zero-knowledge for npcyber.biu.ac.il/wp-content/uploads/2018/08/ws-19-2-zk...can ðŽ be proved in...
TRANSCRIPT
BIU WINTER SCHOOL | February 2019
ZERO-KNOWLEDGE for NP
ALON ROSEN IDC HERZLIYA
Perfect ZK
Perfect ZK: âððð ðâ âððð ð âð¥ â ð¿ âð§
ð ð¥, ð§ â ð ð€ , ðâ ð§ ð¥
Proposition: ðð ð â PZK
ðð complete
ððŽð
ð¿ðŒð P
NP
ðð ð
Can ððŽð be proved in ZK?
Why do we care?
⢠ðð ð is specific
⢠ððŽð is NP-complete
⢠If ððŽð â ZK then every ð¿ â NP is provable in ZK
Theorem [Fâ87, BHZâ87]: If ððŽð â PZK then the
polynomial-time hierarchy collapses to the second level
Possible relaxations:
⢠Computational indistinguishability (now)
⢠Computational soundness (later)
Statistical
Zero-Knowledge
Statistical Indistinguishabi lity
Let ð and ð be random variables taking values in a set Ω
Perfect indistinguishability (ð â ð): âð â Ω
ððð ð â ð = ððð ð â ð
ð-indistinguishability (ð â ð ð): âð â Ω
ðð ð â ð â ðð ð â ð †ð
⢠ð = ðð and ð = ðð
⢠ð = ð ð
Statistical Indistinguishabi lity
Let ð and ð be random variables taking values in a set Ω
Perfect indistinguishability (ð â ð): âð â Ω
ððð ð â ð = ððð ð â ð
ð-indistinguishability (ð â ð ð): âð â Ω
ðð ð â ð â ðð ð â ð †ð
Triangle inequality: if
⢠ð, ð are ð1 -indistinguishable and
⢠ð, ð are ð2-indistinguishable then
⢠ð, ð are ð1 + ð2 -indistinguishable
Statistical Indistinguishabi lity
Let ð and ð be random variables taking values in a set Ω
Perfect indistinguishability (ð â ð): âð â Ω
ððð ð â ð = ððð ð â ð
ð-indistinguishability (ð â ð ð): âð â Ω
ðð ð â ð â ðð ð â ð †ð
Indistinguishability of multiple samples: if
⢠ð, ð are ð-indistinguishable then
⢠ðð , ðð are ðð-indistinguishable
Hybrid argument: ððâððððâ1 â ð ððâðð¿ððâ1
ððâððððâ1 â ð ððâðð¿ððâ1
ððððððððððððððððððððâ ð ððððððððððððððððððððâ ð ððððððððððððððððððððâ ð ðððððððððððððððððððð
â®
â ð ðððððððððððððððððððððâ ð ððððððððððððððððððððð
By triangle inequality: ð + ð + â¯+ ð = ðð
Hybrid Argument
ð = 0 ðð â
â ðð
ð = 1
ð = 2ð = 3
ð = ð â 1ð = ð
Statistical ZK: âððð ðâ âððð ð âð¥ â ð¿ âð§
ð ð¥, ð§ â ð ð, ðâ ð§ ð¥
⢠SZK - all ð¿ that have a statistical ZK proof
⢠ð ð¥, ð§ and ð, ðâ ð§ ð¥ are indexed by ð¥, ð§
⢠Typically ð = ð¥ (actually, ð = ð€ )
Theorem [Fâ87, BHZâ87]: If ððŽð â SZK then the polynomial-
time hierarchy collapses to the second level
Statistical ZK
Computational
Zero-Knowledge
ð-indistinguishability (ð â ð ð): âð â Ω
ðð ð â ð â ðð ð â ð †ð
ð¡, ð -indistinguishability (ð â ð ð): âð â Ω that are
âdecidable in time ð¡â
ðð ð â ð â ðð ð â ð †ð
ð â ðŽ is decidable in time ð¡ if âtime-ð¡ ð· such that âð¥ â ðŽ
ð¥ â ð â· ð· ð¥ = 1
Computational Indistinguishabi lity
ð-indistinguishability (ð â ð ð): âð â Ω
ðð ð â ð â ðð ð â ð †ð
ð¡, ð -indistinguishability (ð â ð ð): âtime-ð¡ ð·
