Michael O. Rabin Harvard University Hebrew University

1 / 34

# Michael O. Rabin Harvard University Hebrew University - PowerPoint PPT Presentation

Practical Zero Knowledge Proofs Applied To Proving Correctness Of Stable Matching Problems. Michael O. Rabin Harvard University Hebrew University. Algorithmic Game Theory Hebrew University May 23, 2011. Motivation, Applications New Zero Knowledge Proofs Next Steps.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

## PowerPoint Slideshow about ' Michael O. Rabin Harvard University Hebrew University' - ion

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

Practical Zero Knowledge Proofs Applied To Proving Correctness Of Stable Matching Problems

Michael O. Rabin

Harvard University

Hebrew University

Algorithmic Game Theory

Hebrew University

May 23, 2011

Motivation, Applications
• New Zero Knowledge Proofs
• Next Steps

Hospitals/Residents - Continued

• Every ResidentRanks Hospitals:

Etc…

Stable Matching

• No Pair Hospital-Resident So That:

Prefers

Prefers

Over

Stable Matching – The Data

1

L

H …………. H

• Resident : ………….

i

1

M

R ………….……. R

( i )

( j )

( j )

( i )

• Hospital : ………….…….

j

y

X

y

X

L

1

M

1

• Administrator Gets Data, Computes Stable Matching. Informs Hospitals/Residents.

Secrecy And Correctness

• Hospitals Do Not Want Residents To Know Their Rankings.
• Residents Want Their Hospital Rankings Kept Secret.
• Everybody Wants Assurance Of Correctness Of Announced Matchings.

( j )

( i )

( i )

( j )

X

X

y

y

s

t

m

n

• Challenge: Proving Statements Such As:

< , <

While Keeping Values Secret.

Existing Technologies

• Varieties of Zero-Knowledge Proofs and Arguments:
• Proving x ∈ L – an NP language
• Proving circuit satisfiability (at the bit level)
• Using homomorphic encryption to prove statements about encrypted values
• The method of obfuscated circuits (A. Yao)
• Multiparty computations, hiding inputs, intermediate results

Our Approach

We work directly with numbers x,y,z∈ Fp, p prime, say p~264. No need to go down to the bit/gate level or work with heavy homomorphic encryptions.

A wide range of computations and ZK Proofs of their correctness is encompassed within the formulation of Generalized Straight-Line Computations in Fp and verification of correctness of results of such computations.

Generalized Straight-Line Computations

Let x1,…,xn be inputs from P1,…,Pn.

An Evaluator Prover (EP) conducts a generalized straight-line computation (GSLC) producing Outputs: xL , xL+1 ), etc.

x1, x2, …, xn, xn+1, …, xL = fL(x1,…,xn).

xL+1= fL+1(x1,…,xn), etc. (1)

For all m > n, ∃i, j < m such that xm= xi + xj (mod p), or xmor xm = xi × xj (mod p) or xm = (xi <= xj). More general computations treatable.

Posting And Proving Correctness of Results

• The Evaluator Prover (EP) posts the results
• (outputs):
• xL = fL(x1,…,xn), xL+1= fL+1(x1,…,xn), etc.
• The EP posts a ZK Proof of the correctness of the results
• The proof of correctness is checked by a Verifier VER interacting with the EP

Flow of Proof/Verification

• EP creates proof
• Presents Proof to Verifier VER
• VER challenges: EP
• EP responds: VER
• VER checks correctness of responses

C1, C2, …

R1, R2, …

Our Magical Solution

Values x ∈ {0,1,..,p-1} = Zp, prime p ~ 264, +, ×, mod p

Random representations:

RR(x) = X = (u,v), val(X) = (u+v) mod p = x

u R {0,1,…,p-1}, v = (x-u) mod p

COM(X) = (COM(u),COM(v))

Evaluator Prover needs to ZKP statements such as

val(X) + val(Y) = val(Z), val(X) × val(Y) = val(Z),

val(X) <= val(Y)

Commitment To Values

G is a group, |G| = p.

g1 generator, g2= g1m, m=logg1(g2)

Assume: Discrete Log Problem for G intractable

Given u ϵFp r [0,p-1]

Define: COM(u,r)=g1rg2u

COM is information theoretically hiding; computationally binding.

