zero-knowledge for npcyber.biu.ac.il/wp-content/uploads/2018/08/ws-19-2-zk...can ๐ด be proved in...
TRANSCRIPT
BIU WINTER SCHOOL | February 2019
ZERO-KNOWLEDGE for NP
ALON ROSEN IDC HERZLIYA
Perfect ZK
Perfect ZK: โ๐๐๐ ๐โ โ๐๐๐ ๐ โ๐ฅ โ ๐ฟ โ๐ง
๐ ๐ฅ, ๐ง โ ๐ ๐ค , ๐โ ๐ง ๐ฅ
Proposition: ๐๐ ๐ โ PZK
๐๐ complete
๐๐ด๐
๐ฟ๐ผ๐ P
NP
๐๐ ๐
Can ๐๐ด๐ be proved in ZK?
Why do we care?
โข ๐๐ ๐ is specific
โข ๐๐ด๐ is NP-complete
โข If ๐๐ด๐ โ ZK then every ๐ฟ โ NP is provable in ZK
Theorem [Fโ87, BHZโ87]: If ๐๐ด๐ โ PZK then the
polynomial-time hierarchy collapses to the second level
Possible relaxations:
โข Computational indistinguishability (now)
โข Computational soundness (later)
Statistical
Zero-Knowledge
Statistical Indistinguishabi lity
Let ๐ and ๐ be random variables taking values in a set ฮฉ
Perfect indistinguishability (๐ โ ๐): โ๐ โ ฮฉ
๐๐๐ ๐ โ ๐ = ๐๐๐ ๐ โ ๐
๐-indistinguishability (๐ โ ๐ ๐): โ๐ โ ฮฉ
๐๐ ๐ โ ๐ โ ๐๐ ๐ โ ๐ โค ๐
โข ๐ = ๐๐ and ๐ = ๐๐
โข ๐ = ๐ ๐
Statistical Indistinguishabi lity
Let ๐ and ๐ be random variables taking values in a set ฮฉ
Perfect indistinguishability (๐ โ ๐): โ๐ โ ฮฉ
๐๐๐ ๐ โ ๐ = ๐๐๐ ๐ โ ๐
๐-indistinguishability (๐ โ ๐ ๐): โ๐ โ ฮฉ
๐๐ ๐ โ ๐ โ ๐๐ ๐ โ ๐ โค ๐
Triangle inequality: if
โข ๐, ๐ are ๐1 -indistinguishable and
โข ๐, ๐ are ๐2-indistinguishable then
โข ๐, ๐ are ๐1 + ๐2 -indistinguishable
Statistical Indistinguishabi lity
Let ๐ and ๐ be random variables taking values in a set ฮฉ
Perfect indistinguishability (๐ โ ๐): โ๐ โ ฮฉ
๐๐๐ ๐ โ ๐ = ๐๐๐ ๐ โ ๐
๐-indistinguishability (๐ โ ๐ ๐): โ๐ โ ฮฉ
๐๐ ๐ โ ๐ โ ๐๐ ๐ โ ๐ โค ๐
Indistinguishability of multiple samples: if
โข ๐, ๐ are ๐-indistinguishable then
โข ๐๐ , ๐๐ are ๐๐-indistinguishable
Hybrid argument: ๐๐โ๐๐๐๐โ1 โ ๐ ๐๐โ๐๐ฟ๐๐โ1
๐๐โ๐๐๐๐โ1 โ ๐ ๐๐โ๐๐ฟ๐๐โ1
๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐โ ๐ ๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐โ ๐ ๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐โ ๐ ๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐
โฎ
