Zero-Knowledge%20Proof%20System

1
Zero-Knowledge Proof System
Slides by Ouzy Hadad , Yair Gazelle Gil
Ben-Artzi Adapted from Ely Porat course lecture
notes.
2
Background and Motivation

• The purpose of a traditional proof is to convince
  somebody, but typically the details of a proof
  give the verifier more info about the assertion.
• A proof is a zero-knowledge if the verifier does
  not get from it anything that he can not compute
  by himself.

3
Background and Motivation (cont.)

• Whatever can be efficiently obtained by
  interacting with a prover, could also be computed
  without interaction, just by assuming that the
  assertion is true and conducting some efficient
  computation.

4
Zero Knowledge (Definition)

• Let (P,V) be an interactive proof system for some
  language L. We say that (P,V), actually P, is
  zero-knowledge if for every probabilistic
  polynomial-time verifier V, there exists a
  probabilistic polynomial-time machine M s.t. for
  every x?L holds
• Machine M is called the simulator for the
  interaction of V with P.

5
Perfect Zero Knowledge (Definition)

• Let (P,V) be an interactive proof system for some
  language L. We say that (P,V), actually P, is
  perfect zero-knowledge (PZK) if for every
  probabilistic polynomial time verifier V, there
  exists a probabilistic polynomial-time machine M
  s.t. for every x?L the distributions
  ltP,Vgt(x)x?L and M(x)x?L are identical,
  i.e.,

6
Statistically close distributions (Definition)

• The distribution ensembles Axx?L and Bxx?L
  are
• statistically close or have negligible variation
• distance if for every polynomial p() there exits
• integer N such that for every x?L with
• holds

7
Statistical zero-knowledge (Definition)

• Let (P,V) be an interactive proof system for some
  language L. We say that (P,V), actually P, is
  statistical zero knowledge (SZK) if for every
  probabilistic polynomial time verifier V there
  exists a probabilistic polynomial-time machine M
  s.t. the ensembles ltP,Vgt(x)x?L and M(x)x?L
  are statistically close.

8
Computationally indistinguishable (Definition)

• Two ensembles Axx?L and Bxx?L are
• computationally indistinguishable if for every
• probabilistic polynomial time distinguisher D and
• for every polynomial p() there exists an integer
• N such that for every x?L with x ? N holds

9
Computational zero-knowledge (Definition)

• Let (P,V) be an interactive proof system for some
  language L. (P,V), actually P, is computational
  zero knowledge (CZK) if for every probabilistic
  polynomial-time verifier V there exists a
  probabilistic polynomial-time machine M s.t. the
  ensembles ltP,Vgt(x)x?L and M(x)x?L are
  computationally indistinguishable.

10
PZK by view

• The pair ltP,Vgt is PZK by view if for every p.p.t
  V... (probability polynomial time machine) there
  exist p.p.t M such that for every x?L we have
  view(P,V)(x)M(x) where view(P,V)(x) is the
  view of V after running ltP,Vgt on the input x,
  and M(x) is the output of M on the input x.

11
IP is PZK iff PZK by view

• Lemma An interactive proof system is perfect
• zero-knowledge iff it is perfect zero knowledge
• by view.
• Proof
• Let M satisfy viewltP,Vgt(x)x?L ? M(x)x?L
• for every x?L. M has on its work-tape the
• final view of V. Hence, it is able to perform
• the last step of V and output the result. And
• so the modified M(x) is identical to ltP,Vgt(x).

12
Proof of lemma (cont.)

• Let M satisfy ltP,Vgt(x)x?L ? M(x)x?L .
• For a particular V, let us consider a verifier
• V that behaves exactly like V, but outputs
• its whole view (at the end). There is a machine
• M s.t.

13
Graph-Isomorphism

• A pair of two graphs,
• Where
• Lets ? be an isomorphism between the input
  graphs, namely ? is 1-1 and onto mapping of the
  vertex set V1 to the vertex set V2 so that

14
ZK proof for Graph Isomorphism

• Provers first step(P1) Select random
  permutation ? over V1, construct the set
  , and
  send to the
  verifier.
• Verifiers first step gets H from
  P.
• select and send it to P.
• P is supposed to answer with an isomorphism
• between and .

15
ZK proof for Graph Isomorphism(cont.)

• (P2) If ?1, then send ? ? to V.
• Otherwise send ? ? ? ?-1 to V.
• (V2) If ? is an isomorphism between G?
• and H then V output 1, otherwise it
• outputs 0.

