210 likes | 231 Views
Multi-Party Proofs and Computation. Based in part on materials from Cornell class CS 4830. Interactive Proofs. A prover must convince a verifier that some statement is true. Typically the prover is thought of as all powerful, while the verifier has limited computational ability.
E N D
Multi-Party Proofs and Computation Based in part on materials from Cornell class CS 4830.
Interactive Proofs A prover must convince a verifier that some statement is true. Typically the prover is thought of as all powerful, while the verifier has limited computational ability. The verifier doesn’t trust the prover.
Sudoku How can the prover convince the verifier that this puzzle has a solution?
Interactive Proof Prover shows the verifier a solution. Verifier checks every row, column, 3x3 box.
Pepsi Challenge Professor Maggs claims that he can distinguish Pepsi from Coke without ever making an error. How can this claim be verified?
Experiment: Shengbao: Randomly decides (with equal probability) on Coke or Pepsi and hands the professor a glass containing the chosen drink. Professor: Takes a sip of the drink and pronounces “Coke” or “Pepsi”. Shengbao: Notes whether the pronouncement was correct, and repeats.
Verifying the Claim Suppose that the professor can actually only correcty identify a Coke or a Pepsi with probability p. After t trials, the probability that the professor gets the answer correctly every time is pt. Example, for p = 0.9, t = 100, pt < 0.00003
Zero-Knowledge Proof Prover wants to convince verifier that some statement is true, without revealing anything about the proof. Rewording: prover wants to convince verifier that prover knows a solution to a problem without revealing any information about the solution.
Hamilton Path A graph has a Hamilton path if there is a path through the graph that visits every vertex exactly once. 1 5 2 6 4 3 7
Zero-Knowledge Proof Prover: • Draw the graph on a piece of cardboard with vertices positioned at random places. Don’t write down the labels, 1,…,n, of the vertices. • Cover everything in the drawing except the vertices with scratch-off paint. • Give the cardboard to the verifier
Verification The verifier flips an unbiased random coin, then based on the outcome asks the prover to do one of two things: 1: Scratch off all the paint and then label the vertices. The verifier then checks that the drawn graph matches the original input graph. 2: Scratch off just enough paint to reveal the edges of a Hamilton path. The verifier then knows that the drawn graph is Hamiltonian. If the graph is Hamiltonian, the prover always succeeds. If the graph is not Hamiltonian, the prover fails with probability ½.
Zero Knowledge The verifier never learns anything about the Hamilton path. Revealing a labeled drawing of the graph provides no new information. 2 1 4 5 6 7 3
Zero Knowledge Revealing a path, but no other edges, connecting n unlabeled vertices at random positions provides no new information.
Note that Hamilton Path is NP-complete, i.e., every other problem in NP can be reduced to Hamilton Path ZKP for Hamilton Path → ZKP for all NP!
How to flip a coin over the Internet 1. First party chooses a random number X in the range [0-2256) publishes A := H(X) 2. Second party likewise chooses a number Y publishes B := H(Y) 3. After receiving A,B, both parties reveal X and Y If (X+Y) is even, first party wins. What if first party waits to see H(Y) before choosing X? What if first party tries to change X after seeing Y?
Computing Average Salary n professors in a room would like to compute their average salary, but they do not wish to reveal their salary to others. in fact, they do not wish to reveal their salary to any coalition of n-2professors.
Collusion Suppose prof3 through profn collude. What can they learn about the salaries of prof1 and prof2? They can deduce s1 + s2 from the sum, but this in inherent in the computation. They have shares r1,3 through r1,n and r2,3 through r2,n They can deduce r1,1+r1,2+r2,1+r2,2 from the shares they have and s1 + s2 But they can’t deduce s1 or s2 to an accuracy greater than r1,1+r1,2+r2,1+r2,2
Two-Party Secure AND Computation Alice and Bob wish to know whether they mutually have feelings for each other. • If both have feelings for the other, great! • If Alice loves Bob but Bob does not love Alice back, Alice will be embarrassed -- she would not want Bob to know that she loves Bob (or vice versa)
Securely computing AND truth table A B AND 0 0 0 0 1 0 1 0 0 1 1 1 both learn the others’ input by definition Bob does not learn which case Alice does not learn which case
Protocol • place Alice’s input cards, heart, Bob’s input cards in order, face down • shuffle (cycle shift) • reveal