โ ๐ ๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐โ ๐ ๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐๐
By triangle inequality: ๐ + ๐ + โฏ+ ๐ = ๐๐
Hybrid Argument
๐ = 0 ๐๐ โ
โ ๐๐
๐ = 1
๐ = 2๐ = 3
๐ = ๐ โ 1๐ = ๐
Statistical ZK: โ๐๐๐ ๐โ โ๐๐๐ ๐ โ๐ฅ โ ๐ฟ โ๐ง
๐ ๐ฅ, ๐ง โ ๐ ๐, ๐โ ๐ง ๐ฅ
โข SZK - all ๐ฟ that have a statistical ZK proof
โข ๐ ๐ฅ, ๐ง and ๐, ๐โ ๐ง ๐ฅ are indexed by ๐ฅ, ๐ง
โข Typically ๐ = ๐ฅ (actually, ๐ = ๐ค )
Theorem [Fโ87, BHZโ87]: If ๐๐ด๐ โ SZK then the polynomial-
time hierarchy collapses to the second level
Statistical ZK
Computational
Zero-Knowledge
๐-indistinguishability (๐ โ ๐ ๐): โ๐ โ ฮฉ
๐๐ ๐ โ ๐ โ ๐๐ ๐ โ ๐ โค ๐
๐ก, ๐ -indistinguishability (๐ โ ๐ ๐): โ๐ โ ฮฉ that are
โdecidable in time ๐กโ
๐๐ ๐ โ ๐ โ ๐๐ ๐ โ ๐ โค ๐
๐ โ ๐ด is decidable in time ๐ก if โtime-๐ก ๐ท such that โ๐ฅ โ ๐ด
๐ฅ โ ๐ โท ๐ท ๐ฅ = 1
Computational Indistinguishabi lity
๐-indistinguishability (๐ โ ๐ ๐): โ๐ โ ฮฉ
๐๐ ๐ โ ๐ โ ๐๐ ๐ โ ๐ โค ๐
๐ก, ๐ -indistinguishability (๐ โ ๐ ๐): โtime-๐ก ๐ท
๐๐ ๐ท ๐ = 1 โ ๐๐ ๐ท ๐ = 1 โค ๐
Triangle inequality: if
โข ๐, ๐ are ๐ก1, ๐1 -indistinguishable and
โข ๐, ๐ are ๐ก2, ๐2 -indistinguishable then
โข ๐, ๐ are ๐๐๐ ๐ก1, ๐ก2 , ๐1 + ๐2 -indistinguishable
Computational Indistinguishabi lity
๐-indistinguishability (๐ โ ๐ ๐): โ๐ โ ฮฉ
๐๐ ๐ โ ๐ โ ๐๐ ๐ โ ๐ โค ๐
๐ก, ๐ -indistinguishability (๐ โ ๐ ๐): โtime-๐ก ๐ท
๐๐ ๐ท ๐ = 1 โ ๐๐ ๐ท ๐ = 1 โค ๐
Indistinguishability of multiple samples: if
โข ๐, ๐ are ๐ก, ๐ -indistinguishable then
โข ๐๐ , ๐๐ are ๐ก, ๐๐ -indistinguishable
Hybrid argument (non-uniform):
๐๐โ๐๐๐๐โ1 โ ๐ ๐๐โ๐๐ฟ๐๐โ1
Computational Indistinguishabi lity
Computational Indistinguishabi lity
Typically:
โข ๐ก = ๐๐๐๐ฆ ๐โข ๐ = ๐๐๐ ๐
Definition: ๐ = ๐ ๐ is negligible if it is eventually smaller
than 1/๐ ๐ for every polynomial ๐
๐ = ๐๐๐ ๐ , ๐ = ๐๐๐๐ฆ ๐ โ ๐๐ = ๐๐๐ ๐
๐1 โ ๐ ๐2โฏ โ ๐ ๐
๐ โ ๐1 โ ๐๐ ๐๐
In practice: concrete choices of ๐ก,q and ๐
Computational ZK: โ๐๐๐ ๐โ โ๐๐๐ ๐ โ๐ฅ โ ๐ฟ โ๐ง
๐ ๐ฅ, ๐ง โ ๐ ๐, ๐โ ๐ง ๐ฅ
PZK โ SZK โ CZK
Theorem [GMWโ86]: Suppose one-way functions exist.
