
Zero Knowledge Proofs


Presentation Transcript


  1. Zero Knowledge Proofs

  2. Interactive proof • An Interactive Proof System for a language L is a two-party game between a verifier and a prover that interact on a common input in a way satisfying the following properties:

  3. Interactive proof • The verifier’s strategy is a probabilistic polynomial-time procedure. • Correctness requirements: • Completeness: There exists a prover strategy P such that for every $x \in L$, when interacting on a common input x, the prover P convinces the verifier with probability at least 2/3. • Soundness: For every $x \notin L$, when interacting on the common input x, any prover strategy P* convinces the verifier with probability at most 1/3.

  4. Zero Knowledge Proof • Let (P,V) be an interactive proof system for some language L. We say that (P,V), actually P, is zero-knowledge if for every probabilistic polynomial-time ITM V* there exists a probabilistic polynomial-time machine M* s.t. for every $x \in L$ holds • $\{\langle P,V^*\rangle(x)\}_{x \in L}$  $\{M^*(x)\}_{x \in L}$ • Machine M* is called the simulator for the interaction of V* with P.

  5. Perfect Zero Knowledge • Definition: • Let (P,V) be an interactive proof system for some language L. We say that (P,V), actually P, is perfect zero-knowledge (PZK) if for every probabilistic polynomial-time ITM V* there exists a probabilistic polynomial-time machine M* s.t. for every $x \in L$ the distributions $\{\langle P,V^*\rangle(x)\}_{x \in L}$ and $\{M^*(x)\}_{x \in L}$ are identical, i.e., $\{\langle P,V^*\rangle(x)\}_{x \in L} \equiv \{M^*(x)\}_{x \in L}$

  6. Statistical Zero Knowledge • Definition: Let (P,V) be an interactive proof system for some language L. We say that (P,V), actually P, is statistical zero knowledge (SZK) if for every probabilistic polynomial-time verifier V* there exists a probabilistic polynomial-time machine M* s.t. the ensembles $\{\langle P,V^*\rangle(x)\}_{x \in L}$ and $\{M^*(x)\}_{x \in L}$ are statistically close.

  7. Statistical Zero Knowledge • Definition-cont.: • The distribution ensembles $\{A_x\}_{x \in L}$ and $\{B_x\}_{x \in L}$ are statistically close or have negligible variation distance if for every polynomial p(•) there exists an integer N such that for every $x \in L$ with $|x| \ge N$ holds: $|\Pr[A_x = \ ] - \Pr[B_x = \ ]| \le p(|x|)^{-1}$

  8. Computational Zero Knowledge • Definition: Let (P,V) be an interactive proof system for some language L. (P,V), actually P, is computational zero knowledge (CZK) if for every probabilistic polynomial-time verifier V* there exists a probabilistic polynomial-time machine M* s.t. the ensembles $\{\langle P,V^*\rangle(x)\}_{x \in L}$ and $\{M^*(x)\}_{x \in L}$ are computationally indistinguishable.

  9. Computational Zero Knowledge • Definition: • Two ensembles $\{A_x\}_{x \in L}$ and $\{B_x\}_{x \in L}$ are computationally indistinguishable if for every probabilistic polynomial-time distinguisher D and for every polynomial p(•) there exists an integer N such that for every $x \in L$ with $|x| \ge N$ holds • $|\Pr[D(x,A_x) = 1] - \Pr[D(x,B_x) = 1]| \le p(|x|)^{-1}$

  10. Graph Isomorphism problem • Definition • Graph Isomorphism: two graphs G0=(V0,E0) and G1=(V1,E1) are isomorphic   permutation  • s.t. •  (u,v) E0( (u), (v))  E1 • If G0 and G1 are isomorphic and  is an isomorphism between G0 and G1, we write G1 = (G0).

  11. Graph Isomorphism problem • Graph Isomorphism problem: given two graphs G1 and G2, are they isomorphic? • Lemma: GI $\in$ ZK • Proof: Zero Knowledge Interactive Proof for GI.

  12. Zero Knowledge Interactive proof for Graph Isomorphism • 1. Repeat the following n times: • 2. The prover chooses a random permutation  of (1…n), computes H=(G1) and sends it to the verifier. • 3. The verifier randomly chooses i=1 or 2 and sends it to the prover.

  13. Zero Knowledge Interactive proof for Graph Isomorphism-cont. • 4. The prover chooses permutation  s.t. H = (Gi). • If i=1 the prover sends  to the verifier; otherwise the prover sends  -1 ( is the isomorphism between G1 and G2). • 5. The verifier checks if H is the image of Gi under . • 6. The verifier accepts if H is the image of Gi in all n rounds.

  14. Zero Knowledge Interactive proof for Graph Isomorphism-cont. • Prover → Verifier: H= (G1) • Verifier → Prover: i=1,2, chosen at random • Prover → Verifier:  or  -1 • Verifier: checks if H is the image of Gi

  15. Building simulator M* for graph isomorphism problem • We will define simulator M* as follows: • Input: $(G_0, G_1) \in$ ISO • 1. Chooses a random string RANDOM and puts it on the random tape of verifier V*. • 2. Randomly chooses $a \in \{0,1\}$ and a permutation , constructs H= (Ga) and sends H to V*.

  16. Building simulator M* for graph isomorphism problem • 3. Receives b from V*. • If $b \notin \{0,1\}$ then outputs {RANDOM,H,b} and STOP. • If a = b then outputs {RANDOM,H,b, } and STOP; else GOTO 1.
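
The protocol of slides 12-14 next to the simulator of slides 15-16, as an added Python example that is not part of the original slides. The transcript has lost the permutation symbols, so the names `pi` (the prover's random permutation) and `phi` (the secret isomorphism, taken here as G2 = phi(G1)) are assumptions, as is the constructed 5-vertex graph; the simulator indexes the graphs 1 and 2 like the protocol slides rather than 0 and 1.

```python
import random

def apply(perm, graph):
    """Image of a graph (frozenset of 2-vertex frozensets) under perm."""
    return frozenset(frozenset(perm[v] for v in edge) for edge in graph)

def inverse(perm):
    inv = [0] * len(perm)
    for v, image in enumerate(perm):
        inv[image] = v
    return inv

def random_perm(n, rng):
    return rng.sample(range(n), n)

def prover_round(g1, phi, rng, challenge_fn):
    """Honest prover. phi (assumed name) is its secret, with G2 = phi(G1)."""
    pi = random_perm(len(phi), rng)
    h = apply(pi, g1)                    # prover -> verifier: H
    i = challenge_fn(h)                  # verifier -> prover: 1 or 2
    # H = pi(G1) = pi(phi^-1(G2)), so the map from G2 onto H is pi after phi^-1.
    reply = pi if i == 1 else [pi[v] for v in inverse(phi)]
    return h, i, reply

def verifier_accepts(g1, g2, h, i, reply):
    return apply(reply, g1 if i == 1 else g2) == h

def simulator_round(g1, g2, n, rng, challenge_fn):
    """Simulator M*: has no phi; guesses a and restarts when V* asks b != a."""
    while True:
        a = rng.choice((1, 2))
        perm = random_perm(n, rng)
        h = apply(perm, g1 if a == 1 else g2)
        b = challenge_fn(h)              # a cheating V* may derive b from H
        if b not in (1, 2):
            return h, b, None            # malformed challenge: output and stop
        if a == b:
            return h, b, perm

def demo(rounds=30, seed=7):
    """True if every real and every simulated round passes the verifier's check."""
    rng = random.Random(seed)
    g1 = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3), (3, 4), (0, 2)])
    phi = [3, 0, 4, 1, 2]                # constructed secret isomorphism
    g2 = apply(phi, g1)
    ask = lambda h: 1 if frozenset((0, 1)) in h else 2   # challenge depends on H
    real = [prover_round(g1, phi, rng, ask) for _ in range(rounds)]
    fake = [simulator_round(g1, g2, 5, rng, ask) for _ in range(rounds)]
    return all(verifier_accepts(g1, g2, *t) for t in real + fake)
```

The simulator's guess matches the challenge with probability 1/2 per attempt because H has the same distribution whether it was built from G1 or G2, so the expected number of restarts per round is constant.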

  17. Zero-Knowledge Password Proofs • 1. The prover finds two large prime numbers p and q and sends n=pq to the verifier. • 2. r is a random number in $[n, n^4]$. The prover sends $x^2 \bmod n$ and $r^2 \bmod n$ to the verifier. • 3. The verifier then randomly asks for r or xr and checks the prover.

  18. Zero-Knowledge Password Proofs • Prover → Verifier: n=pq • Prover → Verifier: $x^2 \bmod n$, $r^2 \bmod n$ • Verifier → Prover: asks for xr or r • Prover → Verifier: xr or r • Verifier: checks the prover
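
The three steps of slides 17-18 in Python, as an added example that is not part of the original slides. The slides do not spell out the verifier's check; the one used here (the square of the reply must equal $r^2$, or $x^2 \cdot r^2$ when xr was requested, mod n) is an assumption, and the primes and secret are constructed toy values.

```python
import secrets

def commit(x, n):
    """Prover's first message: X = x^2 mod n and R = r^2 mod n for a fresh r."""
    r = n + secrets.randbelow(n**4 - n + 1)     # r drawn from [n, n^4] as on the slide
    return r, pow(x, 2, n), pow(r, 2, n)

def respond(x, r, n, ask_xr):
    """Prover's reply to the challenge: xr mod n or r mod n."""
    return (x * r) % n if ask_xr else r % n

def check(n, X, R, ask_xr, reply):
    """Assumed verifier check: reply^2 must equal X*R (asked xr) or R (asked r)."""
    return pow(reply, 2, n) == ((X * R) % n if ask_xr else R)

def honest_run(x, n, rounds=20):
    """Repeat the exchange; the verifier accepts only if every round passes."""
    for _ in range(rounds):
        r, X, R = commit(x, n)
        ask_xr = secrets.randbelow(2) == 1
        if not check(n, X, R, ask_xr, respond(x, r, n, ask_xr)):
            return False
    return True

def prover_without_x(X, n, prepared_for_xr, ask_xr):
    """A prover that lacks x can fit R to one challenge only, chosen in advance."""
    t = 1 + secrets.randbelow(n - 1)
    R = pow(t, 2, n)
    if prepared_for_xr:
        R = (R * pow(X, -1, n)) % n             # makes t^2 = X*R without knowing x
    return check(n, X, R, ask_xr, t)

# Constructed toy parameters; a real modulus is thousands of bits long.
P, Q = 1009, 1013
N = P * Q
SECRET_X = 123456
```

A prover that does not know x passes a round only when it guessed the challenge, so k independent rounds leave it a $2^{-k}$ chance of being accepted.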

  19. NP and Zero Knowledge proofs • Lemma: NP $\subseteq$ ZK • Proof: 3col $\in$ ZK.

  20. Zero Knowledge proof for 3col problem • 1. The prover randomly chooses a permutation . Computes (c(v)), puts the results in envelopes and sends them to the verifier. • 2. The verifier randomly chooses $(u,v) \in E$ and opens the envelope. • If the colors are different and legal he answers “yes”.

  21. Zero Knowledge proof for 3col problem Prover Verifier permutation . (c(v)) Chooses (u,v) E envelope Checks that colors are different

  22. ZK protocol for Co-SAT • Transform the CNF to a polynomial by these transformation rules: • 1. T $\to$ positive value • 2. F $\to$ 0 • 3. $X_i \to X_i$ • 3. $\neg X_i \to (1 - X_i)$ • 4. OR $\to$ + • 5. AND $\to$ $\cdot$

  23. ZK protocol for Co-SAT • The protocol: • 1. The prover selects a prime number $q > 2^n \cdot 3^m$ and sends it to the verifier. • 2. The verifier checks that q is prime. If q isn’t prime, it halts and rejects.

  24. ZK protocol for Co-SAT • 3. $v_0$ is initialized to zero. The prover does the following for i=1…n. The prover computes a polynomial $P_i$ whose degree is at most m. • The construction of $P_i$: • $P_1(x) = \sum_{x_2=0,1} \cdots \sum_{x_n=0,1} p(x, x_2, \ldots, x_n)$ • $P_2(x) = \sum_{x_3=0,1} \cdots \sum_{x_n=0,1} p(r_1, x, x_3, \ldots, x_n)$ • $P_n(x) = p(r_1, \ldots, r_{n-1}, x)$ • The prover puts the polynomial $P_i$ in envelopes and sends it to the verifier.

  25. ZK protocol for Co-SAT • 4. The prover moves to the next stage (i=i+1). • 5. We know that the verifier will accept if  r1… ri … rn s.t. $P_i(0) + P_i(1) = v_{i-1} \bmod q$. • Since checking each assignment is polynomial this problem is in NP. • We can now do a reduction from any NP problem to 3col $\in$ ZK.
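
The arithmetization rules of slide 22 and the round check $P_i(0) + P_i(1) = v_{i-1} \bmod q$ of slides 24-25, run with an honest prover, as an added Python example that is not part of the original slides. The slides do not say how $r_i$ and $v_i$ are obtained or how the last round ends; the example assumes the verifier draws $r_i$ at random, sets $v_i = P_i(r_i)$ and finally compares $v_n$ with $p(r_1, \ldots, r_n)$, and it leaves out the envelopes. The two formulas and the prime are constructed.

```python
import random
from itertools import product

def p_eval(cnf, xs, q):
    """Arithmetized CNF at xs: x_k for literal k, 1 - x_k for -k, OR -> +, AND -> *."""
    value = 1
    for clause in cnf:
        s = sum(xs[k - 1] if k > 0 else 1 - xs[-k - 1] for k in clause)
        value = value * s % q
    return value

def round_poly(cnf, n, q, rs):
    """Prover: P_i at t = 0..m, summing p(r_1..r_{i-1}, t, x_{i+1}..x_n) over all bits."""
    free = n - len(rs) - 1
    return [sum(p_eval(cnf, rs + [t] + list(bits), q)
                for bits in product((0, 1), repeat=free)) % q
            for t in range(len(cnf) + 1)]

def value_at(ys, r, q):
    """Lagrange interpolation mod q of the polynomial with P(t) = ys[t], t = 0..m."""
    total = 0
    for j, yj in enumerate(ys):
        num = den = 1
        for k in range(len(ys)):
            if k != j:
                num = num * (r - k) % q
                den = den * (j - k) % q
        total = (total + yj * num * pow(den, -1, q)) % q
    return total

def verifier_accepts(cnf, n, q, rng):
    """Claim checked: the sum of p over {0,1}^n is 0, i.e. the CNF is unsatisfiable."""
    v, rs = 0, []                              # v_0 = 0
    for _ in range(n):
        ys = round_poly(cnf, n, q, rs)
        if (ys[0] + ys[1]) % q != v:           # P_i(0) + P_i(1) = v_{i-1} mod q
            return False
        r = rng.randrange(q)                   # assumed: verifier's random r_i
        v = value_at(ys, r, q)                 # assumed: v_i = P_i(r_i)
        rs.append(r)
    return v == p_eval(cnf, rs, q)             # assumed final check against p itself

# Constructed formulas over x1, x2 (signed-integer literals); 331 is prime, > 2^2 * 3^4.
UNSAT = [[1, 2], [-1, 2], [1, -2], [-1, -2]]
SAT = [[1, 2], [-1, 2], [1, -2], [1]]
Q = 331
ACCEPTS_UNSAT = verifier_accepts(UNSAT, 2, Q, random.Random(0))
```

For the satisfiable formula the first round already fails, because the sum over all assignments is a positive number below q and so cannot equal $v_0 = 0$; this is what the bound $q > 2^n \cdot 3^m$ guarantees.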

  26. ZK protocol for Graph non isomorphism • Definition • Graph non Isomorphism: given two graphs G0=(V0,E0) and G1=(V1,E1), • $(G_0,G_1) \in$ GNI $\iff$ • there is no permutation  • s.t. •  (u,v) E0( (u), (v))  E1

  27. ZK protocol for Graph non isomorphism • 1. The verifier randomly chooses a number $i \in \{0,1\}$. The verifier chooses a random permutation  and computes H =  (Gi). Then the verifier randomly chooses $j \in \{0,1\}$. The verifier creates the pair of graphs (H0, H1) such that: • if j=0: • H0 is a permutation of G0 • H1 is a permutation of G1

  28. ZK protocol for Graph non isomorphism • if j=1: • H0 is a permutation of G1 • H1 is a permutation of G0 • The verifier sends H and the pair (H0, H1).

  29. ZK protocol for Graph non isomorphism • 2. The prover randomly chooses $b \in \{0,1\}$ and sends b to the verifier. • If b=0 then the verifier sends the prover the isomorphism between (G0, G1) and (H0, H1). • If b=1 the verifier sends the prover the isomorphism between H and (H0, H1).

  30. ZK protocol for Graph non isomorphism • 3. The prover checks that the right isomorphism was sent; otherwise it stops. The prover computes b such that Gb is isomorphic to H and sends b to V. If there is no such b, the prover sends a random b. • 4. The verifier accepts if j=b.

  31. ZK protocol for Graph non isomorphism Prover Verifier 1. i (0,1) 2.H =  (Gi) 3. H and the pair (H0, H1) 1.Isomorphism between (G0, G1) and (H0, H1). OR 2.Isomorphism between (H0, H1) and H. Check isomorphism computes b checks that j=b

  32. ZK protocol for Graph non isomorphism • Lemma: GNI $\in$ PZK • Proof: building M* • s.t. $\{\langle P,V^*\rangle(x)\}_{x \in L} \equiv \{M^*(x)\}_{x \in L}$ • 1. The machine M* takes a random string of bits and puts it on the random tape.

  33. ZK protocol for Graph non isomorphism • Mv* does the following n times: • 2. Mv* waits to get H and the pair (H0, H1) from V*. • 3. Mv* chooses a random b. • 4. Mv* gets from V* the isomorphism between H and (H0, H1) and (G0, G1). If it is not the right isomorphism, Mv* stops.

  34. ZK protocol for Graph non isomorphism • Otherwise: 1. Returns V* to the point after H and (H0, H1) were received. • 2. Chooses b’ again and sends it to V*. • 3. Waits to get I’ from V*. • I’ is the isomorphism received from V*.

  35. ZK protocol for Graph non isomorphism • If $b' \ne b$ then Mv* finds the isomorphisms from I and I’, from G0, G1 to (H0, H1) and from (H0, H1) to H. The machine uses this information to find the isomorphism from H to G0, G1. • 4. The machine Mv* uses this information to compute V* and sends it to V*.