16
Construction (diagram)
Prover
Verifier
?Random Permotation H ? ?G1
??R1,2
H
If ?1, send ? ? otherwise ? ? ? ?-1
?
Accept iff H ?(G?)
?
17
An example
Common input two graphs G1 and G2.
?
Only P knows ?.
18
An example (cont.)
?
? ? ? ?-1
V sends ?2 to P.
3
2
4
G2
2
5
5
4
1
G1
1
5
3
H
2
1
3
4
P sends H to V.
V gets ? and accepts.
Only P knows ?.
19
Theorem Graph isomorphism is in Zero-Knowledge

• Theorem 1
• The construction above is a
• perfect zero-knowledge
• interactive proof system
• (with respect to statistical closeness).

20
Proof of Theorem 1

• Completeness
• If G1 ? G2 , V always accepts.
• First, G?(G1).
• If ?1 then ? ? , Hence
• ?(G?) ? (G1) ?(G1) G .
• If ?2 then ? ? ? ?-1, Hence
• ?(G?) ? ? ?-1(G2) ? (G1) G .
• And hence V always accepts when G1 ? G2 .

21
Proof of Theorem 1 (cont.)

• Soundness
• Let P be any prover.
• If it sends to V a graph not isomorphic neither
  to G1 nor to G2, then there is no isomorphism
  between G? and G. If G ? G1 then P can
  convince V with probability at most 1/2 (V
  selects ??1,2 uniformly).
• Hence when G1 and G2 are non-isomorphic
• If we will run this several times we will get the
  desire probability.

22
Zero Knowledge(Construction of a simulator)

• Let V be any polynomial-time verifier, and let
  q() be a polynomial bounding the running time of
  V.
• M selects a string

01100011
r
23
Construction of a Simulator (cont.)

• M selects ??R1,2.
• M selects a random permutation over V?.
• M constructs G? (G?).

?
4
2
5
G2
5
1
1
G
3
2
3
4
24
Construction of a Simulator (cont.)

• M runs V with the latters strings set as
  follows
• Denote ? as Vs output.

Input Tape
Random Tape
x
r
G
Message Tape

• M halts with output (x,r,G,?).

25
Proof of Theorem 1 (cont.)

• Zero-knowledge
• Construct a simulator M as follows
• Let q() be a polynomial bounding the running
  time of V. M selects a string r?R0,1q(x) as
  the contents of the random tape of V.
• Simulating (P1) M randomly selects a bit
  ??1,2 and a permutation ? (on the set V?). Then
  constructs G? (G?).

26
Construction of M (cont.)

• Simulating (V1) M puts x on Vs common
  input-tape, puts r on Vs random-tape and puts
  G on Vs incoming messages-tape.After
  executing V (in a polynomial number of steps),
  M reads the outgoing message of V, denote ?.
  (assume ??1,2, otherwise P may ignore ? and
  wait for a valid one).
• Simulating (P2) if ?? then M halts with output
  (x,r,G,?). Otherwise (failure of the
  simulation), M halts with ?.

27
Proof of Theorem 1 (cont.)

• Definition
• Let (P,V) be an interactive proof system for L.
• (P,V) is perfect zero-knowledge by view if
• for every probabilistic polynomial-time
• verifier V there exists a probabilistic
• polynomial time machine M s.t. for every
• x?L holds viewltP,Vgt(x)x?L ? M(x)x?L
  
• where viewltP,Vgt(x) is the final view of V after
• running ltP,Vgt on input x.

view all the data a machine possesses
28
Proof of Theorem 1 (cont.)

• Lemma
  Then for every string r,
  graph H and permutation ?, it holds that
• Pr viewltP,Vgt(x) (x,r,H,?)
• Pr M(x) (x,r,H,?) M(x) ? ?
• Proof
• Let m describe M conditioned on its not being
  ?.
• Define the 2 random variables
• 1.v(x,r) - the last 2 elements of
  view(P,V)(x)
• conditioned on the second element equals r.
• 2. ?(x,r) - the same with m(x).

29
Proof of lemma (cont.)

• Let V (x,r,H) denote the message sent by V
• for a fixed r and an incoming message H.
• We will show that v(x,r) and ?(x,r) are
• uniformly distributed over the set
• While running the simulator we have H?(G?),
• and only the pairs satisfying ?v(x,r,H) lead to
• an output. Hence

30
Proof of lemma (cont.)

• Consider v(x,r)
• For each H (which is isomorphic to G1)
• Observing that
• and hence the lemma follows.