ðð ð· ð = 1 â ðð ð· ð = 1 †ð
Triangle inequality: if
⢠ð, ð are ð¡1, ð1 -indistinguishable and
⢠ð, ð are ð¡2, ð2 -indistinguishable then
⢠ð, ð are ððð ð¡1, ð¡2 , ð1 + ð2 -indistinguishable
Computational Indistinguishabi lity
ð-indistinguishability (ð â ð ð): âð â Ω
ðð ð â ð â ðð ð â ð †ð
ð¡, ð -indistinguishability (ð â ð ð): âtime-ð¡ ð·
ðð ð· ð = 1 â ðð ð· ð = 1 †ð
Indistinguishability of multiple samples: if
⢠ð, ð are ð¡, ð -indistinguishable then
⢠ðð , ðð are ð¡, ðð -indistinguishable
Hybrid argument (non-uniform):
ððâððððâ1 â ð ððâðð¿ððâ1
Computational Indistinguishabi lity
Computational Indistinguishabi lity
Typically:
⢠ð¡ = ððððŠ ð⢠ð = ððð ð
Definition: ð = ð ð is negligible if it is eventually smaller
than 1/ð ð for every polynomial ð
ð = ððð ð , ð = ððððŠ ð â ðð = ððð ð
ð1 â ð ð2⯠â ð ð
ð â ð1 â ðð ðð
In practice: concrete choices of ð¡,q and ð
Computational ZK: âððð ðâ âððð ð âð¥ â ð¿ âð§
ð ð¥, ð§ â ð ð, ðâ ð§ ð¥
PZK â SZK â CZK
Theorem [GMWâ86]: Suppose one-way functions exist.
Then NP â CZK
Computational ZK
Definition: ð: 0,1 â â 0,1 â is ð¡, ð -one-way if âtime-ð¡ ðŽ
ððð ðŽ inverts ð ð †ð
Candidate OWFs:
⢠Rabin/RSA: ð¥2 ððð ð ð¥ð ððð ð
⢠Discrete exponentiation: ðð¥ ððð ð
⢠SIS/LWE: ðŽð¥ ððð ð ðŽð¥ + ð ððð ð
⢠AES: ðŽðžðð¥ 0ð
⢠SHA: â ð¥
One-way Functions
Commitment Schemes
Commitment Scheme
⢠Two-stage protocol between Committer and Receiver
Completeness: ð¶ can always generate valid
ð = ð¶ðð ð, ð
Rð = ð¶ðð ð, ð
ð, ð = ð·ðð ð
Commit
Reveal
Commitment Scheme
⢠Two-stage protocol between Committer and Receiver
RCommit
Reveal
ð¶ðð ð, ð is
ð ââs view of the
commit phase
ð·ðð ð is
ð ââs view of the
reveal phase
Canonical reveal:
ð·ðð ð = ð, ð
Statistical ly-binding Commitments
Definition: A statistically-binding ð¶ðð,ð·ðð satisfies:
Computational hiding: ððð ð â âð1, ð2
ð¶ðð ð1 â ð ð¶ðð ð2
Statistical binding: ð¶â âð1 â ð2
ðð ð¶â wins the binding game †ððð ð
ð¶â wins the binding game if it generates ð along with
⢠ð1, ð1 = ð·ðð ð⢠ð2, ð2 = ð·ðð ð
⢠Note: hiding holds even if ð1, ð2 are known
⢠Later: statistically-hiding commitments
⢠El-Gamal (assuming DDH):
ð¶ððð,â ð, ð = ðð , âð â ðð
⢠Any OWP:
ð¶ðð ð, ð = ð ð , ð ð â ð
⢠Any PRG (and hence OWF):
ð¶ððð ð, ð = áðº ð ð = 0ðº ð â ð ð = 1
Examples (statistical ly-binding)
NP â CZK
Theorem [GMWâ86]: If statistically-binding commitments
exist then NP â CZK
Theorem [Bâ86]: If statistically-binding commitments
exist then ð»ðŽð â CZK
ð»ðŽð = ðº| ðº has a Hamiltomian cycle
Ham cycle: passes via each vertex exactly once
ð»ðŽð â CZK
Every ð¿ â NP is poly-time reducible to ð»ðŽð
âpoly-time computable ð such that âð¥
ð¥ â ð¿ â ð ð¥ â ð»ðŽð
To prove ð¿ â CZK, sufficient to prove ð»ðŽð â CZK