In practice, commitment is made using encryption E( , )

(say 128-bit key AES)

COM(u) = E(K, u)

Decommit/Open: reveal key K

R

X = (u1,v1), Y = (u2,v2), Z = (u3,v3)

Claim:val(X)+val(Y)=val(Z) (3)

Posted: (COM(ui),COM(vi)), 1 ≤ i ≤ 3

(3) True iff ∃ r ∈ Fps.t. X+Y=Z+(r,-r)

EP reveals r

VER c {1,2}, send to EP say c=1

EP reveals u1,u2,u3 (or if c=2; v1, v2, v3)

VER checks u1+u2=u3+r (or v1+v2=v3-r)

Prob( (3) false and check succeeds) ≤ 1/2

R

Illustration of the Method
• p=17
• x=7, y=7, x+y=z=14
• X=(3,4), Y=(15,9), Z=(8,6)
• CLAIM: val(X)+val(Y) = val(Z)

8

10

3

15

-10

6

4

9

Z

Y

X

Illustration of the Method
• p=17
• x=7, y=7, x+y=z=14
• X=(3,4), Y=(15,9), Z=(8,6)

Auc posts (10,-10). Verifier: c R {1,2}

10

8

3

15

c=1

6

4

9

Z

Y

X

• Let COM(X), COM(Y), COM(W), COM(U), COM(Z), etc be posted
• EP claims VAL(X)+VAL(Y)=VAL(W), VAL(W)+VAL(U)=VAL(Z), etc
• Correctness of sequence of additions can be simultaneously proved/verified as above.
• If Challenge is c=1, all first coordinates are revealed by EP. If Challenge is c=2, all second coordinates are revealed.
• Prob( check succeeds but even one addition false ) ≤ 1/2

Amplification of Confidence

• EP posts k “Translations” of the proof of sequence of same additions
• COM(X(i)), COM(Y(i)), COM(W(i)), COM(U(i)), COM(Z(i)), etc for 1 <= i <= k
• where val(X(1)) = … = val(X(k))
• val(Y(1)) = … = val(Y(k)) etc
• VER creates k independent Challenges
• c1,…,ck {1,2}
• EP reveals all coordinates ci in Translation i
• Prob( all checks succeed while even one addition false) ≤ 1/2k

R

Proof/Verification of Multiplication

X = (u1,v1), Y = (u2,v2), Z = (u3,v3)

Claim: val(X) × val(Y) = val(Z) (4)

Posted: (COM(ui),COM(vi)), 1 ≤ i ≤ 3

EP creates Z(0) = (u1 × u2, v1 × v2), Z(1) = (u1 × v2 + r1, -r1), Z(2) = (u2 × v1+ r2, -r2) where r1 , r2 Fp

Clearly, (4) true iff val(Z) = val(Z(0)) + val(Z(1)) + val(Z(2))

EP posts COM(Z(0)), COM(Z(1)), COM(Z(2))

VER tests correctness of one of the constructions of Z(0), Z(1), Z(2)

R

• A Translation TR of a GSLC will include a number of additions and a number of multiplications
• VER will randomly decide whether to check correctness of all additions or correctness of all multiplications
• If checking correctness of multiplications VER will randomly choose which aspect (i.e. structure) of Z(0), Z(1), or Z(2) to check for correctness. Same aspect for all multiplications.

Amplification of Confidence

Main Theorem: if EP constructs and posts k Translations TR(1),…,TR(k) of a GSLC and if for every TR(i) VER randomly and independently chooses to check for correctness of additions with probability 1/2, correctness of all Z(1) with probability 1/4, and correctness of all Z(2) with probability 1/4, then

Prob(All checks correct and posted computation results incorrect) < (3/4)k

Comment: correctness of structure of all Z(0) is done together with correctness of additions.

Proving 0 ≤ x ≤ B for B < p/2

B is explicitly given integer. If we prove 0 ≤x,y≤ B and 0 ≤ (x-y) mod p ≤ B, it follows that x ≤ y.

Let b2 be a bound on possible bid values.

Following [BCDdG87], given 0 ≤ z ≤ b, the EP can supply within the framework of GSLC translations a proof that –b ≤ z ≤ 2b (i.e. as an integer p-b ≤ z < p or 0 ≤ z ≤ 2b).

How do we get rid of the first possibility?

Lagrange proved that every integer x = z12 + z22 + z32 + z42. R77 in lectures [RS86] gave an efficient polynomial-time algorithm for computing such a representation. For numbers x ≤ 232, Schorn’s Python implementation computed 60,000 representations in 1 second.

Proving 0 ≤ x ≤ B for B < p/2

[CS03] proposed using Lagrange in the context of proving range statements for encrypted numbers.

