Practical Zero Knowledge Proofs Applied To Proving Correctness Of Stable Matching Problems. Michael O. Rabin Harvard University Hebrew University. Algorithmic Game Theory Hebrew University May 23, 2011. Motivation, Applications New Zero Knowledge Proofs Next Steps.


Practical Zero Knowledge Proofs Applied To Proving Correctness Of Stable Matching Problems

Michael O. Rabin

Harvard University

Hebrew University

Algorithmic Game Theory

Hebrew University

May 23, 2011



  • Motivation, Applications

  • New Zero Knowledge Proofs

  • Next Steps



Stable Matchings – Hospitals/Residents



Hospitals/Residents - Continued

  • Every Resident Ranks Hospitals:

Etc…



Stable Matching

  • No Pair Hospital-Resident So That:

    The Hospital Prefers the Resident Over Its Assigned Resident, And the Resident Prefers the Hospital Over His Assigned Hospital.



Stable Matching – The Data

  • Resident i: H_1 …………. H_L, with rankings x^(i)_1 …………. x^(i)_L

  • Hospital j: R_1 …………. R_M, with rankings y^(j)_1 …………. y^(j)_M

  • Administrator Gets Data, Computes Stable Matching. Informs Hospitals/Residents.



Secrecy And Correctness

  • Hospitals Do Not Want Residents To Know Their Rankings.

  • Residents Want Their Hospital Rankings Kept Secret.

  • Everybody Wants Assurance Of Correctness Of Announced Matchings.

  • Challenge: Proving Statements Such As:

    x^(i)_s < x^(i)_t ,   y^(j)_m < y^(j)_n

    While Keeping Values Secret.



Existing Technologies

  • Varieties of Zero-Knowledge Proofs and Arguments:

  • Proving x ∈ L – an NP language

  • Proving circuit satisfiability (at the bit level)

  • Using homomorphic encryption to prove statements about encrypted values

  • The method of obfuscated circuits (A. Yao)

  • Multiparty computations, hiding inputs, intermediate results



Our Approach

We work directly with numbers x, y, z ∈ Fp, p prime, say p ~ 2^64. No need to go down to the bit/gate level or work with heavy homomorphic encryptions.

A wide range of computations and ZK Proofs of their correctness is encompassed within the formulation of Generalized Straight-Line Computations in Fp and verification of correctness of results of such computations.



Generalized Straight-Line Computations

Let x_1, …, x_n be inputs from P_1, …, P_n.

An Evaluator Prover (EP) conducts a generalized straight-line computation (GSLC) producing outputs x_L, x_{L+1}, etc.:

x_1, x_2, …, x_n, x_{n+1}, …, x_L = f_L(x_1,…,x_n), x_{L+1} = f_{L+1}(x_1,…,x_n), etc. (1)

For all m > n, ∃ i, j < m such that x_m = x_i + x_j (mod p), or x_m = x_i × x_j (mod p), or x_m = (x_i <= x_j). More general computations are treatable.



Posting And Proving Correctness of Results

  • The Evaluator Prover (EP) posts the results (outputs): x_L = f_L(x_1,…,x_n), x_{L+1} = f_{L+1}(x_1,…,x_n), etc.

  • The EP posts a ZK Proof of the correctness of the results

  • The proof of correctness is checked by a Verifier VER interacting with the EP



Flow of Proof/Verification

  • EP creates proof

  • Presents Proof to Verifier VER

  • VER challenges EP: C1, C2, …

  • EP responds to VER: R1, R2, …

  • VER checks correctness of responses



Our Magical Solution

Values x ∈ {0,1,..,p-1} = Zp, prime p ~ 2^64, +, × mod p

Random representations:

RR(x) = X = (u,v), val(X) = (u+v) mod p = x

u ←R {0,1,…,p-1}, v = (x-u) mod p

COM(X) = (COM(u),COM(v))

Evaluator Prover needs to ZKP statements such as

val(X) + val(Y) = val(Z), val(X) × val(Y) = val(Z),

val(X) <= val(Y)



Commitment To Values

G is a group, |G| = p.

g1 generator, g2 = g1^m, m = log_{g1}(g2)

Assume: Discrete Log Problem for G intractable

Given u ∈ Fp, r ←R [0,p-1]

Define: COM(u,r) = g1^r g2^u

COM is information theoretically hiding; computationally binding.

In practice, commitment is made using encryption E( , )

(say 128-bit key AES)

COM(u) = E(K, u)

Decommit/Open: reveal key K




Proof/Verification of Addition

X = (u1,v1), Y = (u2,v2), Z = (u3,v3)

Claim: val(X) + val(Y) = val(Z) (3)

Posted: (COM(ui), COM(vi)), 1 ≤ i ≤ 3

(3) True iff ∃ r ∈ Fp s.t. X + Y = Z + (r, -r)

EP reveals r

VER chooses c ←R {1,2}, sends to EP; say c=1

EP reveals u1, u2, u3 (or if c=2: v1, v2, v3)

VER checks u1 + u2 = u3 + r (or v1 + v2 = v3 - r)

Prob( (3) false and check succeeds ) ≤ 1/2



Illustration of the Method

  • Addition

    • p=17

    • x=7, y=7, x+y=z=14

    • X=(3,4), Y=(15,9), Z=(8,6)

    • CLAIM: val(X)+val(Y) = val(Z)

                          first coordinate   second coordinate
    X = (3,4)                    3                  4
    Y = (15,9)                  15                  9
    Z = (8,6)                    8                  6
    (r,-r) = (10,-10)           10                -10



Illustration of the Method

  • Addition

    • p=17

    • x=7, y=7, x+y=z=14

    • X=(3,4), Y=(15,9), Z=(8,6)

      Auc posts (10,-10). Verifier: c ←R {1,2}

    Challenge c=1: EP reveals the first coordinates X: 3, Y: 15, Z: 8 (the second coordinates 4, 9, 6 stay hidden).

    Check: 3 + 15 = 8 + 10 (mod 17)



Sequence of Additions

  • Let COM(X), COM(Y), COM(W), COM(U), COM(Z), etc be posted

  • EP claims VAL(X)+VAL(Y)=VAL(W), VAL(W)+VAL(U)=VAL(Z), etc

  • Correctness of sequence of additions can be simultaneously proved/verified as above.

  • If Challenge is c=1, all first coordinates are revealed by EP. If Challenge is c=2, all second coordinates are revealed.

  • Prob( check succeeds but even one addition false ) ≤ 1/2



Amplification of Confidence

  • EP posts k “Translations” of the proof of sequence of same additions

  • COM(X^(i)), COM(Y^(i)), COM(W^(i)), COM(U^(i)), COM(Z^(i)), etc. for 1 <= i <= k

  • where val(X^(1)) = … = val(X^(k))

  • val(Y^(1)) = … = val(Y^(k)) etc.

  • VER creates k independent Challenges

    • c_1, …, c_k ←R {1,2}

  • EP reveals all coordinates c_i in Translation i

  • Prob( all checks succeed while even one addition false ) ≤ 1/2^k
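The addition proof of the preceding slides (X + Y = Z + (r, -r), challenge c, one coordinate revealed), its p = 17 illustration and the k-translation amplification, as an added Python example that is not from the slides: secrets.randbelow stands in for u ←R {0,…,p-1}, and commitments are omitted because the verifier's check only uses the revealed coordinates and r.

```python
import secrets

P = 17  # constructed toy prime from the slides' illustration; a deployment uses p ~ 2^64

def rr(x, p=P):
    """Random representation RR(x) = X = (u, v): u uniform, v = (x - u) mod p."""
    u = secrets.randbelow(p)
    return (u, (x - u) % p)

def val(X, p=P):
    return (X[0] + X[1]) % p

def ep_addition_round(X, Y, Z, c, p=P):
    """EP side of one translation of the claim val(X) + val(Y) = val(Z).
    EP posts r with X + Y = Z + (r, -r) coordinate-wise (r is forced by the first
    coordinates, so even a cheating EP can satisfy that side), then answers the
    challenge by revealing only the first (c=1) or only the second (c=2) coordinates."""
    r = (X[0] + Y[0] - Z[0]) % p
    revealed = (X[0], Y[0], Z[0]) if c == 1 else (X[1], Y[1], Z[1])
    return r, revealed

def ver_addition_check(c, r, revealed, p=P):
    """VER side: c=1 checks u1 + u2 = u3 + r, c=2 checks v1 + v2 = v3 - r (mod p)."""
    a, b, z = revealed
    target = (z + r) % p if c == 1 else (z - r) % p
    return (a + b) % p == target

def k_translations_accept(x, y, z_claimed, challenges, p=P):
    """k translations, each with fresh representations of the same values and its own
    challenge c_i. VER accepts only if every translation checks out; a false claim
    survives one translation with probability 1/2, hence all k with probability 1/2^k."""
    for c in challenges:
        X, Y, Z = rr(x, p), rr(y, p), rr(z_claimed, p)
        r, revealed = ep_addition_round(X, Y, Z, c, p)
        if not ver_addition_check(c, r, revealed, p):
            return False
    return True

if __name__ == "__main__":
    # The slides' illustration: X=(3,4), Y=(15,9), Z=(8,6) over p = 17; EP posts r = 10.
    X, Y, Z = (3, 4), (15, 9), (8, 6)
    for c in (1, 2):
        r, revealed = ep_addition_round(X, Y, Z, c)
        print("c =", c, "r =", r, "revealed", revealed, "ok:", ver_addition_check(c, r, revealed))
```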



Proof/Verification of Multiplication

X = (u1,v1), Y = (u2,v2), Z = (u3,v3)

Claim: val(X) × val(Y) = val(Z) (4)

Posted: (COM(ui),COM(vi)), 1 ≤ i ≤ 3

EP creates Z(0) = (u1 × u2, v1 × v2), Z(1) = (u1 × v2 + r1, -r1), Z(2) = (u2 × v1 + r2, -r2) where r1, r2 ←R Fp

Clearly, (4) true iff val(Z) = val(Z(0)) + val(Z(1)) + val(Z(2))

EP posts COM(Z(0)), COM(Z(1)), COM(Z(2))

VER tests correctness of one of the constructions of Z(0), Z(1), Z(2)




Sequence of Additions & Multiplications

  • A Translation TR of a GSLC will include a number of additions and a number of multiplications

  • VER will randomly decide whether to check correctness of all additions or correctness of all multiplications

  • If checking correctness of multiplications VER will randomly choose which aspect (i.e. structure) of Z(0), Z(1), or Z(2) to check for correctness. Same aspect for all multiplications.



Amplification of Confidence

Main Theorem: if EP constructs and posts k Translations TR(1),…,TR(k) of a GSLC and if for every TR(i) VER randomly and independently chooses to check for correctness of additions with probability 1/2, correctness of all Z(1) with probability 1/4, and correctness of all Z(2) with probability 1/4, then

Prob( All checks correct and posted computation results incorrect ) < (3/4)^k

Comment: correctness of structure of all Z(0) is done together with correctness of additions.
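The multiplication decomposition Z(0), Z(1), Z(2) and the Main Theorem's mixed check, as an added example that is not from the slides: the toy prime, the dishonest strategy cheat='Z1' and the lists of (aspect, c) choices are constructed for the demonstration, and since everything runs in one process the revealed coordinates are passed directly instead of being opened from commitments.

```python
import secrets

P = 17  # constructed toy prime (the slides' illustration value)

def rr(x, p=P):
    """Random representation (u, v) with (u + v) mod p == x."""
    u = secrets.randbelow(p)
    return (u, (x - u) % p)

def ep_translation(x, y, z_claimed, cheat=None, p=P):
    """One translation TR of the claim val(X) * val(Y) = val(Z).
    EP builds Z0 = (u1*u2, v1*v2), Z1 = (u1*v2 + r1, -r1), Z2 = (u2*v1 + r2, -r2);
    (u1+v1)(u2+v2) = u1u2 + v1v2 + u1v2 + u2v1, so x*y = val(Z0) + val(Z1) + val(Z2).
    EP also posts r with Z0 + Z1 + Z2 = Z + (r, -r), exactly as for an addition.
    cheat='Z1' is a constructed dishonest strategy: hide the gap z - x*y inside Z1."""
    X, Y, Z = rr(x, p), rr(y, p), rr(z_claimed, p)
    (u1, v1), (u2, v2) = X, Y
    r1, r2 = secrets.randbelow(p), secrets.randbelow(p)
    Z0 = (u1 * u2 % p, v1 * v2 % p)
    Z1 = ((u1 * v2 + r1) % p, (-r1) % p)
    Z2 = ((u2 * v1 + r2) % p, (-r2) % p)
    if cheat == "Z1":
        Z1 = ((Z1[0] + z_claimed - x * y) % p, Z1[1])
    r = (Z0[0] + Z1[0] + Z2[0] - Z[0]) % p
    return dict(X=X, Y=Y, Z=Z, Z0=Z0, Z1=Z1, Z2=Z2, r=r, r1=r1, r2=r2)

def ver_check(tr, aspect, c, p=P):
    """VER checks ONE aspect per translation, so no value is ever fully opened:
    'add' (prob 1/2): coordinate c of Z0+Z1+Z2 = Z+(r,-r) and of Z0's product structure;
    'Z1' / 'Z2' (prob 1/4 each): the posted structure, opening u1,v2,r1 (resp. u2,v1,r2)."""
    X, Y, Z, Z0, Z1, Z2 = (tr[k] for k in ("X", "Y", "Z", "Z0", "Z1", "Z2"))
    if aspect == "add":
        i, s = (0, tr["r"]) if c == 1 else (1, -tr["r"])
        return ((Z0[i] + Z1[i] + Z2[i]) % p == (Z[i] + s) % p
                and Z0[i] == X[i] * Y[i] % p)
    if aspect == "Z1":
        return Z1 == ((X[0] * Y[1] + tr["r1"]) % p, (-tr["r1"]) % p)
    return Z2 == ((Y[0] * X[1] + tr["r2"]) % p, (-tr["r2"]) % p)

def k_translations_accept(x, y, z_claimed, choices, cheat=None, p=P):
    """choices: one (aspect, c) per translation. A dishonest EP passes each translation
    with probability at most 3/4, so all k of them with probability < (3/4)^k."""
    return all(ver_check(ep_translation(x, y, z_claimed, cheat, p), a, c, p)
               for a, c in choices)
```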



Proving 0 ≤ x ≤ B for B < p/2

B is explicitly given integer. If we prove 0 ≤x,y≤ B and 0 ≤ (x-y) mod p ≤ B, it follows that x ≤ y.

Let b^2 be a bound on possible bid values.

Following [BCDdG87], given 0 ≤ z ≤ b, the EP can supply within the framework of GSLC translations a proof that –b ≤ z ≤ 2b (i.e. as an integer p-b ≤ z < p or 0 ≤ z ≤ 2b).

How do we get rid of the first possibility?

Lagrange proved that every integer x = z1^2 + z2^2 + z3^2 + z4^2. R77 in lectures [RS86] gave an efficient polynomial-time algorithm for computing such a representation. For numbers x ≤ 2^32, Schorn's Python implementation computed 60,000 representations in 1 second.



Proving 0 ≤ x ≤ B for B < p/2

[CS03] proposed using Lagrange in the context of proving range statements for encrypted numbers.

We apply Lagrange + [RS86] in our context of GSLCs.

Given 0 ≤ x ≤ b^2 < p/32, the EP computes z1, …, z4 such that x = z1^2 + z2^2 + z3^2 + z4^2. Each zi is between 0 and b. The numbers x, z1, …, z4 are represented as usual in a translation TR by pairs X, Z1, …, Z4.

EP incorporates in the GSLC steps for enabling verification that -b ≤ val(Zi) ≤ 2b and that val(X) = val(Z1)^2 + … + val(Z4)^2. This implies 0 ≤ x ≤ 16b^2 = B. Now 32b^2 < p, i.e. 16b^2 < p/2.
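The range step of this slide and the comparison-from-ranges idea of the previous one, as an added example that is neither the slides' nor Schorn's code: the prime, the bound b and the brute-force four-squares search are constructed stand-ins (the search replaces the [RS86] algorithm), and verifier_range_check simulates in the clear the facts that the GSLC translation lets VER establish about the hidden x.

```python
from math import isqrt

P = 1_000_003    # constructed prime; 32*b^2 must be < p for the bound below
B_ROOT = 100     # b: values to be range-proved satisfy 0 <= x <= b^2 = 10_000

def four_squares(x):
    """Prover-side witnesses z1..z4 with x = z1^2 + z2^2 + z3^2 + z4^2 (Lagrange).
    Brute-force stand-in for the randomized polynomial-time algorithm of [RS86]."""
    for z1 in range(isqrt(x), -1, -1):
        for z2 in range(isqrt(x - z1 * z1), -1, -1):
            rest = x - z1 * z1 - z2 * z2
            for z3 in range(isqrt(rest), -1, -1):
                z4 = isqrt(rest - z3 * z3)
                if z4 * z4 == rest - z3 * z3:
                    return (z1, z2, z3, z4)
    raise ValueError("x must be a non-negative integer")

def range_bound(b=B_ROOT):
    return 16 * b * b          # B = 16 b^2, which is < p/2 because 32 b^2 < p

def verifier_range_check(x_modp, zs, b=B_ROOT, p=P):
    """Simulates what the translation proves to VER without opening x: every z_i lies
    in [-b, 2b] (the [BCDdG87] step) and x = z1^2 + ... + z4^2 (mod p). The sum of
    squares is then at most 4*(2b)^2 = 16b^2 = B < p/2, so the residue x IS that integer."""
    if len(zs) != 4 or any(z < -b or z > 2 * b for z in zs):
        return False
    return sum(z * z for z in zs) % p == x_modp % p

def prove_leq(x, y, b=B_ROOT, p=P):
    """EP side of x <= y for 0 <= x, y <= b^2: range-prove d = (y - x) mod p.
    d lies in [0, b^2] exactly when x <= y; otherwise d >= p - b^2 and no witnesses
    within [-b, 2b] exist, so an honest EP returns None (no proof possible)."""
    d = (y - x) % p
    return None if d > b * b else (d, four_squares(d))

def leq_holds(x, y, b=B_ROOT, p=P):
    """VER side: accept x <= y only if a range proof of the difference checks out."""
    w = prove_leq(x, y, b, p)
    return w is not None and w[0] <= range_bound(b) and verifier_range_check(w[0], w[1], b, p)
```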



New Challenge - Solved

  • Proving Announced Matching Is Stable Involves Statements:

    ¬[ (x^(i)_s < x^(i)_t) ∧ (y^(s)_i < y^(s)_m) ]

  • Without Revealing TruthValue( x^(i)_s < x^(i)_t ),

  • TruthValue( y^(s)_i < y^(s)_m ).

  • EP can ZKP for posted COM(x), COM(y), COM(z) that:

    Val(Z) = 1 if Val(x) < Val(y), 0 else



Form of k-Translations Proof

P_1, …, P_n have submitted to EP values x_1, …, x_n

Form of proof created by EP:

TR(1) = COM(X_1^(1)), …, COM(X_n^(1)), …, (translation of GSLC program)

TR(k) = COM(X_1^(k)), …, COM(X_n^(k)), …, (translation of GSLC program)

How can VER ascertain that val(X_j^(1)) = … = val(X_j^(k)) = x_j for 1 ≤ j ≤ n? I.e. that the rows of commitments to input values are value consistent and represent the submitted x_1, …, x_n.



P1…Pn submit Inputs x1 … xn to EP

  • P_i, 1 ≤ i ≤ n, prepares 3k random representations Y_1^(i), …, Y_3k^(i) of his value x_i.

  • P_i submits commitments COM(Y_1^(i)), …, COM(Y_3k^(i)) to the EP

  • Purpose of multiple representations of value x_i: to enable EP to prepare multiple Translations of the GSLC

  • EP posts all commitments from all P_i, 1 ≤ i ≤ n.



Secure Bulletin Board

COM(Y_1^(1)), COM(Y_2^(1)), …, COM(Y_3k^(1))

COM(Y_1^(2)), COM(Y_2^(2)), …, COM(Y_3k^(2))

COM(Y_1^(n)), COM(Y_2^(n)), …, COM(Y_3k^(n))



Creating Additional Input Value Representations

  • Every P_i opens (reveals) Y_1^(i), …, Y_3k^(i) to EP

  • EP chooses L (say L = 10)

  • EP constructs additional 6kL = m columns:

    COM(X_1^(1)), COM(X_2^(1)), …, COM(X_m^(1))

    COM(X_1^(2)), COM(X_2^(2)), …, COM(X_m^(2))            (5)

    COM(X_1^(n)), COM(X_2^(n)), …, COM(X_m^(n))



Proving Value Consistency

  • Interactively with VER, EP proves

    • In the n × 3k posted matrix of representation of input values, at least 2k columns are pair-wise value consistent.

    • By definition, the common 2k majority of values in row i is Pi’s input xi.

    • In the n × m matrix (5), at least (1 – 1/L)m columns are pair-wise value consistent with the majority values of the input matrix.

    • The interactive proof involves all input representations and 3kL columns of the matrix (5).

    • The remaining untouched 3kL columns of the matrix (5) are used by EP to construct 3L proofs of correctness of announced GSLC results.



Assurance of Proof of Value Consistency

  • Theorem: If either (1) or (2) are false, with respect to the inputs n × 3k matrix or the EP created n × m matrix (5) then:

  • Prob(VER accepts proof) ≤ 1/2^k



Implementing EP by secure processor

One possibility for an EP is a secure processor (SP) assumed to accept inputs and post results and proofs of correctness according to the previous protocols.

No assumption is made about the correctness of internal computations. In fact the proof of correctness and its verification ensure correctness.

Problem: The SP is tested and certified with respect to the content it can output, however there may be covert channels. Worst possibility: SP leaks, say, the value x1 through randomness employed in construction of a translation.

Solution: Use another secure processor RSP – a universal source of randomness.



Experimental Results

Comparing 100-bidder secrecy-preserving Vickrey auction using Paillier encryption [PRST06] with 2048-bit key against EP method with k = 40, p ~ 2^128.



Matching Problems (H. Varian)

Entities: E1, … , Ek; candidates: C1, …, Cm

E1 preference list: Ci1, …, Cim

C1 preference list: Ej1, …, Ejk

etc.

Preference Lists: Secret

EP computes stable matching

can ZK prove correctness