ð»ðŽð i s NP -complete
VP ð¥ â ð¿â
ð ð¥ â ð»ðŽð
ACCEPT/REJECT
ð€ for ð¥ â ð¿â
ð(ð€) for ð ð¥ â ð»ðŽð
ð
ð
ð
ð
ð
ð
Adjacency Matrix Representation
0 1 0 0 1 1
1 0 1 1 0 0
1 1 0 0 1 0
0 0 1 0 1 1
1 0 1 1 0 1
1 1 0 1 1 0
Graph ðº Ham cycle ð€
0 ð 0 0 1 1
1 0 1 ð 0 0
1 1 0 0 ð 0
0 0 ð 0 1 1
1 0 1 1 0 ð
ð 1 0 1 1 0
0 ð 0 0 1 1
1 0 1 ð 0 0
1 1 0 0 ð 0
0 0 ð 0 1 1
1 0 1 1 0 ð
ð 1 0 1 1 0
Committing to ðº and opening cycle ð€
Graph ðº ð = ð¶ðð ðº
ð
ð
ð
ð
ð
ð
â
0 ð 0 0 1 1
1 0 1 ð 0 0
1 1 0 0 ð 0
0 0 ð 0 1 1
1 0 1 1 0 ð
ð 1 0 1 1 0
ð€ â ð·ðð ððº = ð·ðð ð
An interactive proof for ð»ðŽð
VP
ð = 0: ð¢ â ð·ðð ð
ð
ðº â ð»ðŽð
ð âð 0,1
ð = ð¶ðð ð(ðº)ð âð ðð
Ham cycle ð€
ð = 1: ð, ð» = ð·ðð ð
In either case,
verify hat ð·ðð are valid
ð¢=ð(ð€) Verify that ð¢ is a cycle
Verify that ð» = ð ðº
When ð = 0
ð = ð¶ðð ð(ðº)
ð
ð
ð
ð
ð
ð
ð¢ â ð·ðð ð
ð = 0
Verify :
⢠That ð·ðð is valid
⢠That ð¢ is a cycle
When ð = 1
0 1 0 0 1 1
1 0 1 1 0 0
1 1 0 0 1 0
0 0 1 0 1 1
1 0 1 1 0 1
1 1 0 1 1 0
6 1 3 2 5 4
ð» = ð·ðð ðð = ð¶ðð ð(ðº)
ð
ð = 1
Verify :
⢠That ð·ðð is valid
⢠That ð» = ð ðº
Soundness
Claim: If ð¶ðð,ð·ðð is statistically binding then ð, ðis an interactive proof for ð»ðŽð
Soundness:
If ððð ðâ, ð accepts ð¥ > 1/2
then both
⢠ð¢ is a cycle in ð»
⢠and ð» = ð ðº
So ðâ1 ð¢ is a cycle in ðº
VP*
ð = 0: ð¢
ð
ð¶ðð ð(ðº)
ð = 1: ð, ð» ð» = ð ðº
ð¢ is a cycle
Computational ZK
Simulator ððâðº :
1. Set ðº0 = ð¢ for ð¢ âð ððŠðððð2. Set ðº1 = ð(ðº) for ð âð ðð3. Sample ð âð â€ð
â
ð = 0: Set ð = ð¶ðð ðº0ð = 1: Set ð = ð¶ðð ðº1
4. If ðâ ð = ð
ð = 0: Output ð,ð, ð¢
ð = 1: Output ð,ð, ð,ðº1
5. Otherwise repeat
V*P
ð = 0: ð¢
ð = ðâ ð
ð
ð = 1: ð, ð»
0 ð 0 0 0 0
0 0 0 ð 0 0
0 0 0 0 ð 0
0 0 ð 0 0 0
0 0 0 0 0 ð
ð 0 0 0 0 0
Computational ZK
ðº0
ð = 0
ðº1
ð = 1
ð
6 1 3 2 5 4
0 1 0 0 1 1
1 0 1 1 0 0
1 1 0 0 1 0
0 0 1 0 1 1
1 0 1 1 0 1
1 1 0 1 1 0
Computational ZK
ð = 0
ð = ð¶ðð ðº0
ð = 1
ð = ð¶ðð ðº1
â ð
ð
ð
ð
ð
ð
ð
Computational ZK
If ðâ ð = 0(otherwise repeat)
If ðâ ð = 1(otherwise repeat)
ðº0 = ð¢ ðº1 = ð(ðº)
ð
6 1 3 2 5 4
0 1 0 0 1 1
1 0 1 1 0 0
1 1 0 0 1 0
0 0 1 0 1 1
1 0 1 1 0 1
1 1 0 1 1 0
Claim: If ð¶ðð is computationally hiding then ððâðº runs
in polynomial time
1. From hiding of ð¶ðð and the fact that ðâis ððð:
ððð,ð ðâ ð¶ðð ðºð = ð â 1/2
Exercise: otherwise ðâ distinguishes between
ð¶ðð ðº0 and ð¶ðð ðº1
2. This implies: ðŒ #repetitions â 2
Computational ZK
Claim: If ð¶ðð is computationally hiding then âðº â ð»ðŽð
ððâðº â ð ð(ð€), ðâ ðº
1. Let ð»ðâ ðº,ð€ act identically to ððâðº except that:
⢠ð» commits to ðº1 instead of ðº0⢠When ðâ ð = 0, ð» outputs ð(ð€) instead of ð¢
2. Exercise:
ððâðº â ð ð»
ðâ ðº,ð€ â ð(ð€), ðâ ðº
Hint: ð¶ðð ðº0 â ð ð¶ðð ðº1 even if ðº,ð€, ð are known.