31
Proof of Theorem 1 (cont.)

• Corollary viewltP,Vgt(x) and M(x) are
• statistically close.
• Proof
• A failure is output with probability
• If the simulator returns steps P1-P2 of the
• construction x times and at least once at step
• P2 ??, then output (x,r,G,?). If in all x
• trials ??? , then output rubbish.
• Hence, we got a statistical difference of
• and so the corollary follows.

32
Zero-Knowledge for NP

• NP Problem A language L belongs to NP if
• and only if there exist a two-input
• polynomial-time algorithm A and constant C
• such that
• there exist a certificate y with
• We say that algorithm A verifies language L
• in polynomial time.

33
IP for NP

• Lets L language belong to NP, and x ?L ,
  P should prove V that he know the solution
  for x.
• (P1) P guess the solution y for the problem x.
• (V1) V verify in polynomial time that A(x,y)1.
• We will give ZK interactive proof system for NP
  complete problem (G3C), which implies that for
  every NP problem, we have ZK proof.

34
G3C
1
1

• Common Input A graph

2
2

• P can paint the graph in 3 colors.

3
4
3
4

• P must keep the coloring a secret.

5
5
35
G3C is in Zero-Knowledge
Construction (ZK IP for G3C)
1
1

• P chooses a random color permutation.

2
2
3
4
3
4

• He puts all the nodes inside envelopes.

5
5

• And sends them to the verifier.

36
G3C is in ZK (cont.)

• Verifier receives a 3-colored graph, but colors
  are hidden.

• He chooses an edge at random.

• And asks the prover to open the 2 envelopes.

37
G3C is in ZK (cont.)

• Prover opens the envelopes, revealing the colors.

1
2

• Verifier accepts if the colors are different.

3
4
5
38
Formally,

• G (V,E) is 3-colorable if there exists a
  mapping
• for every .
• Let ? be a 3-coloring of G, and let ? be a
  permutation over 1,2,3 chosen randomly.
• Define a random 3-coloring.
• Put each ?(v) in a box with v marked on it.
• Send all the boxes to the verifier.

39
Formally, (cont.)

• Verifier selects an edge at random
  asking to inspect the colors.
• Prover sends the keys to boxes u and v.
• Verifier uses the keys to open the boxes.
• If he finds 2 different colors from 1,2,3 -
  Accept.
• Otherwise - Reject.

40
G3C (diagram)
1
2
n
?(1)
?(n)
?(2)
P
V
P
V
41
The construction is in ZK

• CompletenessIf G is 3-colorable and both P and
  V follow the rules, V will accept.
• SoundnessSuppose G is not 3-colorable and P
  tries to cheat. Then at least one edge (u,v) will
  be colored badly ? (u) ? (v).V will pick a
  bad edge with probability which can be
  increased to by repeating the protocol
  sufficiently many times.

42
Zero Knowledge(Construction of a simulator)

• Let V be any polynomial-time verifier, and let
  q() be a polynomial bounding the running time of
  V.
• M selects a string

43
Construction of a Simulator (cont.)

• M selects e(u,v) ?R E.
• M sends to V boxes filled with garbage, except
  for the boxes of u and v, colored as follows

c
d
C ?R 1,2,3
d ?R 1,2,3\c
u
v

• If V picks (u,v), M sends V their keys and
  the simulation is completed.

• Otherwise, the simulation fails.

44
Analysis of the Simulation

• For every G?G3C, the distribution of
• m(ltGgt) M(ltGgt) (M(ltGgt) ? ?) is
• identical to ltP,Vgt(ltGgt).
• Since V cant tell e from other edges by
• looking at the boxes, he picks e with
• probability 1/E, which can be increased
• to a constant by repeating M sufficiently
• many times.
• So if the boxes are perfectly sealed,
• G3C?PZK. ?

45
ZK for Finding square modulo n

• Input x2 modulo n .
• output x modulo n.
• The prover need to prove that he know the output.

46
ZK for Finding square modulo n (cont.)

• (P1) P find two large prime number p,q,
• where npq. He also choose randomly
• r ?n, n4.
• P send n, x2 mod n and r2 mod n to V.
• (V1) V has two possibilities
• (a) Ask r. check the value of r2 mod n.
• (b) Ask for x r. check the value of x2 r2 mod n

47
Analysis of the Protocol - square modulo n

• Soundness If P does not know x, then in
• probability of 50 V will catch him, if we
• will run this several times we will get the V
• will reject in probability larger then 2/3.
• Completeness If P know x, V always accept.

48
Analysis of the Protocol - square modulo n (cont.)

• This protocol is computational ZK.
• The Protocol give the value x2 mod n but the
  verifier can't calculate x from it .
• If the verifier ask option 1 from the prover, he
  get no additional info.
• If the verifier ask option 2 from the prover, he
  get xr which is random.

