the one produces
when πβ² talks to the honest Prover π!
By talking to the honest Prover π
about π₯, a dishonest Verifier πβ² can
only see information that it can
produce by talking to itself anyway!
ZKP for OPEN SESAME
Peggy knows the magic words that open a door in a cave.
How to prove so to Victor, without revealing the words?
1. Peggy chooses passage π β {π΄, π΅} and enters via π.
2. Victor picks a random passage πβ² β π΄, π΅ and shouts it to
Peggy.
3. Peggy exits via πβ². Victor accepts if she indeed does so.
Claim 1. This is an indeed an interactive proof protocol:
ο± It is complete (why?)
ο± It is sound (why?)
* Just for fun
Claim 2. Victor learns nothing about the magic word!
Comparison
Prover chooses π β {0,1} and permutation π at
random, and sends π» = π(πΊπ ) to Verifier.
Verifier sends a random bit πβ² to Prover.
Prover picks a permutation πβ² and sends it
to Verifier.
Verifier accepts iff π» = π β² πΊπβ² .
*Not in the exam
ZKP for 3-COLORING*
Let us design a zero-knowledge proof
system for 3-COLORING.
We will assume the cryptographic
construction of bit commitment:
ο± Prover can put bits in envelopes
and send them to Verifier.
ο± Verifier can open an envelope
only if the Prover tells him how.
* Just for fun
*Not in the exam
ZKP for 3-COLORING*
Prover selects random permutation π of π
, πΊ, π΅ ,
commits to all π πΎ π£ for π£ β π and sends them
to Verifier.
Verifier selects random π’, π£ β πΈ and sends
it to Prover.
Prover reveals π = π πΎ π’
and π = π(πΎ π£ ).
Verifier accepts iff π β π
*Not in the exam
ZKP for 3-COLORING*
If the graph is
3-colorable:
π
π
π
π
π
π
π
π
Accept!
* Just for fun
πΎ(πΊ)
π
*Not in the exam
ZKP for 3-COLORING*
If the graph is
not 3-colorable:
π
π
π
π
π
/
/
π
π
π
error caught
w.p. β₯ 1/|πΈ|
π
π
Accept/Reject!
* Just Prover
for lucky.
fun
Verifier fooled.
Verifier lucky.
Prover caught.
π
π
πΎ(πΊ)
π
*Not in the exam
ZKP for 3-COLORING*
1. Prover selects random permutation π of π
, πΊ, π΅ ,
commits to all π πΎ π£ for π£ β π and sends them to Verifier.
2. Verifier selects and sends random π’, π£ β πΈ.
3. Prover reveals π = π πΎ π’ and π = π(πΎ π£ ).
4. Verifier accepts iff π β π.
Vote. If πΊ is not 3-colorable, what is the worst-case
probability that the Prover will convince the Verifier?
ο± 1
ο± 1
ο± 1
ο± 1
1
β
2
1
β
π!
1
β
3!
1
β
|πΈ|
*Not in the exam
ZKP for 3-COLORING*
1. Prover selects random permutation π of π
, πΊ, π΅ ,
commits to all π πΎ π£ for π£ β π and sends them to Verifier.
2. Verifier selects and sends random π’, π£ β πΈ.
3. Prover reveals π = π πΎ π’ and π = π(πΎ π£ ).
4. Verifier accepts iff π β π.
To get soundness, we must repeat the protocol.
Why zero-knowledge: Prover just reveals a pair of distinct
random colors!
* Just for fun
What you need to know
Definitions
ο± Interactive proof system
ο± The class IP
ο± Zero-Knowledge proofs
Algorithms
ο± Interactive proof system for
GRAPH NON-ISOMORPHISM
ο± Zero-Knowledge proof for
GRAPH ISOMORPHISM