Lecture 4.

Zero

.

Knowledge

Henry Corrigan-

Gibbs

Cs 355 -

Spring2019

Phan April 10,2019

-

Reap: Interactive proofs

- Zero knowledge

* What it is

*

Whyit's useful

* How we define

it

-

Example'

- Zk Proof for HAMCYLLE

Reminders

→ Hb 1 Lue Friday at 5pm vin Gratescope

↳ Come to OHtoday

?

→ Lateday policy

today

-

We will be discussing the most beautiful

idea in all of CS. Maybe

of all time ?

E Controversial but still true

- Zeroknowledge

- How to

proveto

youthat I know

Something (e.g . 4 is SAD

without leaking anythingelse Is

you( SAT

assignment)

-

Amazinglyclever

,

also useful in

many crypto

protocols.

→ Lesson :

Importance of definitions .

OriginalZk

paperis important

b/c of Lefts of 7k,

not because of theSpecific constructions

.

↳ Defa is>

'

h the battle

→ Paperrejected

3 l I think ) times before published

↳ Lesson?

Goldwasser,

Micah, Rakoff ( stoc

,

-85)

Recap : Interactiveproofs-

soonMonday,

Florian introduced interactiveproofs

Goal of a proof: Convince someone of

something-

-"

the verifier

"

"

statement"

In complexity theory,

we consider statements of theform

:

"

x c- L

"

- a

instancelanguage

Examples:

"

N is theproduct of

exactlytwo

primes

NG { pgI

primes pig }

"

The Pythagorean Them is true.

"

PYTNTME g

true statements in

Some formal system)

"

4 is a unsatisfiable SAT formula

's

4 E { set of unsatisfiable SATinstances

"

Recaps

Conventional Proof

Prover ( x ) Verifier ( x )

I Itt

"

accept'

or

"

rejects

?

-

yr mightbe hard to find (

exponentialtime )

deterministic-

an should beeasy

to check Ipolynomial

time

, verifier )

Say that we want toprove

that XEL.

Can do So w/

a conventional ⇐ L is an NP

proof language

e.

g .

toprove

that $ is SAT,

P sends Satisfying

assignmentto V

.

Blum NP="

nifty proof

"

Recap What if we allow P & V to

intent

?

What if Vcan use ran↳?

Verifier I x )

TT→

c-

→

#Can inverse

"

accept'

or

to I.

"

reject

'

↳

Profitmputene.int v. ×eL Prc v > Cx) =

"

accept

"

]±%2. Soundness

¥×p$Lprccpx.DK )

iaccept

"

]s%.

Can reduce toI

negligiblew/

repetition .

Q :

Why is interaction useful?

A1 : ( OnMonday )

IPcaptures

a largerclass of problems .

↳ PSPACE. . .

proveto

youtheir a

graphis

NOT

A 2 ! (Today)

3- COLORABLE!

Interactiveproofs

aan havea

third

surprising property .

Properties we want

3.

Zero knowledge V

"

learnsnothing

"

fromher interaction with P

,

exceptthat xe L

.

[Huh ? What does this

even mean?

Application : Canprove

to

youthat I executed some

protocol correctlywithout

revealing any

ofmy

Secrets .

Defer of Zk used to define securityin

manyprotocols

↳ want to show that"

nothing leaks"

①

:

What does itmean

to

"

learn nothing

"

from

an interaction?

Ex.

Me in 7thgrade

-

Ex. Military spokesperson .

INTUITION : If Vcan easily write down a transcript

of its intonation with P,

then V hasn't

learnedanything useful from P.

t÷÷q*÷

:*.

Ifyou

can simulate the cow .

transcript, noneed to have it at all !

↳Applications in real life

?

TheSurprising thing

is that there is a

veryclean

wayto formalize this intuition

3.

Zero knowledge: t efficient

VT I efficient Sin

St.

V.x c- L

{ View . ( Rx) VID ) - { Sim Cx ) }

q

Thereare diff flavors

of Zk

( :÷÷÷÷÷÷:

Intuition :

- whatever Vcan learn

by interning w/ P,

it

can learnsitting

at home by runningsin

.

-

f V* Mee"

I heard that

Dad

.¥*÷

in.

[I

"

fine

"

→

-

key to remember :

Input to Simessentially captures

what the CP,V ) interaction leaks.

:÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷:"

]

ZkProtocdfnHamyde [ Blum -871? l

)

-

Ham Cycle is an NP-Complete problem

{Gn?!!?

.

oh

↳

Anything provable ( in NP) is

provable

K

Wigtasg;↳ Reduce tohlawgde instance

,

use this protocol .

Intheory

,

carpair

to

youthat I Know an Oday

in iOS without revealing

itis you? And

so on.

. . .

Reminder i

Desai of Ham Gale

G = ( V

,

E ) undirectedgraph

2

(÷:ds¥rakuten.me )See Knuth ( linked from course website) for fun

history of thisproblem

.

Hsm Cycle :{ GIG has a Hamiltoniancycle }

Adjacency

Mattix

, y s 6

I O I I I O Or

( s . :

::::::

a ÷::isee .

)S O I o O O I

GO O

I0 I

0

Trivial Protocol

i÷÷÷÷i÷÷÷:÷÷÷

Zkprotool (Blunt

following Blum,

we'llimagine

that P can send V

"

looked boxes ;

which we

implementw/

cryptographiccommitments .

Prover (G) Verifier ( G)-

-

* Put each of then vertices Y

,

. .. in

into n

boxesBy .

. .

,

Bn in random order .

* Into box Bij ,

put

}I

if vertices in B;

and B;

are

adjacent in G

O.

o.

W.

Bi 's =

relabeling of vertices

Bij 's =

adj .

matrix under relabeling

Send theht

(2) boxes

-

Flip acoin b←49B

If

bso

:

"

Show me G

!If bsl

:

"

Show me thecycle

'!

-

If b-

- O : Unlock all boxes-

Check :

If be I : Unlock anyboxes b=0 Got a

perm

correspondingto Ham Cycle in 4

. of adj .

nutria

bsl.

Got a cycle

Accept if so.

Some Comments msg

- Boxcontains

m

I

Sone particular

←& type

of hash fu .

• TXHlm

,r )

Imagine.

T=

→-

Key

A= ( m ,r )

→-

Properties

✓I

. Complete .

2.

Sound.

If Get Ham Cycle,

thenno matter what Pt

puts

in boxes,

V willreject up

?

'

h.

3.

Zev. knowledge .

Ve construct eff Sim.

Sim ( G c- Ham Cycle )

-

Guess 5 I lost } .

- If 5=0,

But randomperm

of Adj out in Boxes

- 5=1, put

randomperm

ofcycle in Boxes

.

- Run b ← V't

( G,

Boxe . )

-

If

btb,

Abort.

-

Else, open

boxes perV* 's

request

-

Output ( G,

Boxes,

b,

Keys to boxes )

as transcript.

["

¥E;÷÷÷¥÷:.tk?Tm.:taf:')

Life lessons to remember

-

efficiently

* Ifyou

can

,

simulate an interaction.

you

haven'tlearned anything useful from

it.

↳

Ideally doesn't applyto this lecture .

*Input

to simulator = what leaks.

* Anything that hasa traditional CNP)

proof

also hasa Zero knowledge proof system .