Slides by Roel Apfelbaum & Eti Ezra.
Enhanced by Amit Kagan.
Adapted from Oded Goldreich's course lecture notes.
Notation
Let A and B be a pair of ITMs (interactive Turing machines). <A,B>(x) is the random variable representing the (local) output of B when interacting with machine A on common input x, where the random input of each machine is chosen uniformly and independently.
17.1
Zero Knowledge (Definition)
Let (P,V) be an interactive proof system for some language L. We say that (P,V), actually P, is zero-knowledge if for every probabilistic polynomial-time ITM V* there exists a probabilistic polynomial-time machine M* such that for every x ∈ L the ensembles
{<P,V*>(x)}x∈L and {M*(x)}x∈L
cannot be told apart (the following slides fix the precise notion of closeness).
Machine M* is called the simulator for the interaction of V* with P.
Perfect Zero Knowledge (Definition)
Let (P,V) be an interactive proof system for some language L. We say that (P,V), actually P, is perfect zero-knowledge (PZK) if for every probabilistic polynomial-time ITM V* there exists a probabilistic polynomial-time machine M* such that for every x ∈ L the distributions {<P,V*>(x)}x∈L and {M*(x)}x∈L are identical, i.e.,
{<P,V*>(x)}x∈L ≡ {M*(x)}x∈L
Example: A trivial simulator for <P,V>
Let V be a verifier that satisfies the definition of IP: when x ∈ L, V accepts with probability close to 1, and when x ∉ L, V accepts with probability close to 0.
Let M be the simulator that always accepts.
When x ∈ L the distributions <P,V>(x) and M(x) are very close.
Statistically close distributions (Definition)
The distribution ensembles {Ax}x∈L and {Bx}x∈L are statistically close, or have negligible variation distance, if for every polynomial p(·) there exists an integer N such that for every x ∈ L with |x| ≥ N:
Σ_α |Pr[Ax = α] − Pr[Bx = α]| < 1/p(|x|).
Statistical zero-knowledge (Definition)
Let (P,V) be an interactive proof system for some language L. We say that (P,V), actually P, is statistical zero-knowledge (SZK) if for every probabilistic polynomial-time verifier V* there exists a probabilistic polynomial-time machine M* such that the ensembles {<P,V*>(x)}x∈L and {M*(x)}x∈L are statistically close.
Computationally indistinguishable (Definition)
Two ensembles {Ax}x∈L and {Bx}x∈L are computationally indistinguishable if for every probabilistic polynomial-time distinguisher D and for every polynomial p(·) there exists an integer N such that for every x ∈ L with |x| ≥ N:
|Pr[D(x,Ax) = 1] − Pr[D(x,Bx) = 1]| < 1/p(|x|)
Computational zero-knowledge (Definition)
Let (P,V) be an interactive proof system for some language L. (P,V), actually P, is computational zero-knowledge (CZK) if for every probabilistic polynomial-time verifier V* there exists a probabilistic polynomial-time machine M* such that the ensembles {<P,V*>(x)}x∈L and {M*(x)}x∈L are computationally indistinguishable.
Lemma: BPP ⊆ PZK
Proof: Since L ∈ BPP, V can be set to a probabilistic polynomial-time machine that decides L. P is deterministic and never sends data to V.
Clearly <P,V> is an interactive proof system (the completeness and soundness conditions hold).
(P,V) is PZK because for every V*:
{<P,V*>(x)}x∈L ≡ {V*(x)}x∈L
V* is a simulator for itself!
Graph isomorphism is in Zero-Knowledge
ISO := {(<G1>,<G2>) | G1 ≅ G2}
Construction (ZK IP for ISO):
Common input: G1 = (V1,E1), G2 = (V2,E2).
Fix an isomorphism between G1 and G2 (known only to P). Suppose that |V1| = |V2| = n.
17.2
Construction (cont.)
(P1): P selects a random permutation over V1, constructs the edge set F, the image of E1 under that permutation,
F := { (image of u, image of v) : (u,v) ∈ E1 },
and sends H = (V1,F) to V.
(V1): V gets G' = (V',E') from P. V selects an index uniformly at random from {1,2} and sends it to P. P is supposed to answer with an isomorphism between the selected graph (G1 or G2) and G'.
Construction (cont.)
(P2): If the selected index is 1, P sends the random permutation itself to V. Otherwise, P sends the random permutation composed with the inverse of the isomorphism (a map that carries G2 onto G').
(V2): If the received map is an isomorphism between the selected graph and G', then V outputs 1; otherwise it outputs 0.
Construction (diagram)
Prover: picks a random permutation from Sym([n]) and sends H, the image of G1 under it, to the Verifier.
Verifier: picks an index uniformly at random from {1,2} and sends it to the Prover.
Prover: if the index is 1, sends the permutation itself; otherwise sends the permutation composed with the inverse isomorphism.
Verifier: accepts iff H equals the image of the selected graph under the received map.
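The construction above as an added, runnable example (this is not code from the slides or from Goldreich's notes): an honest prover and verifier on a constructed pair of isomorphic 5-vertex graphs, plus an exact count of how often the best possible cheating prover survives when the two graphs are not isomorphic. The graphs G1, G2 and G_NOT_ISO, the secret isomorphism PHI, and all function and variable names (pi, sigma, psi) are assumptions of the example.

```python
import random
from fractions import Fraction
from itertools import permutations, product

# Constructed sample input: G1 is a 5-cycle on vertices 0..4, PHI is the
# isomorphism known only to the prover, G2 = PHI(G1), and G_NOT_ISO is a
# 4-edge path, which is not isomorphic to G1 (used for the soundness count).
G1 = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0)]
PHI = [2, 0, 3, 1, 4]                  # PHI[v] is the image of vertex v
G_NOT_ISO = [(0, 1), (1, 2), (2, 3), (3, 4)]
N = 5

def apply_map(edges, m):
    """Image of an edge set under the vertex map m (undirected edges as frozensets)."""
    return frozenset(frozenset((m[u], m[v])) for u, v in edges)

def compose(outer, inner):
    """Vertex map v -> outer[inner[v]]: apply inner first, then outer."""
    return [outer[inner[v]] for v in range(len(inner))]

def inverse(m):
    inv = [0] * len(m)
    for v, w in enumerate(m):
        inv[w] = v
    return inv

G2 = apply_map(G1, PHI)

def prover_step_p1(g1, n, rng):
    """P1: pick a random permutation pi of the vertices and send H = pi(G1)."""
    pi = list(range(n))
    rng.shuffle(pi)
    return pi, apply_map(g1, pi)

def prover_step_p2(pi, phi, sigma):
    """P2: answer the challenge sigma with a map psi such that psi(G_sigma) = H.
    sigma == 1: psi = pi (maps G1 onto H); sigma == 2: psi = pi o phi^-1 (maps G2 onto H)."""
    return pi if sigma == 1 else compose(pi, inverse(phi))

def verifier_step_v2(g1, g2, H, sigma, psi):
    """V2: accept iff psi is an isomorphism from the selected graph onto H."""
    return apply_map(g1 if sigma == 1 else g2, psi) == H

def honest_run(g1, g2, phi, n, rounds, seed=0):
    """Sequentially repeated protocol with honest P and V; True iff every round accepts."""
    rng = random.Random(seed)
    for _ in range(rounds):
        pi, H = prover_step_p1(g1, n, rng)
        sigma = rng.choice([1, 2])           # V1: uniform challenge
        psi = prover_step_p2(pi, phi, sigma)
        if not verifier_step_v2(g1, g2, H, sigma, psi):
            return False
    return True

def find_isomorphism(src, dst, n):
    """Brute-force search (fine for tiny n): a map with map(src) == dst, or None."""
    for p in permutations(range(n)):
        if apply_map(src, list(p)) == dst:
            return list(p)
    return None

def cheating_success_fraction(g1, g_other, n, rounds):
    """Exact acceptance probability of the best prover that sends H = pi(G1) when
    g1 and g_other are NOT isomorphic: even searching all maps, it can only answer
    sigma == 1, so it survives a challenge sequence iff every challenge is 1."""
    pi = list(range(n))                      # any fixed pi gives the same count
    H = apply_map(g1, pi)
    accepted = 0
    for challenges in product([1, 2], repeat=rounds):
        ok = True
        for sigma in challenges:
            psi = find_isomorphism(g1 if sigma == 1 else g_other, H, n)
            ok = psi is not None and verifier_step_v2(g1, g_other, H, sigma, psi)
            if not ok:
                break
        accepted += ok
    return Fraction(accepted, 2 ** rounds)
```

With 3 rounds the cheating prover is accepted on exactly 1 of the 8 challenge sequences, i.e. with probability 1/8 = (1/2)^3, which is the sequential amplification of the 1/2 soundness bound proved below.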
An example:
[Figure: two graphs G1 and G2, each drawn on vertices 1..5.]
Common input: two graphs G1 and G2.
Only P knows the isomorphism.
An example (cont.)
[Figure: G1, the relabelled graph H sent by P, and G2, each drawn on vertices 1..5.]
Only P knows the isomorphism.
P sends H to V.
V sends the index 2 to P.
P answers with the random permutation composed with the inverse isomorphism. V gets it, checks that it maps G2 onto H, and accepts.
Theorem: Graph isomorphism is in Zero-Knowledge
Theorem 1: The construction above is a perfect zero-knowledge interactive proof system (with respect to statistical closeness).
Proof of Theorem 1
Completeness: If G1 ≅ G2, V always accepts.
First, G' is the image of G1 under the random permutation.
If the index is 1, the map sent is the permutation itself, hence its image of the selected graph G1 is G'.
If the index is 2, the map sent is the permutation composed with the inverse isomorphism, hence applying it to G2 first carries G2 onto G1 (via the inverse isomorphism) and then G1 onto G'.
And hence V always accepts when G1 ≅ G2.
Proof of Theorem 1 (cont.)
Soundness: Let P* be any prover. If it sends to V a graph isomorphic to neither G1 nor G2, then there is no isomorphism between the selected graph and G', hence V rejects. Otherwise, w.l.o.g. G' ≅ G1 (and then G' is not isomorphic to G2, since G1 and G2 are not), so P* can convince V with probability at most 1/2 (V selects the index uniformly from {1,2}).
Hence, when G1 and G2 are non-isomorphic: Pr[<P*,V>(<G1>,<G2>) = accept] ≤ 1/2
Zero Knowledge (Construction of a simulator)
Let V* be any polynomial-time verifier, and let q(·) be a polynomial bounding the running time of V*.
M* selects a string r ∈R {0,1}^q(|x|).
r = 01100…………011
Construction of a Simulator (cont.)
M* selects an index uniformly at random from {1,2}.
M* selects a random permutation over V.
M* constructs G'' as the image of the selected graph under that permutation.
[Figure: the index chosen is 2; the permutation maps 1→3, 2→1, 3→4, 4→5, 5→2 (meaning, e.g., that vertex 2 of G2 becomes vertex 1 of G''); G'' and G2 are drawn on vertices 1..5.]
Construction of a Simulator (cont.)
M* runs V* with the latter's tapes set as follows:
input-tape: x
random-tape: r
message-tape: G''
Denote by the challenge the index V* outputs (in the figure, M* had selected 2).
If the challenge differs from the index M* selected, the simulation fails (M* outputs a failure symbol).
Otherwise M* halts with output (x, r, G'', permutation).
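The simulator above as an added example (not the slides' own code): for a constructed V* whose challenge is a deterministic function of its random tape r and the incoming graph, it enumerates every choice of the prover's permutation in the real interaction and every (index, permutation) choice of M*, and checks that the non-failing simulator outputs are distributed exactly like the last two components of V*'s view, with M* failing on exactly half of its choices. The graphs, the isomorphism PHI, the V* strategy and all names (pi, tau, sigma, psi) are assumptions of the example.

```python
import hashlib
import math
from collections import Counter
from itertools import permutations

# Constructed sample input: G1 is a 5-cycle on vertices 0..4, PHI the prover's
# secret isomorphism, G2 = PHI(G1).
G1 = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0)]
PHI = [2, 0, 3, 1, 4]
N = 5

def apply_map(edges, m):
    """Image of an edge set under the vertex map m (undirected edges as frozensets)."""
    return frozenset(frozenset((m[u], m[v])) for u, v in edges)

def compose(outer, inner):
    return [outer[inner[v]] for v in range(len(inner))]

def inverse(m):
    inv = [0] * len(m)
    for v, w in enumerate(m):
        inv[w] = v
    return inv

G2 = apply_map(G1, PHI)

def canonical(H):
    """Deterministic string encoding of a graph, so that V* can hash it."""
    return str(sorted(sorted(e) for e in H))

def v_star(r, H):
    """Constructed (possibly cheating) verifier: its challenge v*(x, r, H) is a
    deterministic but arbitrary-looking function of r and the incoming graph H."""
    digest = hashlib.sha256((r + "|" + canonical(H)).encode()).digest()
    return 1 + (digest[0] & 1)

def real_view_distribution(r, g1=G1, phi=PHI, n=N):
    """Last two components (H, psi) of view<P,V*>(x) for a fixed random tape r,
    enumerated over all |V1|! choices of the prover's permutation pi."""
    views = Counter()
    for pi in permutations(range(n)):
        pi = list(pi)
        H = apply_map(g1, pi)
        sigma = v_star(r, H)
        psi = pi if sigma == 1 else compose(pi, inverse(phi))
        views[(H, tuple(psi))] += 1
    return views

def simulator_distribution(r, g1=G1, g2=G2, n=N):
    """Non-failing outputs (G'', pi) of M* over all 2 * |V1|! choices of (tau, pi):
    M* guesses tau, sends G'' = pi(G_tau) to V*, and succeeds iff V* answers tau."""
    outputs = Counter()
    for tau in (1, 2):
        for pi in permutations(range(n)):
            pi = list(pi)
            g_second = apply_map(g1 if tau == 1 else g2, pi)
            if v_star(r, g_second) == tau:
                outputs[(g_second, tuple(pi))] += 1
    return outputs

def simulator_failure_probability(r, n=N):
    """Exact Pr[M*(x) = failure] for this V* and r: 1 - successes / (2 * n!)."""
    return 1 - sum(simulator_distribution(r).values()) / (2 * math.factorial(n))
```

Because the map M* outputs determines M*'s guess, and the map in the real view determines the prover's permutation, both distributions are uniform over the same set of (graph, map) pairs, which is exactly the lemma proved later in the deck; the failure probability comes out as exactly 1/2 for every r.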
Proof of Theorem 1 (cont.)
Definition: Let (P,V) be an interactive proof system for L. (P,V) is perfect zero-knowledge by view if for every probabilistic polynomial-time verifier V* there exists a probabilistic polynomial-time machine M* such that for every x ∈ L:
{view<P,V*>(x)}x∈L ≡ {M*(x)}x∈L
where view<P,V*>(x) is the final view of V* after running <P,V*> on input x.
(view = all the data a machine possesses)
Proof of Theorem 1 (cont.)
Lemma: An interactive proof system is perfect zero-knowledge iff it is perfect zero-knowledge by view.
Proof (by view ⇒ ZK): Let M* satisfy {view<P,V*>(x)}x∈L ≡ {M*(x)}x∈L for every x ∈ L. M* has on its work-tape the final view of V*. Hence it is able to perform the last step of V* and output the result, and so the modified M*(x) is identical to <P,V*>(x).
Proof of lemma (cont.)
(ZK ⇒ by view): Let M* satisfy {<P,V*>(x)}x∈L ≡ {M*(x)}x∈L.
For a particular V*, consider a verifier V** that behaves exactly like V* but outputs its whole view (at the end). By zero-knowledge there is a machine M** such that {<P,V**>(x)}x∈L ≡ {M**(x)}x∈L, and since the output of V** is the view of V*, M** simulates the view of V*.
Proof of Theorem 1 (cont.)
Lemma: Let x = (G1,G2) ∈ ISO. Then for every string r, graph H and permutation (written below as the fourth component, "map"), it holds that:
Pr[view<P,V*>(x) = (x,r,H,map)] = Pr[M*(x) = (x,r,H,map) | M*(x) ≠ failure]
Proof: Let m* describe M* conditioned on its not failing. Define two random variables:
1. v(x,r): the last two elements of view<P,V*>(x), conditioned on the second element being r.
2. s(x,r): the same for m*(x) (the letter s is used here only to name the simulator's variable).
Proof of lemma (cont.)
Let v*(x,r,H) denote the message sent by V* for a fixed r and an incoming message H. We will show that v(x,r) and s(x,r) are both uniformly distributed over the set:
C_{x,r} := {(H, map) : H = map(G_{v*(x,r,H)})}
While running the simulator we have H equal to the image of the selected graph under the random permutation, and only the pairs in which the index selected by M* equals v*(x,r,H) lead to an output. Hence:
Pr[s(x,r) = (H,map)] = 1/|V1|! if H = map(G_{v*(x,r,H)}), and 0 otherwise.
Proof of lemma (cont.)
Consider v(x,r):
v(x,r) = (image of G1 under the random permutation, the permutation) if v*(x,r, that image) = 1,
and (image of G2 under the permutation composed with the inverse isomorphism, that composed map) otherwise; in both cases the graph component is the same H = G'.
For each H (which is isomorphic to G1):
Pr[v(x,r) = (H,map)] = 1/|V1|! if map = (random permutation) ∘ (isomorphism)^(1 − v*(x,r,H)), i.e. the permutation itself when v*(x,r,H) = 1 and the permutation composed with the inverse isomorphism when v*(x,r,H) = 2; 0 otherwise.
Observing that H = map(G_{v*(x,r,H)}) iff map has this form, the lemma follows.
Proof of Theorem 1 (cont.)
Corollary: view<P,V*>(x) and M*(x) are statistically close.
Proof: A failure is output with probability 1/2. Let the simulator repeat steps P1-P2 of the construction up to |x| times: if at least once at step P2 the index selected by V* equals the one M* selected, output (x,r,G'',map); if in all |x| trials they differ, output rubbish. Hence the statistical difference is 2^-|x|, and so the corollary follows.
Zero-Knowledge for NP
Reminder: NP is like IP with 1/2 round.
We can define NP-ZK as ZK with 1/2 round, but it would be equivalent to BPP:
Lemma: If L admits a zero-knowledge NP-proof system, then L ∈ BPP.
Proof: The simulator for <P,V> accepting L is a BPP machine (it produces V's decision in polynomial time without any prover).
17.3
G3C
Common input: a graph.
[Figure: a graph on vertices 1..5, shown uncolored and then 3-colored.]
P can paint the graph in 3 colors.
P must keep the coloring a secret.
G3C is in Zero-Knowledge
Construction (ZK IP for G3C):
P chooses a random color permutation.
He puts all the nodes inside envelopes.
And sends them to the verifier.
[Figure: the 3-colored graph on vertices 1..5, the same graph with the colors permuted, and the graph with every node hidden in an envelope.]
G3C is in ZK (cont.)
Verifier receives a 3-colored graph, but the colors are hidden.
[Figure: the enveloped graph on vertices 1..5, with one edge highlighted.]
He chooses an edge at random.
And asks the prover to open the 2 envelopes.
G3C is in ZK (cont.)
Prover opens the envelopes, revealing the colors.
[Figure: the enveloped graph on vertices 1..5 with the two endpoints of the chosen edge revealed.]
Verifier accepts if the colors are different.
Formally,
G = (V,E) is 3-colorable if there exists a mapping V → {1,2,3} such that for every edge (u,v) ∈ E the endpoints u and v receive different colors.
Let a 3-coloring of G be given, and let a permutation over {1,2,3} be chosen at random.
Define a random 3-coloring by applying the permutation to the color of every vertex v. Put the color of each v in a box with v marked on it. Send all the boxes to the verifier.
Formally, (cont.)
Verifier selects an edge at random, e = (u,v) ∈R E, asking to inspect the colors.
Prover sends the keys to boxes u and v.
Verifier uses the keys to open the boxes.
If he finds 2 different colors from {1,2,3} - Accept.
Otherwise - Reject.
G3C (diagram)
P → V: boxes 1, 2, …, n, box v containing the (permuted) color of vertex v.
V → P: e = (u,v) ∈R E.
P → V: key_u, key_v.
The construction is in ZK:
Completeness: If G is 3-colorable and both P and V follow the rules, V will accept.
Soundness: Suppose G is not 3-colorable and P* tries to cheat. Then at least one edge (u,v) will be colored badly, i.e. u and v have the same color. V will pick a bad edge with probability at least 1/|E|, and this rejection probability can be increased to 2/3 by repeating the protocol sufficiently many times.
Zero Knowledge (Construction of a simulator)
Let V* be any polynomial-time verifier, and let q(·) be a polynomial bounding the running time of V*.
M* selects a string r ∈R {0,1}^q(|x|).
r = 11010…………110
Construction of a Simulator (cont.)
M* selects e' = (u',v') ∈R E. M* sends to V* boxes filled with garbage, except for the boxes of u' and v', colored as follows:
box u': c ∈R {1,2,3}; box v': d ∈R {1,2,3}\{c}
If V* picks (u',v'), M* sends V* their keys and the simulation is completed.
Otherwise, the simulation fails.
Analysis of the Simulation
For every G ∈ G3C, the distribution of m*(<G>) = M*(<G>) | (M*(<G>) ≠ failure) is identical to <P,V*>(<G>).
Since V* can't tell e' from other edges by looking at the boxes, he picks e' with probability 1/|E|, which can be increased to a constant by repeating M* sufficiently many times.
So if the boxes are perfectly sealed, G3C ∈ PZK.
Commitment Scheme
Digital implementation of a "sealed box". A commitment scheme is a 2-phase protocol satisfying:
Secrecy: At the end of phase #1, R (Receiver) can't tell what value is being sent.
Unambiguity: Given the transcript of phase #1, there's at most one value R may accept as legal at phase #2.
Commitment Scheme
Denote by S(s,v) the message S (Sender) sends to R when committing itself to bit v and his random coins are s.
Secrecy means S(s,0) and S(s,1) are computationally indistinguishable.
Unambiguity means R can't be fooled into thinking S(s,0) = S(s',1) for any s and s'.
Commitment Scheme
Unambiguity:
Denote by r the coin tosses of R, and by View(R) everything known to R after having received m (S(s,v) in this case) and tossed r. Denote by View(S) everything known to S from s and v. Then for all but a negligible fraction of the r's there is no m for which there are s and s' such that
View(S) = (s,0) and View(R) = (r,m), and View(S) = (s',1) and View(R) = (r,m).
Commitment Scheme
Construction: f: {0,1}^n → {0,1}^n is a one-way permutation. b: {0,1}^n → {0,1} is its hard-core bit. S wants to send v ∈ {0,1} to R.
Phase #1: S selects s ∈R {0,1}^n and sends (f(s), b(s) ⊕ v) to R, who stores the two values (the image and the masked bit) respectively.
Phase #2: S sends s as the key. R calculates v = b(s) ⊕ (masked bit), and accepts if f(s) equals the stored image. Otherwise it rejects.
Commitment Scheme
Proposition: This protocol is a bit commitment scheme.
Proof: Secrecy: For every receiver R* consider the distribution ensembles <S(0),R*>(1^n) = (f(s), b(s)) and <S(1),R*>(1^n) = (f(s), b(s) ⊕ 1). b(s) is unpredictable given f(s), and so the two ensembles are computationally indistinguishable.
Commitment Scheme
Unambiguity follows from f being one-to-one.
G3C + Commitment Scheme
Proposition: G3C that uses bit commitment schemes instead of "magic boxes" is computational zero-knowledge.
Proof: Completeness: P can convince V by sending the "right keys" of the commitment schemes for the colors of the vertices V selected.
17.8
G3C + Commitment Scheme
Soundness: Commitment scheme unambiguity ensures soundness is still satisfied. P may succeed in cheating V at phase #2 of the commitment (in addition to the possibility that V won't select a badly colored edge). However, this increases the probability of accepting G ∉ G3C only by a little (a negligible amount).
G3C + Commitment Scheme
Computational Zero-Knowledge:
Let M* be the simulator for V* from the previous proof.
1) Pr[M*(x) = failure] is still small enough.
2) The ensembles {m*(<G>)}G∈G3C and {<P,V*>(<G>)}G∈G3C are computationally indistinguishable.
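An added example (not code from the slides) that puts the G3C protocol and its simulator on top of a commitment. The slides build the commitment from a one-way permutation f and its hard-core bit b; this example substitutes the practitioner's usual hash-based commitment (SHA-256 over a random 16-byte string and the committed value), which plays the same sealed-box role under the assumption that SHA-256 is hiding and collision resistant. The graphs G and K4, the colorings, the V* strategies and all function names are constructed for the example.

```python
import hashlib
import random
from fractions import Fraction

# Constructed sample input: G is 3-colorable (COLORING is a proper coloring);
# K4 is not 3-colorable. Colors are 1, 2, 3; 0 is "garbage" used by the simulator.
G = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2)]
COLORING = {0: 1, 1: 2, 2: 3, 3: 1, 4: 2}
K4 = [(0, 1), (0, 2), (0, 3), (1, 2), (1, 3), (2, 3)]

# --- Commitment ("sealed box"): hash-based stand-in for the slides' (f(s), b(s) xor v)
def commit(value, rng):
    """Phase 1: return (box, key). The box hides value behind a random 16-byte s;
    opening needs s, and collision resistance of SHA-256 gives unambiguity."""
    s = bytes(rng.getrandbits(8) for _ in range(16))
    box = hashlib.sha256(s + bytes([value])).hexdigest()
    return box, (s, value)

def open_box(box, key):
    """Phase 2: R recomputes the hash and accepts the value only if it matches."""
    s, value = key
    return value if hashlib.sha256(s + bytes([value])).hexdigest() == box else None

# --- The G3C protocol
def prover_commit(coloring, rng):
    """P: permute the three colors at random, then commit to every vertex's color."""
    perm = [1, 2, 3]
    rng.shuffle(perm)
    boxes, keys = {}, {}
    for v, c in coloring.items():
        boxes[v], keys[v] = commit(perm[c - 1], rng)
    return boxes, keys

def verifier_check(boxes, edge, key_u, key_v):
    """V: open the two boxes of the chosen edge; accept iff both open correctly
    to colors in {1,2,3} that differ."""
    u, v = edge
    cu, cv = open_box(boxes[u], key_u), open_box(boxes[v], key_v)
    return cu in (1, 2, 3) and cv in (1, 2, 3) and cu != cv

def honest_run(graph, coloring, rounds, seed=0):
    """Sequentially repeated protocol with honest P and V."""
    rng = random.Random(seed)
    for _ in range(rounds):
        boxes, keys = prover_commit(coloring, rng)
        u, v = rng.choice(graph)                 # V picks e = (u,v) uniformly from E
        if not verifier_check(boxes, (u, v), keys[u], keys[v]):
            return False
    return True

def cheating_detection_fraction(graph, bad_coloring, seed=0):
    """Exact single-round rejection probability against a prover committed to an
    improper coloring: the fraction of edges on which V catches it."""
    boxes, keys = prover_commit(bad_coloring, random.Random(seed))
    caught = sum(not verifier_check(boxes, (u, v), keys[u], keys[v]) for u, v in graph)
    return Fraction(caught, len(graph))

# --- The simulator M* for a verifier V* that picks edge number v_star(r, boxes)
def simulate_once(graph, v_star, r, guess, rng):
    """M* guesses e' = guess, fills every box with garbage except the endpoints of
    e' (random distinct colors c, d), runs V* on (r, boxes) and succeeds only if
    V* asks for exactly e'. Returns the simulated view, or None on failure."""
    u, v = guess
    c = rng.choice([1, 2, 3])
    d = rng.choice([x for x in (1, 2, 3) if x != c])
    boxes, keys = {}, {}
    for x in {x for e in graph for x in e}:
        boxes[x], keys[x] = commit(c if x == u else d if x == v else 0, rng)
    asked = graph[v_star(r, boxes) % len(graph)]
    return None if asked != guess else (r, boxes, asked, keys[u], keys[v])

def simulator_success_count(graph, v_star, r, seed=0):
    """How many of the |E| possible guesses e' lead to a non-failing output."""
    rng = random.Random(seed)
    return sum(simulate_once(graph, v_star, r, e, rng) is not None for e in graph)
```

For the honest verifier, whose edge choice depends only on its random tape (here `lambda r, boxes: r`), exactly one of the |E| guesses succeeds, which is the 1/|E| success probability of M* from the analysis above; the `open_box` check with a different color fails, which is the unambiguity the soundness argument relies on.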
G3C + Commitment Scheme
Computational Zero-Knowledge (cont.): Namely, for every probabilistic polynomial-time algorithm A, every polynomial p(·), and every sufficiently large graph G = (V,E):
|Pr[A(m*(<G>)) = 1] − Pr[A(<P,V*>(<G>)) = 1]| < 1/p(|V|)
Blackbox Zero Knowledge
Definition: Let (P,V) be an IP for a language L. (P,V) is blackbox zero-knowledge if there exists an oracle machine M such that for every verifier V*, the ensembles
{<P,V*>(x)}x∈L and {M^V*(x)}x∈L
are indistinguishable (M has oracle access to V*).
17.9
Blackbox Zero Knowledge
Theorem (given without proof): If there is a (P,V) with negligible error probability for language L that satisfies:
- Public coin proof system.
- Constant number of rounds.
- Blackbox zero-knowledge.
Then L ∈ BPP.
Blackbox Zero Knowledge
Blackbox is preserved under sequential composition.
Blackbox is not preserved under parallel composition!!!
G3C is blackbox zero-knowledge.
Blackbox Zero Knowledge
The soundness error of a single run of G3C is 1 − 1/|E| (a cheating prover escapes unless V picks the badly colored edge), hence it is not negligible. The error becomes negligible by repeating G3C polynomially many times, sequentially or in parallel.
Sequential repetition - the number of rounds is not constant.
Parallel repetition - not blackbox.
Blackbox Zero Knowledge
If G3C could satisfy the theorem above (Theorem 11), then G3C ∈ BPP and hence NP ⊆ BPP.
All known ZK systems are blackbox.
ZK for a language outside BPP should either use a non-constant number of rounds or use private coins.
Randomness and ZK
In IP, V must be random to satisfy soundness.
In ZK, P must be random to satisfy zero-knowledge.
If L has a ZK proof in which either P or V is deterministic, then L ∈ BPP.
17.10