Then NP โ CZK
Computational ZK
Definition: ๐: 0,1 โ โ 0,1 โ is ๐ก, ๐ -one-way if โtime-๐ก ๐ด
๐๐๐ ๐ด inverts ๐ ๐ โค ๐
Candidate OWFs:
โข Rabin/RSA: ๐ฅ2 ๐๐๐ ๐ ๐ฅ๐ ๐๐๐ ๐
โข Discrete exponentiation: ๐๐ฅ ๐๐๐ ๐
โข SIS/LWE: ๐ด๐ฅ ๐๐๐ ๐ ๐ด๐ฅ + ๐ ๐๐๐ ๐
โข AES: ๐ด๐ธ๐๐ฅ 0๐
โข SHA: โ ๐ฅ
One-way Functions
Commitment Schemes
Commitment Scheme
โข Two-stage protocol between Committer and Receiver
Completeness: ๐ถ can always generate valid
๐ = ๐ถ๐๐ ๐, ๐
R๐ = ๐ถ๐๐ ๐, ๐
๐, ๐ = ๐ท๐๐ ๐
Commit
Reveal
Commitment Scheme
โข Two-stage protocol between Committer and Receiver
RCommit
Reveal
๐ถ๐๐ ๐, ๐ is
๐ โโs view of the
commit phase
๐ท๐๐ ๐ is
๐ โโs view of the
reveal phase
Canonical reveal:
๐ท๐๐ ๐ = ๐, ๐
Statistical ly-binding Commitments
Definition: A statistically-binding ๐ถ๐๐,๐ท๐๐ satisfies:
Computational hiding: ๐๐๐ ๐ โ โ๐1, ๐2
๐ถ๐๐ ๐1 โ ๐ ๐ถ๐๐ ๐2
Statistical binding: ๐ถโ โ๐1 โ ๐2
๐๐ ๐ถโ wins the binding game โค ๐๐๐ ๐
๐ถโ wins the binding game if it generates ๐ along with
โข ๐1, ๐1 = ๐ท๐๐ ๐โข ๐2, ๐2 = ๐ท๐๐ ๐
โข Note: hiding holds even if ๐1, ๐2 are known
โข Later: statistically-hiding commitments
โข El-Gamal (assuming DDH):
๐ถ๐๐๐,โ ๐, ๐ = ๐๐ , โ๐ โ ๐๐
โข Any OWP:
๐ถ๐๐ ๐, ๐ = ๐ ๐ , ๐ ๐ โ ๐
โข Any PRG (and hence OWF):
๐ถ๐๐๐ ๐, ๐ = แ๐บ ๐ ๐ = 0๐บ ๐ โ ๐ ๐ = 1
Examples (statistical ly-binding)
NP โ CZK
Theorem [GMWโ86]: If statistically-binding commitments
exist then NP โ CZK
Theorem [Bโ86]: If statistically-binding commitments
exist then ๐ป๐ด๐ โ CZK
๐ป๐ด๐ = ๐บ| ๐บ has a Hamiltomian cycle
Ham cycle: passes via each vertex exactly once
๐ป๐ด๐ โ CZK
Every ๐ฟ โ NP is poly-time reducible to ๐ป๐ด๐
โpoly-time computable ๐ such that โ๐ฅ
๐ฅ โ ๐ฟ โ ๐ ๐ฅ โ ๐ป๐ด๐
To prove ๐ฟ โ CZK, sufficient to prove ๐ป๐ด๐ โ CZK
๐ป๐ด๐ i s NP -complete
VP ๐ฅ โ ๐ฟโ
๐ ๐ฅ โ ๐ป๐ด๐
ACCEPT/REJECT
๐ค for ๐ฅ โ ๐ฟโ
๐(๐ค) for ๐ ๐ฅ โ ๐ป๐ด๐
๐
๐
๐
๐
๐
๐
Adjacency Matrix Representation
0 1 0 0 1 1
1 0 1 1 0 0
1 1 0 0 1 0
0 0 1 0 1 1
1 0 1 1 0 1
1 1 0 1 1 0
Graph ๐บ Ham cycle ๐ค
0 ๐ 0 0 1 1
1 0 1 ๐ 0 0
1 1 0 0 ๐ 0
0 0 ๐ 0 1 1
1 0 1 1 0 ๐
๐ 1 0 1 1 0
0 ๐ 0 0 1 1
1 0 1 ๐ 0 0
1 1 0 0 ๐ 0
0 0 ๐ 0 1 1
1 0 1 1 0 ๐
๐ 1 0 1 1 0
Committing to ๐บ and opening cycle ๐ค
Graph ๐บ ๐ = ๐ถ๐๐ ๐บ
๐
๐
๐
๐
๐
๐
โ
0 ๐ 0 0 1 1
1 0 1 ๐ 0 0
1 1 0 0 ๐ 0
