zero-knowledge proof system slides by ouzy hadad, yair gazelle & gil ben-artzi adapted from ely...
Post on 20-Dec-2015

Zero-Knowledge Proof System

Slides by Ouzy Hadad, Yair Gazelle & Gil Ben-Artzi.
Adapted from Ely Porat course lecture notes.

Background and Motivation

The purpose of a traditional proof is to convince somebody, but typically the details of a proof give the verifier more information about the assertion.
A proof is zero-knowledge if the verifier does not get from it anything that he cannot compute by himself.

Background and Motivation (cont.)

Whatever can be efficiently obtained by interacting with a prover could also be computed without interaction, just by assuming that the assertion is true and conducting some efficient computation.

Zero Knowledge (Definition)

Let (P,V) be an interactive proof system for some language L. We say that (P,V), actually P, is zero-knowledge if for every probabilistic polynomial-time verifier V*, there exists a probabilistic polynomial-time machine M* s.t. for every x ∈ L holds
$$\{\langle P,V^*\rangle(x)\}_{x\in L} \cong \{M^*(x)\}_{x\in L}$$
Machine M* is called the simulator for the interaction of V* with P.

Perfect Zero Knowledge (Definition)

Let (P,V) be an interactive proof system for some language L. We say that (P,V), actually P, is perfect zero-knowledge (PZK) if for every probabilistic polynomial-time verifier V*, there exists a probabilistic polynomial-time machine M* s.t. for every x ∈ L the distributions $\{\langle P,V^*\rangle(x)\}_{x\in L}$ and $\{M^*(x)\}_{x\in L}$ are identical, i.e.,
$$\{\langle P,V^*\rangle(x)\}_{x\in L} \equiv \{M^*(x)\}_{x\in L}$$

Statistically close distributions (Definition)

The distribution ensembles $\{A_x\}_{x\in L}$ and $\{B_x\}_{x\in L}$ are statistically close, or have negligible variation distance, if for every polynomial p(•) there exists an integer N such that for every x ∈ L with |x| ≥ N holds:
$$\sum_{\alpha} \left|\mathrm{Prob}[A_x = \alpha] - \mathrm{Prob}[B_x = \alpha]\right| \le \frac{1}{p(|x|)}$$

Statistical zero-knowledge (Definition)

Let (P,V) be an interactive proof system for some language L. We say that (P,V), actually P, is statistical zero-knowledge (SZK) if for every probabilistic polynomial-time verifier V* there exists a probabilistic polynomial-time machine M* s.t. the ensembles $\{\langle P,V^*\rangle(x)\}_{x\in L}$ and $\{M^*(x)\}_{x\in L}$ are statistically close.

Computationally indistinguishable (Definition)

Two ensembles $\{A_x\}_{x\in L}$ and $\{B_x\}_{x\in L}$ are computationally indistinguishable if for every probabilistic polynomial-time distinguisher D and for every polynomial p(•) there exists an integer N such that for every x ∈ L with |x| ≥ N holds
$$\left|\mathrm{Prob}[D(x,A_x) = 1] - \mathrm{Prob}[D(x,B_x) = 1]\right| \le \frac{1}{p(|x|)}$$

Computational zero-knowledge (Definition)

Let (P,V) be an interactive proof system for some language L. (P,V), actually P, is computational zero-knowledge (CZK) if for every probabilistic polynomial-time verifier V* there exists a probabilistic polynomial-time machine M* s.t. the ensembles $\{\langle P,V^*\rangle(x)\}_{x\in L}$ and $\{M^*(x)\}_{x\in L}$ are computationally indistinguishable.

PZK by view

The pair <P,V> is PZK by view if for every p.p.t. (probabilistic polynomial-time) machine V* there exists a p.p.t. machine M* such that for every x ∈ L we have {view(P,V*)(x)} = {M*(x)}, where view(P,V*)(x) is the view of V* after running <P,V*> on the input x, and M*(x) is the output of M* on the input x.

IP is PZK iff PZK by view

Lemma: An interactive proof system is perfect zero-knowledge iff it is perfect zero-knowledge by view.

Proof:
Let M* satisfy $\{\mathrm{view}_{\langle P,V^*\rangle}(x)\}_{x\in L} \equiv \{M^*(x)\}_{x\in L}$ for every x ∈ L. M* has on its work-tape the final view of V*. Hence, it is able to perform the last step of V* and output the result. And so the modified M*(x) is identical to <P,V*>(x).

Proof of lemma (cont.)

Let M* satisfy $\{\langle P,V^*\rangle(x)\}_{x\in L} \equiv \{M^*(x)\}_{x\in L}$.
For a particular V*, let us consider a verifier V** that behaves exactly like V*, but outputs its whole view (at the end). There is a machine M** s.t.
$$\{\langle P,V^{**}\rangle(x)\}_{x\in L} \equiv \{M^{**}(x)\}_{x\in L}$$

Graph-Isomorphism

A pair of two graphs, G1 = (V1,E1), G2 = (V2,E2), where |V1| = |V2|.
Let be an isomorphism between the input graphs, namely is a 1-1 and onto mapping of the vertex set V1 to the vertex set V2 so that
(v,u) ∈ E1 iff ((v),(u)) ∈ E2

ZK proof for Graph Isomorphism

Prover's first step (P1): Select a random permutation over V1, construct the set F = {((u),(v)) : (u,v) ∈ E1}, and send H = (V1,F) to the verifier.
Verifier's first step (V1): V gets H from P, selects ∈ {1,2} and sends it to P.
P is supposed to answer with an isomorphism between G and H.

ZK proof for Graph Isomorphism (cont.)

(P2): If =1, then send = to V. Otherwise send = -1 to V.
(V2): If is an isomorphism between G and H then V outputs 1, otherwise it outputs 0.

Construction (diagram)

[Diagram: the messages exchanged between Prover and Verifier in steps P1, V1, P2 and V2 of the construction.]

An example:

[Figure: the graphs G1 and G2, each drawn on the vertices 1-5.]
Common input: two graphs G1 and G2.
Only P knows .

An example (cont.)

[Figure: the graphs G1, H and G2, each drawn on the vertices 1-5.]
Only P knows .
P sends H to V.
V sends =2 to P.
V gets = -1 and accepts.

Theorem: Graph isomorphism is in Zero-Knowledge

Theorem 1: The construction above is a perfect zero-knowledge interactive proof system (with respect to statistical closeness).

Proof of Theorem 1

Completeness:
If G1 ≅ G2, V always accepts.
First, G’=(G1).
If =1 then = , Hence:
(G) = (G1) = (G1) = G’ .
If =2 then = -1, Hence:
(G) = -1(G2) = (G1) = G’ .
And hence V always accepts when G1 ≅ G2.

Proof of Theorem 1 (cont.)

Soundness:
Let P* be any prover. If it sends to V a graph isomorphic neither to G1 nor to G2, then there is no isomorphism between G and G'. If G' ≅ G1 then P* can convince V with probability at most 1/2 (V selects ∈ {1,2} uniformly).
Hence, when G1 and G2 are non-isomorphic:
$$\mathrm{Pr}[\langle P^*,V\rangle(G_1,G_2) = \mathrm{accept}] \le \frac{1}{2}$$
If we run this several times we will get the desired probability.

Zero Knowledge (Construction of a simulator)

Let V* be any polynomial-time verifier, and let q(•) be a polynomial bounding the running time of V*.
M* selects a string $r \in_R \{0,1\}^{q(|x|)}$
r = 01100…………011

Construction of a Simulator (cont.)

M* selects ∈R {1,2}.
M* selects a random permutation over V.
M* constructs G'' = (G).
[Figure: an example permutation of the vertices 1-5 and the graphs G'' and G2.]

Construction of a Simulator (cont.)

M* runs V* with the latter's strings set as follows:
Input tape: x
Random tape: r
Message tape: G''
Denote as V*'s output.
M* halts with output (x,r,G'',).

Proof of Theorem 1 (cont.)

Definition: Let (P,V) be an interactive proof system for L. (P,V) is perfect zero-knowledge by view if for every probabilistic polynomial-time verifier V* there exists a probabilistic polynomial-time machine M* s.t. for every x ∈ L holds:
$$\{\mathrm{view}_{\langle P,V^*\rangle}(x)\}_{x\in L} \equiv \{M^*(x)\}_{x\in L}$$
where view<P,V*>(x) is the final view of V* after running <P,V*> on input x.
view = all the data a machine possesses

Proof of Theorem 1 (cont.)

Lemma: Let x = (G1,G2) ∈ ISO. Then for every string r, graph H and permutation , it holds that:
Pr [view<P,V*>(x) = (x,r,H,)] = Pr [M*(x) = (x,r,H,) | M*(x) ]
Proof:
Let m* describe M* conditioned on its not being .
Define the 2 random variables:
1. v(x,r) - the last 2 elements of view(P,V*)(x) conditioned on the second element equals r.
2. (x,r) - the same with m*(x).

Proof of lemma (cont.)

Let V*(x,r,H) denote the message sent by V* for a fixed r and an incoming message H.
We will show that v(x,r) and (x,r) are uniformly distributed over the set:
While running the simulator we have H=(G), and only the pairs satisfying =v*(x,r,H) lead to an output. Hence:
otherwise
GHifVHrxHrxV
0
)(|!|1
)),(),(Pr(),,(
1
.)(:, :),,(, HrxVrx GHHC

Proof of lemma (cont.)

Consider v(x,r):
For each H (which is isomorphic to G1):
Observing that and hence the lemma follows.
)),(G(
1))(Gr,(x,V)),(G(r)V(x,
12
11
otherwise
if
0
|!V|1
)),(r)(x,Pr(
H)r,(x,V1
1
otherwise
ifH
),,(V1
),,(V)(GH Hrx
Hrxiff

Proof of Theorem 1 (cont.)

Corollary: view<P,V*>(x) and M*(x) are statistically close.
Proof: A failure is output with probability 1/2.
If the simulator repeats steps P1-P2 of the construction |x| times and at least once at step P2 =, then output (x,r,G'',). If in all |x| trials , then output rubbish.
Hence, we got a statistical difference of $2^{-|x|}$, and so the corollary follows.
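
The graph-isomorphism construction and its simulator M*, as an added Python example (not code from the slides). The names phi (the prover's secret isomorphism from G1 onto G2), pi, sigma, psi and tau, the sample graphs, and the verifier that derives its challenge from H are assumptions of this example.

```python
import random

def graph(edge_list):
    """Undirected graph as a set of 2-element frozensets."""
    return frozenset(frozenset(e) for e in edge_list)

def relabel(perm, g):
    """Apply a vertex permutation (dict) to every edge of g."""
    return frozenset(frozenset(perm[v] for v in e) for e in g)

def compose(outer, inner):
    """The permutation v -> outer[inner[v]]."""
    return {v: outer[w] for v, w in inner.items()}

def invert(perm):
    return {w: v for v, w in perm.items()}

def random_perm(vertices, rng):
    image = list(vertices)
    rng.shuffle(image)
    return dict(zip(vertices, image))

def verifier_accepts(g1, g2, h, sigma, psi):
    """Step V2: psi must map the graph V asked about onto H."""
    return relabel(psi, g1 if sigma == 1 else g2) == h

def honest_round(g1, g2, phi, vertices, verifier, rng):
    """Real interaction <P,V*>: P knows phi with phi(G1) = G2."""
    pi = random_perm(vertices, rng)                        # P1: H = pi(G1)
    h = relabel(pi, g1)
    sigma = verifier(h)                                    # V1: challenge in {1,2}
    psi = pi if sigma == 1 else compose(pi, invert(phi))   # P2
    return h, sigma, psi

def simulate(g1, g2, vertices, verifier, rng, trials):
    """M*: knows no isomorphism. Guess the challenge, keep the run only if V* asks it."""
    for _ in range(trials):
        tau = rng.choice((1, 2))
        psi = random_perm(vertices, rng)
        h = relabel(psi, g1 if tau == 1 else g2)
        sigma = verifier(h)
        if sigma == tau:
            return h, sigma, psi
    return None  # failure output, reached with probability 2**-trials

def biased_verifier(h):
    """A V* that computes its challenge from H instead of flipping a coin."""
    return 1 + sum(min(e) for e in h) % 2

def share_of_sigma_one(sample, runs):
    """Fraction of transcripts in which the challenge was 1."""
    return sum(sample()[1] == 1 for _ in range(runs)) / runs

# Constructed sample input: G2 is G1 relabelled by PHI.
VERTICES = [1, 2, 3, 4, 5]
G1 = graph([(1, 2), (2, 3), (3, 4), (4, 5), (5, 1), (1, 3)])
PHI = {1: 3, 2: 1, 3: 5, 4: 2, 5: 4}
G2 = relabel(PHI, G1)
```

Every simulated transcript passes the verifier's check, and the challenge statistics of real and simulated transcripts agree even for a verifier that does not choose its challenge at random.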

Zero-Knowledge for NP

NP Problem: A language L belongs to NP if and only if there exist a two-input polynomial-time algorithm A and a constant c such that:
$$L = \{x \in \{0,1\}^* : \text{there exists a certificate } y \text{ with } |y| = O(|x|^c) \text{ such that } A(x,y) = 1\}$$
We say that algorithm A verifies language L in polynomial time.

IP for NP

Let L be a language that belongs to NP, and x ∈ L. P should prove to V that he knows the solution for x.
(P1): P guesses the solution y for the problem x.
(V1): V verifies in polynomial time that A(x,y)=1.
We will give a ZK interactive proof system for an NP-complete problem (G3C), which implies that for every NP problem we have a ZK proof.

G3C

Common Input: A graph
[Figure: a graph on the vertices 1-5.]
P can paint the graph in 3 colors.
P must keep the coloring a secret.

G3C is in Zero-Knowledge

Construction (ZK IP for G3C):
P chooses a random color permutation.
He puts all the nodes inside envelopes.
And sends them to the verifier.
[Figure: the graph on the vertices 1-5 at each of these steps.]

G3C is in ZK (cont.)

Verifier receives a 3-colored graph, but colors are hidden.
He chooses an edge at random.
And asks the prover to open the 2 envelopes.
[Figure: the graph on the vertices 1-5.]

G3C is in ZK (cont.)

Prover opens the envelopes, revealing the colors.
Verifier accepts if the colors are different.
[Figure: the graph on the vertices 1-5.]

Formally,

G = (V,E) is 3-colorable if there exists a mapping : V → {1,2,3} so that (u) ≠ (v) for every (u,v) ∈ E.
Let be a 3-coloring of G, and let be a permutation over {1,2,3} chosen randomly.
Define (v) = ((v)), a random 3-coloring.
Put each (v) in a box with v marked on it.
Send all the boxes to the verifier.

Formally, (cont.)

Verifier selects an edge $e = (u,v) \in_R E$ at random, asking to inspect the colors.
Prover sends the keys to boxes u and v.
Verifier uses the keys to open the boxes.
If he finds 2 different colors from {1,2,3} - Accept.
Otherwise - Reject.

G3C (diagram)

[Diagram: P sends V the boxes of the vertices 1, 2, …, n; V sends P an edge $e = (u,v) \in_R E$; P sends V the keys key_u, key_v.]

The construction is in ZK:

Completeness:
If G is 3-colorable and both P and V follow the rules, V will accept.
Soundness:
Suppose G is not 3-colorable and P* tries to cheat. Then at least one edge (u,v) will be colored badly: (u) = (v). V will pick a bad edge with probability 1/|E|, which can be increased to 2/3 by repeating the protocol sufficiently many times.
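
One round of the G3C construction with the envelopes realised as SHA-256 hash commitments, as an added Python example (not code from the slides). The commitment scheme, the sample graph and both colorings are assumptions of this example; a hash commitment hides the color only computationally, whereas the slides assume perfectly sealed boxes.

```python
import hashlib
import random
import secrets

def seal(color):
    """Envelope for one vertex: a hash commitment and the key that opens it."""
    key = secrets.token_bytes(16)
    return hashlib.sha256(key + bytes([color])).digest(), key

def prover_commit(coloring, rng):
    """P: permute the three colors at random, then seal every vertex's color."""
    shuffled_colors = [1, 2, 3]
    rng.shuffle(shuffled_colors)
    hidden = {v: shuffled_colors[c - 1] for v, c in coloring.items()}
    boxes, keys = {}, {}
    for v, color in hidden.items():
        boxes[v], keys[v] = seal(color)
    return boxes, keys, hidden

def verifier_check(boxes, edge, opened):
    """V: open the two envelopes of the chosen edge and compare the colors."""
    revealed = []
    for v in edge:
        color, key = opened[v]
        if color not in (1, 2, 3):
            return False
        if hashlib.sha256(key + bytes([color])).digest() != boxes[v]:
            return False  # this key does not open the envelope to this color
        revealed.append(color)
    return revealed[0] != revealed[1]

def run_round(edges, coloring, rng):
    """One full round: commit, random edge, open two envelopes, check."""
    boxes, keys, hidden = prover_commit(coloring, rng)
    edge = rng.choice(edges)
    opened = {v: (hidden[v], keys[v]) for v in edge}
    return verifier_check(boxes, edge, opened)

def acceptance_rate(edges, coloring, rounds, rng):
    return sum(run_round(edges, coloring, rng) for _ in range(rounds)) / rounds

def repetitions_needed(num_edges, target):
    """Smallest k with 1 - (1 - 1/|E|)**k >= target."""
    k, miss = 0, 1.0
    while 1 - miss < target:
        miss *= 1 - 1 / num_edges
        k += 1
    return k

# Constructed sample input: a 3-colorable graph on 5 vertices.
EDGES = [(1, 2), (2, 3), (3, 4), (4, 5), (5, 1), (1, 3)]
GOOD = {1: 1, 2: 2, 3: 3, 4: 1, 5: 2}   # proper 3-coloring
BAD = {1: 1, 2: 2, 3: 3, 4: 3, 5: 2}    # edge (3,4) is colored badly
```

With one bad edge out of six, a single round accepts the bad coloring about 5/6 of the time, and seven repetitions are needed before it is caught with probability at least 2/3.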

Zero Knowledge (Construction of a simulator)

Let V* be any polynomial-time verifier, and let q(•) be a polynomial bounding the running time of V*.
M* selects a string $r \in_R \{0,1\}^{q(|x|)}$
r = 110.......11010

Construction of a Simulator (cont.)

M* selects $e' = (u',v') \in_R E$.
M* sends to V* boxes filled with garbage, except for the boxes of u' and v', colored as follows: u' gets $c \in_R \{1,2,3\}$ and v' gets $d \in_R \{1,2,3\} \setminus \{c\}$.
If V* picks (u',v'), M* sends V* their keys and the simulation is completed.
Otherwise, the simulation fails.

Analysis of the Simulation

For every G ∈ G3C, the distribution of m*(<G>) = M*(<G>) | (M*(<G>) ) is identical to <P,V*>(<G>).
Since V* can't tell e' from other edges by looking at the boxes, he picks e' with probability 1/|E|, which can be increased to a constant by repeating M* sufficiently many times.
So if the boxes are perfectly sealed, G3C ∈ PZK.

ZK for Finding square modulo n

Input: $x^2$ modulo n.
Output: x modulo n.
The prover needs to prove that he knows the output.

ZK for Finding square modulo n (cont.)

(P1): P finds two large prime numbers p, q, where n = p·q. He also chooses randomly r ∈ [n, $n^4$].
P sends n, $x^2$ mod n and $r^2$ mod n to V.
(V1): V has two possibilities:
(a) Ask for r. Check the value of $r^2$ mod n.
(b) Ask for x·r. Check the value of $x^2 r^2$ mod n.

Analysis of the Protocol - square modulo n

Soundness: If P does not know x, then with probability 50% V will catch him; if we run this several times, V will reject with probability larger than 2/3.
Completeness: If P knows x, V always accepts.

Analysis of the Protocol - square modulo n (cont.)

This protocol is computational ZK.
The protocol gives the value $x^2$ mod n, but the verifier can't calculate x from it.
If the verifier asks option 1 from the prover, he gets no additional info.
If the verifier asks option 2 from the prover, he gets xr, which is random.
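
The square-root protocol with a transcript simulator in the style of the graph-isomorphism one, as an added Python example (not code from the slides). It shows why an answer to option (b) can be produced without x, and why a prover without x survives a random challenge only half of the time. The small primes, the value of x and all function names are assumptions of this example.

```python
import random

def commit(n, rng):
    """P1: pick r in [n, n^4] and publish r^2 mod n."""
    r = rng.randrange(n, n ** 4 + 1)
    return r, r * r % n

def respond(x, r, choice):
    """P's answer: r for option (a), x*r for option (b)."""
    return r if choice == "a" else x * r

def verify(n, x_sq, r_sq, choice, answer):
    """V1: square the answer and compare with what P published."""
    expected = r_sq if choice == "a" else x_sq * r_sq % n
    return answer * answer % n == expected

def honest_round(n, x, choice, rng):
    r, r_sq = commit(n, rng)
    return verify(n, x * x % n, r_sq, choice, respond(x, r, choice))

def simulate(n, x_sq, guess, rng):
    """Transcript built without x; it is valid only for the guessed option."""
    s = rng.randrange(n, n ** 4 + 1)
    if guess == "a":
        return s * s % n, s                  # ordinary commitment, answer r = s
    r_sq = s * s * pow(x_sq, -1, n) % n      # chosen so that s^2 = x^2 * r^2 (mod n)
    return r_sq, s                           # s plays the role of x*r

def fooled_rate(n, x_sq, rounds, rng):
    """How often a prover without x passes a uniformly random challenge."""
    hits = 0
    for _ in range(rounds):
        r_sq, answer = simulate(n, x_sq, rng.choice("ab"), rng)
        hits += verify(n, x_sq, r_sq, rng.choice("ab"), answer)
    return hits / rounds

# Constructed sample input: toy primes, far too small for real use.
N = 1009 * 1013
X = 123456
X_SQ = X * X % N
```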

CO-NP ⊆ ZK

In order to prove the above it's enough to show that a CO-NP complete problem is in IP.
We will show that CO-SAT belongs to IP. Then we can show that CO-SAT belongs to ZK.
Reminder: CO-SAT means that there is no truth assignment for an equation.
We can treat it as a specific case of proving that for an equation there are exactly K truth assignments (in this case, K=0).

CO-SAT ∈ IP

Lemma
1. (x1,x2,x3,…,Xn) has exactly Kn truth assignments k0,k1 : Kn=k0+k1
2. (0,x2,x3,…Xn) = 0(x2,x3,…Xn) has exactly k0 truth assignments
3. (1,x2,x3,…Xn) = 1(x2,x3,…Xn) has exactly k1 truth assignments

Informal explanation
By setting a variable in the original equations we create a new equation with a special relation to the original one.
Each new equation must have a specific number of assignments, which can be pre-calculated.

CO-SAT ∈ IP

We can now construct a solution based upon the previous lemma.
Prover will send verifier k0,k1 for (n).
Verifier will check that for (n-1), condition 1 of the lemma is true (Kn=k0+k1).
Verifier will create randomly a new equation (n+1), by assigning 1 or 0 to the first variable of n.
If we assign 1, the number of solutions should be k1, otherwise k0.
Verifier will send to prover the new equation.

CO-SAT ∈ IP

Now prover will send the new k0n,k1n for the new (n+1).
Verifier remembers the previous k1 and can check if k1=k0n+k1n, so the prover cannot cheat him.
At each stage we reduce one variable from the equation by assigning a value to it.
Now let's prove completeness & soundness.

CO-SAT ∈ IP

Completeness
If prover does not cheat, each new equation will have the appropriate relation to the previous one and verifier will be convinced.
Soundness
If prover cheats, i.e. sends k0 as a false one, the new equation should be based upon assignment of 0 to the first element in order to see it (remember that we check only one of k0/k1 – it depends on the assignment). We have a probability of ½ to do this, and we should always pick the right assignment down the road. Total probability (in the worst case) is (½)^n.
Houston, we have a problem! (no soundness)

CO-SAT ∈ IP, Solution 2

We will expand the range of the variables of to a field (F) such that |F| > (2)^n.
Each variable can now get not just 0 or 1 but a value from the field.
We will construct a new equation `: F0 , T positive integer ^ * , +(p)`p , (~p)` 1-p`(p^q)`p`q` , (pq)` ~(~(~p ^ ~q))’

CO-SAT ∈ IP, Solution 2

We now have `, which is a polynomial of (x1,…,Xn) over the field F.
Prover should now prove that
Σ_{x1∈{0,1}} Σ_{x2∈{0,1}} … Σ_{xn∈{0,1}} `(x1,…,xn) = K
Note that
1. Number of roots for [p1(0)+p1(1)] = p0().
2. Polynomials have the same number of roots for [p1()-p2()] = 0

CO-SAT ∈ IP, Solution 2

Prover will send the polynomial [P1], and the number of roots (K) for this polynomial.
Verifier will check that K=p1(0)+p1(1), choose a random value ∈ F and send it to prover.
Prover will now construct a new polynomial P2 = P1(), calculate the number of roots for the new one and send it to verifier.
This process continues until all variables have been assigned (2n iterations).

CO-SAT ∈ IP, Solution 2

Completeness is clear.
Soundness
In order to lie, the prover should send the verifier a false polynomial. This polynomial should have the same roots as the correct one. Since we have a field of elements, the probability for this is n/|F|. The probability not found this is (1-n/|F|) > 2/3.
We proved that CO-NP is in IP
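
The counting protocol of Solution 2 run end to end, as an added Python example (not code from the slides). It assumes the usual arithmetization (x becomes x, ~p becomes 1-p, a clause becomes 1 minus the product of its negated literals, the formula is the product of its clauses), clause lists with signed variable numbers, the prime field of size 2^61 - 1, and a hypothetical lying prover that shifts each polynomial to fit a false count.

```python
import itertools
import random

P = 2 ** 61 - 1   # prime field size, far above 2^n for the sample formulas

def arith(cnf, point):
    """Value of the arithmetized formula at a point of F^n."""
    value = 1
    for clause in cnf:
        all_false = 1
        for lit in clause:
            x = point[abs(lit) - 1]
            all_false = all_false * (1 - (x if lit > 0 else 1 - x)) % P
        value = value * (1 - all_false) % P
    return value

def interpolate(evals, x):
    """Evaluate at x the polynomial g with g(i) = evals[i], i = 0..d (Lagrange form)."""
    total = 0
    for i, y in enumerate(evals):
        num = den = 1
        for j in range(len(evals)):
            if j != i:
                num = num * (x - j) % P
                den = den * (i - j) % P
        total = (total + y * num * pow(den, -1, P)) % P
    return total

def honest_prover(cnf, n, prefix, claim, degree):
    """Round polynomial: fix the random prefix, keep one variable free, sum the rest over {0,1}."""
    rest = n - len(prefix) - 1
    evals = []
    for t in range(degree + 1):
        evals.append(sum(arith(cnf, prefix + [t] + list(tail))
                         for tail in itertools.product((0, 1), repeat=rest)) % P)
    return evals

def shifting_prover(cnf, n, prefix, claim, degree):
    """Lying prover: shifts the true polynomial so that g(0) + g(1) equals the false claim."""
    true = honest_prover(cnf, n, prefix, claim, degree)
    delta = (claim - true[0] - true[1]) * pow(2, -1, P) % P
    return [(e + delta) % P for e in true]

def verify_count(cnf, n, k, prover, rng):
    """Verifier: accept iff the claim 'exactly k satisfying assignments' survives every round."""
    degree = sum(len(clause) for clause in cnf)   # safe bound on the degree in one variable
    claim, prefix = k % P, []
    for _ in range(n):
        evals = prover(cnf, n, list(prefix), claim, degree)
        if len(evals) != degree + 1 or (evals[0] + evals[1]) % P != claim:
            return False
        r = rng.randrange(P)              # random field element sent to the prover
        claim = interpolate(evals, r)     # new claim about the reduced polynomial
        prefix.append(r)
    return claim == arith(cnf, prefix)    # final check needs no prover

def count_satisfying(cnf, n):
    """Brute-force count over {0,1}^n, for comparison."""
    return sum(arith(cnf, list(b)) for b in itertools.product((0, 1), repeat=n))

# Constructed sample formulas.
SAT3 = [[1, 2], [-1, 3]]          # (x1 or x2) and (not x1 or x3): 4 satisfying assignments
UNSAT2 = [[1, 2], [-1], [-2]]     # unsatisfiable: the CO-SAT case K = 0
```

The false claim K = 0 for the satisfiable formula passes every intermediate check of the shifting prover and is rejected only at the final evaluation, which the verifier computes by itself.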

CO-NP ⊆ ZK

It's enough to show that CO-SAT is in ZK.
The problem in the previous solution is that the verifier can see at each stage the solution of the previous one.
He can use it to get some other information from the prover.

CO-SAT ∈ ZK

The prover can now send the polynomial in envelopes, just like in G3C.
The verifier should now check that the prover has not misled him.
We now have a new problem: how can we open the envelopes without gaining any information from the prover?

CO-SAT ∈ ZK

The problem of opening the envelopes is in NP, since the oracle can guess the keys and we can verify in polynomial time that indeed we have the appropriate keys.
Since NP ⊆ ZK, we can now make a reduction and solve the above problem.
CO-SAT ∈ ZK ⇒ CO-NP ⊆ ZK!