Zero Knowledge Proofs
Interactive proof
An Interactive Proof System for a language L is a two-party game between a verifier and a prover that interact on a common input in a way satisfying the following properties:
The verifier’s strategy is a probabilistic polynomial-time procedure.
Correctness requirements:
• Completeness: There exists a prover strategy P, such that for every xL, when interacting on a common input x, the prover P convinces the verifier with probability at least 2/3.
• Soundness: For every xL, when interacting on the common input x, any prover strategy P* convinces the verifier with probability at most 1/3.
Zero Knowledge Proof
Let (P,V) be an interactive proof system for some language L. We say that (P,V), actually P, is zero-knowledge if for every probabilistic polynomial-time ITM V* there exists a probabilistic polynomial-time machine M* s.t. for every xL holds
{<P,V*>(x)}xL {M*(x)}xL
Machine M* is called the simulator for the interaction of V* with P.
Perfect Zero Knowledge
Definition: Let (P,V) be an interactive proof system for some language
L. We say that (P,V), actually P, is perfect zero-knowledge (PZK) if for every probabilistic polynomial time ITM V* there exists a probabilistic polynomial-time machine M* s.t. for every xL the distributions {<P,V*>(x)}xL and {M*(x)}xL are identical, i.e.,
{<P,V*>(x)}xL {M*(x)}xL
Statistical Zero Knowledge
Definition:
Let (P,V) be an interactive proof system for some language L. We say that (P,V), actually P, is statistical zero knowledge (SZK) if for every probabilistic polynomial time verifier V* there exists a probabilistic polynomial-time machine M* s.t. the ensembles {<P,V*>(x)}xL and {M*(x)}xL are statistically close.
Definition-cont.:
The distribution ensembles {Ax}xL and {Bx}xL are statistically close or have negligible variation distance if for every polynomial p(•) there exists an integer N such that for every xL with |x| N holds:
|Pr [Ax = ] – Pr [Bx = ]| p(|x|)-1
Computational Zero Knowledge
Definition:
Let (P,V) be an interactive proof system for some language L. (P,V), actually P, is computational zero knowledge (CZK) if for every probabilistic polynomial-time verifier V* there exists a probabilistic polynomial-time machine M* s.t. the ensembles {<P,V*>(x)}xL and {M*(x)}xL are computationally indistinguishable.
Definition:
Two ensembles {Ax}xL and {Bx}xL are computationally indistinguishable if for every probabilistic polynomial time distinguisher D and for every polynomial p(•) there exists an integer N such that for every xL with |x| N holds
|Pr [D(x,Ax) = 1] – Pr [D(x,Bx) = 1]| p(|x|)-1
Graph Isomorphism problem
Definition
Graph Isomorphism: two graphs G0 =(V0,E0) and G1 =(V1,E1) are isomorphic permutation s.t
(u,v) E0 ( (u), (v)) E1
if G0 and G1 are isomorphic and is an isomorphism between G0 to G1 we write G1 = (G0) .
Graph Isomorphism problem
Graph Isomorphism problem: Given Two Graphs G1 and G2 – Are They Isomorphic ?
Lemma: GI ZK
Proof: Zero Knowledge Interactive Proof for GI.
Zero Knowledge Interactive proof for Graph Isomorphism
1. Repeat the following n times:
2. The Prover chooses a random permutation of (1…n) and computes H= (G1) and send it to the verifier.
3. The verifier chooses randomly i=1 or 2 and sends it to the prover.
Zero Knowledge Interactive proof for Graph Isomorphism-cont.
4. The prover chooses permutation s.t H = (Gi).
If i=1 the prover sends to the verifier, otherwise the prover will send -1 ( is the isomorphism between G1 and G2).
5. The verifier checks if H is the image of Gi under .
6. The verifier accepts if H is the image of Gi in all n rounds.
Zero Knowledge Interactive proof for Graph Isomorphism-cont.
Prover → Verifier: H= (G1)
Verifier → Prover: i=1,2
Prover → Verifier: or -1
Verifier: checks if H is the image of Gi
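The rounds described in steps 1 to 6, as an added Python example (not part of the original slides). Graphs are edge lists over vertices 0..n-1; the class names, the `GuessingProver` used to show the soundness bound, and the sample graphs are constructed for illustration.

```python
import random

def apply_perm(perm, edges):
    """Image of an undirected edge set under perm (list: vertex -> vertex)."""
    return frozenset(frozenset((perm[u], perm[v])) for u, v in edges)

def inverse(perm):
    return [perm.index(v) for v in range(len(perm))]

class HonestProver:
    """Knows phi with G2 = phi(G1) (phi is the secret isomorphism)."""
    def __init__(self, g1, phi, rng):
        self.g1, self.phi_inv, self.rng = g1, inverse(phi), rng
    def commit(self):                       # step 2: H = sigma(G1)
        n = len(self.phi_inv)
        self.sigma = self.rng.sample(range(n), n)
        return apply_perm(self.sigma, self.g1)
    def respond(self, i):                   # step 4: sigma, or sigma after phi^-1
        if i == 1:
            return self.sigma
        return [self.sigma[self.phi_inv[v]] for v in range(len(self.sigma))]

class GuessingProver:
    """No isomorphism known: commits to a permuted copy of a guessed graph."""
    def __init__(self, g1, g2, n, rng):
        self.graphs, self.n, self.rng = {1: g1, 2: g2}, n, rng
    def commit(self):
        self.guess = self.rng.choice((1, 2))
        self.sigma = self.rng.sample(range(self.n), self.n)
        return apply_perm(self.sigma, self.graphs[self.guess])
    def respond(self, i):
        return self.sigma

def verify(prover, g1, g2, n, rounds, rng):
    ident = list(range(n))
    graphs = {1: apply_perm(ident, g1), 2: apply_perm(ident, g2)}
    for _ in range(rounds):
        h = prover.commit()
        i = rng.choice((1, 2))              # step 3: random challenge
        psi = prover.respond(i)
        if sorted(psi) != ident or apply_perm(psi, graphs[i]) != h:
            return False                    # step 5 failed
    return True                             # step 6: all rounds passed

# Constructed sample graphs on 4 vertices
PATH = [(0, 1), (1, 2), (2, 3)]
STAR = [(0, 1), (0, 2), (0, 3)]            # not isomorphic to PATH
PHI = [2, 0, 3, 1]
PATH_RELABELED = apply_perm(PHI, PATH)     # isomorphic to PATH via PHI
```

The honest prover is accepted in every round; the guessing prover survives a round only when its guess matches the challenge, so it passes k rounds with probability 2^-k.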
Building simulator M* for graph isomorphism problem
We will define simulator M* as follows:
Input:(G0, G1) ISO
1. Chooses a random string RANDOM and puts it on the random tape of the verifier V*.
2. Randomly chooses a {0,1} and permutation , constructs H= (Ga) and sends H to V*.
3. Receives b from V*.
If b {0,1} then outputs {RANDOM,H,b} and STOP.
If a =b then outputs {RANDOM,H,b, } and STOP; else GOTO 1.
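The simulator M* above, as an added Python example (not part of the original slides). It assumes the first test in step 3 means "b is outside {0,1}", models V* as a function of its random tape and H, and uses a hypothetical `adaptive_v_star` whose challenge depends on H; the graphs are constructed sample input.

```python
import random

def apply_perm(perm, edges):
    """Image of an undirected edge set under perm (list: vertex -> vertex)."""
    return frozenset(frozenset((perm[u], perm[v])) for u, v in edges)

def simulate(g0, g1, n, v_star, rng):
    """M*: outputs a transcript for V* using only the public graphs."""
    graphs = (g0, g1)
    attempts = 0
    while True:
        attempts += 1
        tape = rng.getrandbits(32)          # step 1: RANDOM for V*'s random tape
        a = rng.randrange(2)                # step 2: guess a, build H from G_a
        pi = rng.sample(range(n), n)
        h = apply_perm(pi, graphs[a])
        b = v_star(tape, h)                 # step 3: V*'s challenge
        if b not in (0, 1):
            return (tape, h, b), attempts   # malformed challenge: stop
        if a == b:
            return (tape, h, b, pi), attempts
        # a != b: discard this attempt and GOTO 1 (V* is run again from scratch)

def accepts(transcript, g0, g1):
    """The verifier's check (H is the image of G_b) on a simulated transcript."""
    tape, h, b, pi = transcript
    return apply_perm(pi, (g0, g1)[b]) == h

def adaptive_v_star(tape, h):
    """Hypothetical dishonest verifier: challenge depends on H and its tape."""
    degree_of_0 = sum(1 for edge in h if 0 in edge)
    return (tape + degree_of_0) % 2

# Constructed sample input: G1 is G0 relabelled; simulate() is never given
# the relabelling, only the two graphs.
G0 = [(0, 1), (1, 2), (2, 3)]
G1 = apply_perm([2, 0, 3, 1], G0)
```

Because G0 and G1 are isomorphic, H is distributed the same way for a=0 and a=1, so each attempt matches V*'s challenge with probability 1/2 and the expected number of attempts is 2.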
Zero-Knowledge Password Proofs
1. The prover finds two large prime numbers, p and q, and sends n=pq to the verifier.
2. r is a random number belonging to [n, n4]. The prover sends x^2 mod n and r^2 mod n to the verifier.
3. The verifier then randomly asks for r or xr and checks the prover.
Zero-Knowledge Password Proofs
Prover → Verifier: n=pq
Prover → Verifier: x^2 mod n, r^2 mod n
Verifier → Prover: asks for xr or r
Prover → Verifier: xr or r
Verifier: checks the prover
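One way to carry out the three steps above, as an added Python example (not part of the original slides). It assumes x is the prover's secret, that the verifier already holds x^2 mod n from registration, that the check is "square the answer and compare", and that the range [n, n4] means [n, n^4]; the primes and secrets are constructed toy values.

```python
import random

def commit(x, r, n):
    """Step 2: the prover publishes x^2 mod n and r^2 mod n."""
    return pow(x, 2, n), pow(r, 2, n)

def respond(x, r, challenge):
    """Step 3, prover side: reveal r or the product xr."""
    return r if challenge == "r" else x * r

def check(n, x2, r2, challenge, answer):
    """Step 3, verifier side (assumed check): square the answer and compare."""
    expected = r2 if challenge == "r" else (x2 * r2) % n
    return pow(answer, 2, n) == expected

def run(x_registered, x_claimed, n, rounds, rng):
    """Verifier holds x_registered^2 mod n; prover answers with x_claimed."""
    x2 = pow(x_registered, 2, n)
    for _ in range(rounds):
        r = rng.randrange(n, n ** 4 + 1)    # page's range [n, n4], read as n^4
        _, r2 = commit(x_claimed, r, n)
        challenge = rng.choice(("r", "xr"))
        if not check(n, x2, r2, challenge, respond(x_claimed, r, challenge)):
            return False
    return True

# Constructed toy parameters (real use needs large primes)
P, Q = 1009, 1013
N = P * Q
SECRET, WRONG = 123456, 654321
```

A prover holding the wrong secret still answers the "r" challenge correctly and fails only on "xr", which is why the verifier's choice has to be random and the exchange repeated.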
NP and Zero Knowledge proofs
Lemma: NPZK
Proof: 3colZK .
Zero Knowledge proof for 3col problem
1. The prover randomly chooses a permutation . Computes (c(v)), puts in envelopes and sends to the verifier.
2. The verifier chooses randomly:
(u,v) E and opens the envelope.
If the colors are different and legal he answers “yes”.
Zero Knowledge proof for 3col problem
Prover Verifier
permutation . (c(v))
Chooses (u,v) E
envelope Checks that colors are different
ZK protocol for Co-SAT
Transform the CNF to a polynomial by these transformation rules:
1. T positive value
2. F 0
3. Xi Xi
3. Xi (1-Xi)
4. OR +
5. AND •
ZK protocol for Co-SAT
The protocol:
1. The prover selects a prime number q > 2n • 3m and sends it to the verifier.
2. The verifier checks that q is prime. If q isn’t prime, the verifier halts and rejects.
3. V0 is initialized to zero. The prover does the following for i=1…n. The prover computes a polynomial Pi whose rank is at most m.
The construction of Pi :
P1(x)= xn =0,1…. xn=0,1 p(x1 … xn)
P2(x)= xn =0,1…. xn=0,1 p(r1,x, x3 … xn)
Pn(x)= p(r1,... Rn-1, xn )
The prover puts the polynomial Pi in envelopes and sends them to the verifier.
4. The prover moves to the next stage (i=i+1).
5. We know that the verifier will accept
if r1… ri … rn s.t Pi(0) + Pi(1)= vi -1modq.
Since checking each assignment is polynomial this problem is in NP .
We can now do a reduction from any NP problem to 3col ZK .
ZK protocol for Graph non isomorphism
Definition
Graph non Isomorphism: given two graphs G0 =(V0,E0) and G1 =(V1,E1).
(G0, G1 )GNI
there is no permutation s.t (u,v) E0 ( (u), (v)) E1
ZK protocol for Graph non isomorphism
1. The verifier chooses randomly a number i (0,1) .
The verifier chooses a random permutation and computes H = (Gi). Then the verifier chooses randomly j (0,1) . The verifier creates the pair of graphs (H0, H1) such that:
if j=0:
H0 is a permutation of G0
H1 is a permutation of G1
if j=1:
H0 is a permutation of G1
H1 is a permutation of G0
The verifier sends H and the pair (H0, H1).
2. The prover chooses randomly b (0,1) . The prover sends b to the verifier.
If b=0 then the verifier sends the prover the isomorphism between (G0, G1) and (H0, H1).
If b=1 the verifier sends the prover the isomorphism between H and (H0, H1) .
3. The prover checks that the right isomorphism is sent; otherwise it stops. The prover computes b such that Gb is isomorphic to H and sends b to V. If there is no such b, the prover sends a random b.
4. The verifier accepts if j=b.
ZK protocol for Graph non isomorphism
Verifier: 1. i (0,1)   2. H = (Gi)
Verifier → Prover: 3. H and the pair (H0, H1)
Verifier → Prover: 1. Isomorphism between (G0, G1) and (H0, H1). OR 2. Isomorphism between (H0, H1) and H.
Prover: checks isomorphism, computes b
Verifier: checks that j=b
ZK protocol for Graph non isomorphism
Lemma: GNI PZK
Proof : building M* s.t {<P,V*>(x)}xL {M*(x)}xL
1. The machine M* takes a random string of bits and puts it on a random tape.
Mv* does the following n times:
2. Mv* waits to get H and the pair (H0, H1) from V* .
3. Mv* chooses a random b .
4. Mv* gets from V* the isomorphism between H and (H0, H1) and (G0, G1). If it is not the right isomorphism, Mv* stops.
Otherwise:
1. Returns V* to the point after H and (H0, H1) were received.
2. Chooses b’ again and sends it to V*.
3. Waits to get I’ from V*.
I’ - isomorphism received from V*.
If b’b then Mv* finds the isomorphism from I and I’, from G0,G1 to (H0, H1) and from (H0, H1) to H. The machine uses this information to find the isomorphism from H to G0 , G1.
4. The machine Mv* uses this information to compute V* and sends it to V*.