0 0 ๐ 0 1 1
1 0 1 1 0 ๐
๐ 1 0 1 1 0
๐ค โ ๐ท๐๐ ๐๐บ = ๐ท๐๐ ๐
An interactive proof for ๐ป๐ด๐
VP
๐ = 0: ๐ข โ ๐ท๐๐ ๐
๐
๐บ โ ๐ป๐ด๐
๐ โ๐ 0,1
๐ = ๐ถ๐๐ ๐(๐บ)๐ โ๐ ๐๐
Ham cycle ๐ค
๐ = 1: ๐, ๐ป = ๐ท๐๐ ๐
In either case,
verify hat ๐ท๐๐ are valid
๐ข=๐(๐ค) Verify that ๐ข is a cycle
Verify that ๐ป = ๐ ๐บ
When ๐ = 0
๐ = ๐ถ๐๐ ๐(๐บ)
๐
๐
๐
๐
๐
๐
๐ข โ ๐ท๐๐ ๐
๐ = 0
Verify :
โข That ๐ท๐๐ is valid
โข That ๐ข is a cycle
When ๐ = 1
0 1 0 0 1 1
1 0 1 1 0 0
1 1 0 0 1 0
0 0 1 0 1 1
1 0 1 1 0 1
1 1 0 1 1 0
6 1 3 2 5 4
๐ป = ๐ท๐๐ ๐๐ = ๐ถ๐๐ ๐(๐บ)
๐
๐ = 1
Verify :
โข That ๐ท๐๐ is valid
โข That ๐ป = ๐ ๐บ
Soundness
Claim: If ๐ถ๐๐,๐ท๐๐ is statistically binding then ๐, ๐is an interactive proof for ๐ป๐ด๐
Soundness:
If ๐๐๐ ๐โ, ๐ accepts ๐ฅ > 1/2
then both
โข ๐ข is a cycle in ๐ป
โข and ๐ป = ๐ ๐บ
So ๐โ1 ๐ข is a cycle in ๐บ
VP*
๐ = 0: ๐ข
๐
๐ถ๐๐ ๐(๐บ)
๐ = 1: ๐, ๐ป ๐ป = ๐ ๐บ
๐ข is a cycle
Computational ZK
Simulator ๐๐โ๐บ :
1. Set ๐บ0 = ๐ข for ๐ข โ๐ ๐๐ฆ๐๐๐๐2. Set ๐บ1 = ๐(๐บ) for ๐ โ๐ ๐๐3. Sample ๐ โ๐ โค๐
โ
๐ = 0: Set ๐ = ๐ถ๐๐ ๐บ0๐ = 1: Set ๐ = ๐ถ๐๐ ๐บ1
4. If ๐โ ๐ = ๐
๐ = 0: Output ๐,๐, ๐ข
๐ = 1: Output ๐,๐, ๐,๐บ1
5. Otherwise repeat
V*P
๐ = 0: ๐ข
๐ = ๐โ ๐
๐
๐ = 1: ๐, ๐ป
0 ๐ 0 0 0 0
0 0 0 ๐ 0 0
0 0 0 0 ๐ 0
0 0 ๐ 0 0 0
0 0 0 0 0 ๐
๐ 0 0 0 0 0
Computational ZK
๐บ0
๐ = 0
๐บ1
๐ = 1
๐
6 1 3 2 5 4
0 1 0 0 1 1
1 0 1 1 0 0
1 1 0 0 1 0
0 0 1 0 1 1
1 0 1 1 0 1
1 1 0 1 1 0
Computational ZK
๐ = 0
๐ = ๐ถ๐๐ ๐บ0
๐ = 1
๐ = ๐ถ๐๐ ๐บ1
โ ๐
๐
๐
๐
๐
๐
๐
Computational ZK
If ๐โ ๐ = 0(otherwise repeat)
If ๐โ ๐ = 1(otherwise repeat)
๐บ0 = ๐ข ๐บ1 = ๐(๐บ)
๐
6 1 3 2 5 4
0 1 0 0 1 1
1 0 1 1 0 0
1 1 0 0 1 0
0 0 1 0 1 1
1 0 1 1 0 1
1 1 0 1 1 0
Claim: If ๐ถ๐๐ is computationally hiding then ๐๐โ๐บ runs
in polynomial time
1. From hiding of ๐ถ๐๐ and the fact that ๐โis ๐๐๐:
๐๐๐,๐ ๐โ ๐ถ๐๐ ๐บ๐ = ๐ โ 1/2
Exercise: otherwise ๐โ distinguishes between
๐ถ๐๐ ๐บ0 and ๐ถ๐๐ ๐บ1
2. This implies: ๐ผ #repetitions โ 2
Computational ZK
Claim: If ๐ถ๐๐ is computationally hiding then โ๐บ โ ๐ป๐ด๐
๐๐โ๐บ โ ๐ ๐(๐ค), ๐โ ๐บ
1. Let ๐ป๐โ ๐บ,๐ค act identically to ๐๐โ๐บ except that:
โข ๐ป commits to ๐บ1 instead of ๐บ0โข When ๐โ ๐ = 0, ๐ป outputs ๐(๐ค) instead of ๐ข
2. Exercise:
๐๐โ๐บ โ ๐ ๐ป
๐โ ๐บ,๐ค โ ๐(๐ค), ๐โ ๐บ
Hint: ๐ถ๐๐ ๐บ0 โ ๐ ๐ถ๐๐ ๐บ1 even if ๐บ,๐ค, ๐ are known.