Computational ZK
ð
ð
ð
ð
ð
ð
ð
ð
ð
ð
ð
ð
Computational ZK
ððâðº | ð = 0
ð = ð¶ðð ðº0 ð = ð¶ðð ðº1
â ð
ð = ð¶ðð ðº0 â ð¶ðð(ð(ð€)) ð = ð¶ðð ðº1 â ð¶ðð(ð(ð€))
ð»ðâ ðº,ð€ | ð = 0
One-way functions (or rather some weak form of them)
are necessary for non-trivial ZK
Theorem [OWâ90]: If âZK proofs for languages outside of
BPP then there exist functions with one-way instances
Theorem [OWâ90]: If âZK proofs for languages that are
hard on average then there exist one-way functions
Unconditional characterization of ZK [Vadâ06]:
⢠HVZK = ZK⢠ZK is closed under union
⢠Public-coin ZK equals private-coin ZK⢠ZK w/ imperfect compl. equals ZK w/ perfect compl.
Techniques borrowed from the study of SZK [SVâ90âs]
Computational ZK â some more
Summary
BPP â PZK â SZK â CZK = IP
Defined:
⢠Statistical indistinguishability
⢠Computational indistinguishability
⢠SZK, CZK
⢠One way-functions
⢠Statistically-binding commitments
Saw:
⢠Examples of statistically-binding commitments
⢠NP â CZK via ð»ðŽð â CZK
Food for Thought
⢠Efficiency of reduction to ð»ðŽð⢠Classic reduction from ððŽð to ð»ðŽð has quadratic blowup
⢠Ideally: linear blowup (with small constants)
⢠Communication complexity⢠Statistically-binding commitments imply linear communication
⢠Next lecture: statistically-hiding commitments
⢠Open up the possibility of sublinear communication
⢠Efficiency of prover and/or verifier⢠May have to optimize ð, ð even if sublinear communication
⢠Both time and space complexities â tradeoff between ð, ð
⢠Round complexity⢠Much research devoted to minimizing rounds (see next lecture)
Other considerations
Define
⢠what it means to break the system
⢠Adversaryâs access/resources
Build
⢠In ZK first there were protocols, only then defs
Prove
⢠We still do not have good âlanguageâ for proofs
⢠ML theory vs Crypto theory (crypto theory is essential)
First feasibility then efficiency
⢠Optimize (round/comm. complexity, verifier time/space)
Relax definition (Argument/WI/WH/NIZK)
Modern Crypto Methodology
Auxi l iary input to ð· and Non-uniform ðâ
Computational ZK: âððð ðâ âððð ð âð·ð·ð» ð« âð¥ â ð¿ âð§
ðð ð· ð¥,ð§, ð ð¥, ð§ = 1 â ðð ð· ð¥, ð§, ð, ðâ ð§ ð¥ , ð§ = 1 †ððð(|ð¥|)
Advanced comment:
⢠ð· is also given ð§
⢠If ð§ is sufficiently long, ð· can make use of its suffix
⢠ðâ and ð cannot (ð· is determined after them)
⢠implies indistinguishability against non-uniform circuits ð·
⢠Making ðâ also non uniform yields âweakerâ security
reduction (from ðâ to ð)
History
Oded Goldreich Avi Wigderson Manuel Blum
Moni Naor Salil VadhanRafail Ostrovsky Amit Sahai
The End
Questions?