We apply Lagrange + [RS86] in our context of GSLCs.

Given 0 ≤ x ≤ b2 < p/32, the EP computes z1,…,z4 such that x = z12 + z22 + z32 + z42. Each zi is between 0 and b. The numbers x, z1, …, x4 are represented as usual in a translation TR by pairs X, Z1, …, Z4.

EP incorporates in the GSLC steps for enabling verification that -b ≤val(Zi) ≤ 2b and that val(X) = val(Z1)2 + … + val(Z4)2. This implies 0 ≤ x ≤ 16b2 = B. Now 32b2 < p, i.e. 16b2 < p/2.

New Challenge - Solved

• Proving Announced matching is stable involves statements:

⌐ [ ( < ) ^ ( < ) ]

• Without Revealing TruthValue ( < ),
• TruthValue ( < ).

( s )

( i )

( i )

( i )

( i )

( s )

( s )

( s )

X

y

X

X

X

y

y

y

• EP can ZKP for posted COM(x), COM(y), COM(z) that:

m

m

t

s

t

s

i

i

1 Val(x) < Val(y)

Val(Z) =

0 else

Form of k-Translations Proof

P1, …, Pn have submitted to EP values x1, …. xn

Form of proof created by EP:

TR(1) = COM(X1(1)), … , COM(Xn(1)), ... , (translation of GSLC program)

TR(k) = COM(X1(k)), … , COM(Xn(k)), ... , (translation of GSLC program)

How can VER ascertain that val(Xj(1)) = … = val(Xj(k)) = xj

1 ≤ j ≤ n ? i.e. that rows of commitments to input values are value consistent and represent submitted x1, …. xn

P1…Pn submit Inputs x1 … xn to EP

• Pi , 1 ≤i≤ n, prepares 3k random representations Y1(i), … , Y3k(i) of his value xi.
• Pi submits commitments COM(Y1(i)), … , COM(Y3k(i)) to the EP
• Purpose of multiple representations of value xi to enable EP to prepare multiple Translations of GSLC
• EP posts all commitments from all Pi , 1 ≤i≤ n.
Secure Bulletin Board

COM(Y1(1)), COM(Y2(1)), … , COM(Y3k(1))

COM(Y1(2)), COM(Y2(2)), … , COM(Y3k(2))

COM(Y1(n)), COM(Y2(n)), … , COM(Y3k(n))

• Every Pi opens (reveals) Y1(i), … , Y3k(i) to EP
• EP chooses L (say L = 10)
• EP constructs additional 6kL = m columns
• COM(X1(1)), COM(X2(1)), … , COM(Xm(1))
• COM(X1(2)), COM(X2(2)), … , COM(Xm(2)) (5)
• COM(X1(n)), COM(X2(n)), … , COM(Xm(n))

Proving Value Consistency

• Interactively with VER, EP proves
• In the n × 3k posted matrix of representation of input values, at least 2k columns are pair-wise value consistent.
• By definition, the common 2k majority of values in row i is Pi’s input xi.
• In the n × m matrix (5), at least (1 – 1/L)m columns are pair-wise value consistent with the majority values of the input matrix.
• The interactive proof involves all input representations and 3kL columns of the matrix (5).
• The remaining untouched 3kL columns of the matrix (5) are used by EP to construct 3L proofs of correctness of announced GSLC results.

Assurance of Proof of Value Consistency

• Theorem: If either (1) or (2) are false, with respect to the inputs n × 3k matrix or the EP created n × m matrix (5) then:
• Prob(VER accepts proof) ≤ 1/2k

Implementing EP by secure processor

One possibility for an EP is a secure processor (SP) assumed to accept inputs and post results and proofs of correctness according to the previous protocols.

No assumption is made about the correctness of internal computations. In fact the proof of correctness and its verification ensure correctness.

Problem: The SP is tested and certified with respect to the content it can output, however there may be covert channels. Worst possibility: SP leaks, say, the value x1 through randomness employed in construction of a translation.

Solution: Use another secure processor RSP – a universal source of randomness.

Experimental Results

Comparing 100-bidder secrecy-preserving Vickrey auction using Paillier encryption [PRST06] with 2048-bit key against EP method with k = 40, p ~ 2128.

Matching Problems (H. Varian)

Entities: E1, … , Ek; candidates: C1, …, Cm

E1 preference list: Ci1, …, Cim

C1 preference list: Ej1, …, Ejk

etc.

Preference Lists: Secret

EP computes stable matching

can ZK prove correctness