Computational ZK
๐
๐
๐
๐
๐
๐
๐
๐
๐
๐
๐
๐
Computational ZK
๐๐โ๐บ | ๐ = 0
๐ = ๐ถ๐๐ ๐บ0 ๐ = ๐ถ๐๐ ๐บ1
โ ๐
๐ = ๐ถ๐๐ ๐บ0 โ ๐ถ๐๐(๐(๐ค)) ๐ = ๐ถ๐๐ ๐บ1 โ ๐ถ๐๐(๐(๐ค))
๐ป๐โ ๐บ,๐ค | ๐ = 0
One-way functions (or rather some weak form of them)
are necessary for non-trivial ZK
Theorem [OWโ90]: If โZK proofs for languages outside of
BPP then there exist functions with one-way instances
Theorem [OWโ90]: If โZK proofs for languages that are
hard on average then there exist one-way functions
Unconditional characterization of ZK [Vadโ06]:
โข HVZK = ZKโข ZK is closed under union
โข Public-coin ZK equals private-coin ZKโข ZK w/ imperfect compl. equals ZK w/ perfect compl.
Techniques borrowed from the study of SZK [SVโ90โs]
Computational ZK โ some more
Summary
BPP โ PZK โ SZK โ CZK = IP
Defined:
โข Statistical indistinguishability
โข Computational indistinguishability
โข SZK, CZK
โข One way-functions
โข Statistically-binding commitments
Saw:
โข Examples of statistically-binding commitments
โข NP โ CZK via ๐ป๐ด๐ โ CZK
Food for Thought
โข Efficiency of reduction to ๐ป๐ด๐โข Classic reduction from ๐๐ด๐ to ๐ป๐ด๐ has quadratic blowup
โข Ideally: linear blowup (with small constants)
โข Communication complexityโข Statistically-binding commitments imply linear communication
โข Next lecture: statistically-hiding commitments
โข Open up the possibility of sublinear communication
โข Efficiency of prover and/or verifierโข May have to optimize ๐, ๐ even if sublinear communication
โข Both time and space complexities โ tradeoff between ๐, ๐
โข Round complexityโข Much research devoted to minimizing rounds (see next lecture)
Other considerations
Define
โข what it means to break the system
โข Adversaryโs access/resources
Build
โข In ZK first there were protocols, only then defs
Prove
โข We still do not have good โlanguageโ for proofs
โข ML theory vs Crypto theory (crypto theory is essential)
First feasibility then efficiency
โข Optimize (round/comm. complexity, verifier time/space)
Relax definition (Argument/WI/WH/NIZK)
Modern Crypto Methodology
Auxi l iary input to ๐ท and Non-uniform ๐โ
Computational ZK: โ๐๐๐ ๐โ โ๐๐๐ ๐ โ๐ท๐ท๐ป ๐ซ โ๐ฅ โ ๐ฟ โ๐ง
๐๐ ๐ท ๐ฅ,๐ง, ๐ ๐ฅ, ๐ง = 1 โ ๐๐ ๐ท ๐ฅ, ๐ง, ๐, ๐โ ๐ง ๐ฅ , ๐ง = 1 โค ๐๐๐(|๐ฅ|)
Advanced comment:
โข ๐ท is also given ๐ง
โข If ๐ง is sufficiently long, ๐ท can make use of its suffix
โข ๐โ and ๐ cannot (๐ท is determined after them)
โข implies indistinguishability against non-uniform circuits ๐ท
โข Making ๐โ also non uniform yields โweakerโ security
reduction (from ๐โ to ๐)
History
Oded Goldreich Avi Wigderson Manuel Blum
Moni Naor Salil VadhanRafail Ostrovsky Amit Sahai
The End
Questions?