49
CO-NP ? ZK

• In order to prove the above its enough to show
  that CO-NP complete problem is in IP
• We will show that CO-SAT belongs to IP.
• Than we can show that CO-SAT belongs to ZK.
• Reminder CO-SAT means that there are no truth
  assignment for an equation.
• We can treat it as a specific case of proving
  that for an equation there are exactly K truth
  assignments (In this case , K0)

50
CO-SAT ? IP

• Lemma
• 1. ?(x1,x2,x3,,Xn) has exactly Kn truth
  assignments ? ? k0,k1 Knk0k1
• 2. ?(0,x2,x3,Xn) ?0(x2,x3,Xn) has exactly k0
  truth assignments
• 3. ?(1,x2,x3,Xn) ?1(x2,x3,Xn) has exactly k1
  truth assignments
• Informal explanation
• By setting a variable in the original equations
  we create a new equation with a special relation
  to the original one.
• Each new equation must have a specific number of
  assignments which can be pre-calculate.

51
CO-SAT ? IP

• We can now construct a solution based upon the
  previous lemma
• Prover will send verifier k0,k1 for ?(n)
• Verifier will check that for ?(n-1) , condition 1
  of lemma is true ( Knk0k1)
• Verifier will create randomly a new equation
  ?(n1), by assigning 1 or 0 to the first variable
  of ?n
• If we assign 1 , the number of solutions should
  be K0 , otherwise k0
• Verifier will send to prover the new equation

52
CO-SAT ? IP

• Now prover will send the new k0n,k1n for the new
  ?(n1)
• Verifier remember previous k1 and can check if
  k1k0nk1n , so the prover cannot cheat him
• Each stage we reduced one variable from equation
  by assign a value to it
• Now lets prove completeness soundness

53
CO-SAT ? IP

• Completeness
• If prover does not cheat , each new equation will
  have the appropriate relation to the previous one
  and verifier will be convinced
• Soundness
• If prover cheat i.e. send k0 as a false one, the
  new equation should be based upon assignment of 0
  to first element in order to see it (remember
  that we check only one of k0/k1 its deepened
  on the assignment). We have a probability of ½ to
  do this , and we should always peek the right
  assignment down the road. Total probability (in
  the worst case) is (½)n
• Huston, we have a problem ! ( no soundness )

54
CO-SAT ? IP, Solution 2

• We will expand the range variables of ? to a
  field (F) such that F gt (2)n
• Each variable can get now not just 0 or 1 but a
  value from the field
• We will construct a new equation ?
• F?0 , T? positive integer
• ? , ? ?
• (p)?p , (p) ?1-p
• (pq)?p?q , (p?q)? ((p q))

55
CO-SAT ?IP, Solution 2

• We got now ? that is a polynomial of (x1,,Xn)
  over field F.
• Prover should now prove that
• Note that
• 1. Number of root for p1(0)p1(1) p0(?).
• 2. Polynomials have the same number of roots for
  ? ? p1(?)-p2(?) 0

56
CO-SAT ? IP, Solution 2

• Prover will send the polynom P1, and the number
  of roots (K) for this polynom
• Verifier will check that Kp1(0)p1(1), choose a
  random value ??F and send it to prover
• Prover will now construct a new polynom P2
  P1(?), calculate the number of roots for the new
  one and send it to verfier
• This process continue until all variable has been
  assign (2n iterations)

57
CO-SAT ? IP, Solution 2

• Completeness is clear.
• Soundness
• In order to lie , the prover should send the
  verifier a false polynom. This polynom should
  have the same roots as the correct one. Since we
  have a field of elements ,The probability for
  this is n/F. The probability not found this is
  (1-n/F) gt 2/3
• We proved that CO-NP is in IP

58
CO-NP ? ZK

• Its enough to show that CO-SAT is in ZK
• The problem in the previous solution is that the
  verifier can see each stage the solution of the
  previous.
• He can use it to get some other information from
  prover

59
CO-SAT ? ZK

• The prover can now send the polynom in an
  envelops , just like in G3C
• The verifier should now check that the prover has
  not mislead him
• We have got now a new problem How can we open
  the envelops without gaining any information from
  the prover

60
CO-SAT ? ZK

• The problem of opening an envelops is in NP ,
  since the oracle can guess the keys and we can
  verify in a polynomial time that indeed we have
  the appropriate keys
• Since NP ? ZK , we can now make a reduction and
  solve the above problem
• CO-SAT ? ZK ? CO-NP ? ZK !