Zero Knowledge Proofs
Interactive proof
• An Interactive Proof System for a language L is a two-party game between a verifier and a prover that interact on a common input in a way satisfying the following properties:
• The verifier’s strategy is a probabilistic polynomial-time procedure.
• Correctness requirements:
• Completeness: There exists a prover strategy P, such that for every xL, when interacting on a common input x, the prover P convinces the verifier with probability at least 2/3.
• Soundness: For every xL, when interacting on the common input x, any prover strategy P* convinces the verifier with probability at most 1/3.
Zero Knowledge Proof
• Let (P,V) be an interactive proof system for some language L. We say that (P,V), actually P, is zero-knowledge if for every probabilistic polynomial-time ITM V* there exists a probabilistic polynomial-time machine M* s.t. for every xL the following holds:
• {<P,V*>(x)}xL {M*(x)}xL
• Machine M* is called the simulator for the interaction of V* with P.
Perfect Zero Knowledge
• Definition: Let (P,V) be an interactive proof system for some language L. We say that (P,V), actually P, is perfect zero-knowledge (PZK) if for every probabilistic polynomial-time ITM V* there exists a probabilistic polynomial-time machine M* s.t. for every xL the distributions {<P,V*>(x)}xL and {M*(x)}xL are identical, i.e., {<P,V*>(x)}xL {M*(x)}xL
Statistical Zero Knowledge
• Definition: Let (P,V) be an interactive proof system for some language L. We say that (P,V), actually P, is statistical zero knowledge (SZK) if for every probabilistic polynomial-time verifier V* there exists a probabilistic polynomial-time machine M* s.t. the ensembles {<P,V*>(x)}xL and {M*(x)}xL are statistically close.
• Definition (cont.): The distribution ensembles {Ax}xL and {Bx}xL are statistically close, or have negligible variation distance, if for every polynomial p(•) there exists an integer N such that for every xL with |x| N holds: |Pr [Ax = ] – Pr [Bx = ]| p(|x|)-1
Computational Zero Knowledge
• Definition: Let (P,V) be an interactive proof system for some language L. (P,V), actually P, is computational zero knowledge (CZK) if for every probabilistic polynomial-time verifier V* there exists a probabilistic polynomial-time machine M* s.t. the ensembles {<P,V*>(x)}xL and {M*(x)}xL are computationally indistinguishable.
• Definition: Two ensembles {Ax}xL and {Bx}xL are computationally indistinguishable if for every probabilistic polynomial-time distinguisher D and for every polynomial p(•) there exists an integer N such that for every xL with |x| N holds
• |Pr [D(x,Ax) = 1] – Pr [D(x,Bx) = 1]| p(|x|)-1
Graph Isomorphism problem
• Definition: Graph Isomorphism: two graphs G0=(V0,E0) and G1=(V1,E1) are isomorphic permutation s.t (u,v) E0( (u), (v)) E1
• If G0 and G1 are isomorphic and is an isomorphism between G0 to G1 we write G1 = (G0).
• Graph Isomorphism problem: Given two graphs G1 and G2, are they isomorphic?
• Lemma: GI ZK
• Proof: Zero Knowledge Interactive Proof for GI.
Zero Knowledge Interactive proof for Graph Isomorphism
• 1. Repeat the following n times:
• 2. The prover chooses a random permutation of (1…n), computes H=(G1) and sends it to the verifier.
• 3. The verifier chooses randomly i=1 or 2 and sends it to the prover.
• 4. The prover chooses permutation s.t H = (Gi).
• If i=1 the prover sends to the verifier, otherwise the prover will send -1. ( is the isomorphism between G1 and G2.)
• 5. The verifier checks if H is the image of Gi under .
• 6. The verifier accepts if H is the image of Gi in all n rounds.
[Figure: message flow between Prover and Verifier for the protocol above. The prover sends H, the verifier sends i (1 or 2), the prover answers with a permutation, and the verifier checks if H is the image of Gi.]
Building simulator M* for graph isomorphism problem
• We will define simulator M* as follows:
• Input: (G0, G1) ISO
• 1. Chooses a random string RANDOM and puts it on the random tape of verifier V*.
• 2. Randomly chooses a {0,1} and permutation , constructs H= (Ga) and sends H to V*.
• 3. Receives b from V*.
• If b {0,1} then outputs {RANDOM,H,b} and STOP.
• If a=b then outputs {RANDOM,H,b, } and STOP; else GOTO 1.
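The protocol round and the simulator M* described above, as an added Python example (not part of the original slides). Vertices are numbered from 0, graph indices 0/1 stand for the slides' 1/2, and the sample graphs and the verifier strategy `degree_parity_challenge` are constructed for illustration.

```python
import random

def permute(edges, pi):
    """Image of an edge list under the vertex relabelling v -> pi[v]."""
    return frozenset(frozenset((pi[u], pi[v])) for u, v in edges)

def inverse(pi):
    inv = [0] * len(pi)
    for v, w in enumerate(pi):
        inv[w] = v
    return inv

def random_perm(n, rng):
    pi = list(range(n))
    rng.shuffle(pi)
    return pi

def verify(graphs, H, i, resp):
    """Verifier's check: H must be the image of graphs[i] under resp."""
    return permute(graphs[i], resp) == H

def real_round(graphs, iso, challenge, rng):
    """Honest prover who knows iso, the isomorphism from graphs[0] onto graphs[1]."""
    pi = random_perm(len(iso), rng)
    H = permute(graphs[0], pi)
    i = challenge(H)
    inv = inverse(iso)
    # For i == 1 the answer is pi composed with the inverse isomorphism.
    resp = pi if i == 0 else [pi[inv[v]] for v in range(len(pi))]
    return H, i, resp

def simulated_round(graphs, n, challenge, rng):
    """Simulator M*: knows no isomorphism, guesses the challenge, retries on a miss."""
    while True:
        a = rng.randrange(2)
        pi = random_perm(n, rng)
        H = permute(graphs[a], pi)
        b = challenge(H)
        if a == b:
            return H, b, pi

# Constructed sample input: a 4-vertex path and a relabelled copy of it.
G1 = [(0, 1), (1, 2), (2, 3)]
ISO = [2, 0, 3, 1]
G2 = [(ISO[u], ISO[v]) for u, v in G1]
GRAPHS = (G1, G2)

def degree_parity_challenge(H):
    """A verifier V* whose challenge depends on H: parity of vertex 0's degree."""
    return sum(1 for e in H if 0 in e) % 2
```

Both functions return a transcript (H, challenge, permutation) that passes `verify`; the simulated one is produced without `ISO`, which is the point of the construction.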
Zero-Knowledge Password Proofs
• 1. The prover finds two large prime numbers p and q and sends n=pq to the verifier.
• 2. r is a random number in [n, n^4]. The prover sends x^2 mod n and r^2 mod n to the verifier.
• 3. The verifier then randomly asks for r or xr and checks the prover.
[Figure: message flow between Prover and Verifier. The prover sends n=pq, x^2 mod n and r^2 mod n; the verifier asks for xr or r; the prover sends xr or r; the verifier checks the prover.]
NP and Zero Knowledge proofs
• Lemma: NPZK
• Proof: 3colZK.
Zero Knowledge proof for 3col problem
• 1. The prover randomly chooses a permutation . Computes (c(v)), puts it in envelopes and sends them to the verifier.
• 2. The verifier randomly chooses (u,v) E and opens the envelopes.
• If the colors are different and legal he answers “yes”.
[Figure: message flow between Prover and Verifier. The prover chooses a permutation and sends (c(v)) in envelopes; the verifier chooses an edge (u,v), has the envelopes opened and checks that the colors are different.]
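One round of the 3col protocol above, repeated, as an added Python example (not from the original slides). The "envelopes" are modelled as salted SHA-256 commitments, which is an assumption of this sketch, as are the function names and the constructed sample graph.

```python
import hashlib
import secrets

def seal(color):
    """An 'envelope': salted SHA-256 commitment to one color (modelling assumption)."""
    salt = secrets.token_bytes(16)
    return hashlib.sha256(salt + bytes([color])).hexdigest(), salt

def prover_commit(coloring, rng):
    """Step 1: relabel the three colors at random and seal one envelope per vertex."""
    perm = [0, 1, 2]
    rng.shuffle(perm)
    envelopes, openings = {}, {}
    for v, c in coloring.items():
        digest, salt = seal(perm[c])
        envelopes[v] = digest
        openings[v] = (perm[c], salt)
    return envelopes, openings

def verifier_check(envelopes, edge, opened):
    """Step 2: openings must be legal colors, match their envelopes, and differ."""
    colors = []
    for v in edge:
        color, salt = opened[v]
        if color not in (0, 1, 2):
            return False
        if hashlib.sha256(salt + bytes([color])).hexdigest() != envelopes[v]:
            return False
        colors.append(color)
    return colors[0] != colors[1]

def run(edges, coloring, rounds, rng):
    """Fresh permutation and envelopes each round; only the chosen edge is opened."""
    for _ in range(rounds):
        envelopes, openings = prover_commit(coloring, rng)
        u, v = rng.choice(edges)
        if not verifier_check(envelopes, (u, v), {u: openings[u], v: openings[v]}):
            return False
    return True

# Constructed sample input: a 4-cycle with one chord, and a proper 3-coloring of it.
EDGES = [(0, 1), (1, 2), (2, 3), (3, 0), (0, 2)]
COLORING = {0: 0, 1: 1, 2: 2, 3: 1}
```

Because the colors are relabelled before every round, the two opened envelopes show only a random pair of distinct colors.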
ZK protocol for Co-SAT
• Transform the CNF to a polynomial by these transformation rules:
• 1. T positive value
• 2. F 0
• 3. Xi Xi
• 3. Xi (1-Xi)
• 4. OR +
• 5. AND •
• The protocol:
• 1. The prover selects a prime number q > 2^n · 3^m and sends it to the verifier.
• 2. The verifier checks that q is prime. If q isn’t prime, it halts and rejects.
• 3. V0 is initialized to zero. The prover does the following for i=1…n: the prover computes a polynomial Pi whose degree is at most m.
• The construction of Pi:
• P1(x)= xn=0,1…. xn=0,1p(x1… xn)
• P2(x)= xn=0,1…. xn=0,1p(r1,x, x3… xn)
• Pn(x)=p(r1,... Rn-1, xn)
• The prover puts the polynomial Pi in envelopes and sends them to the verifier.
• 4. The prover moves to the next stage (i=i+1).
• 5. We know that the verifier will accept if r1… ri … rn s.t Pi(0) + Pi(1) = vi-1 mod q.
• Since checking each assignment is polynomial this problem is in NP.
• We can now do a reduction from any NP problem to 3col ZK.
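The arithmetization rules and the round check Pi(0) + Pi(1) = vi-1 mod q, as an added Python example (not from the original slides). It runs the rounds in the clear with an honest prover, without the envelopes that hide each Pi; encoding literals as signed integers, sending Pi as its values at 0..m, and the closing check of p at the random point are assumptions of this sketch.

```python
import random

def p_eval(cnf, xs, q):
    """Arithmetized CNF: Xi -> Xi, negated Xi -> (1 - Xi), OR -> +, AND -> *."""
    val = 1
    for clause in cnf:
        s = sum(xs[abs(l) - 1] if l > 0 else 1 - xs[abs(l) - 1] for l in clause)
        val = val * s % q
    return val

def partial_sum(cnf, prefix, n, q):
    """Sum of p over all 0/1 values of the variables that follow prefix."""
    if len(prefix) == n:
        return p_eval(cnf, prefix, q)
    return (partial_sum(cnf, prefix + [0], n, q)
            + partial_sum(cnf, prefix + [1], n, q)) % q

def interpolate(ys, x, q):
    """Value at x of the polynomial through (0, ys[0]), ..., (d, ys[d]) mod q."""
    total = 0
    for i, yi in enumerate(ys):
        num = den = 1
        for j in range(len(ys)):
            if j != i:
                num = num * (x - j) % q
                den = den * (i - j) % q
        total = (total + yi * num * pow(den, -1, q)) % q
    return total

def sum_check(cnf, n, q, claimed=0, rng=random):
    """All n rounds with an honest prover; True if the verifier accepts the claimed sum."""
    m, v, rs = len(cnf), claimed % q, []
    for _ in range(n):
        ys = [partial_sum(cnf, rs + [t], n, q) for t in range(m + 1)]  # P_i at 0..m
        if (ys[0] + ys[1]) % q != v:   # verifier: P_i(0) + P_i(1) = v_{i-1} mod q
            return False
        r = rng.randrange(q)           # verifier's random r_i
        v = interpolate(ys, r, q)      # v_i = P_i(r_i)
        rs.append(r)
    return p_eval(cnf, rs, q) == v     # closing check of p at (r_1, ..., r_n)

# Constructed inputs: literal k means Xk, -k its negation; each q is a prime > 2^n * 3^m.
UNSAT, Q_UNSAT = [[1, 2], [-1, 2], [1, -2], [-1, -2]], 331
SAT, Q_SAT = [[1, 2], [-1, 2]], 37
```

The claim "the sum is 0" is accepted for the unsatisfiable formula and rejected in the first round for the satisfiable one, whose true sum is 4.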
ZK protocol for Graph non isomorphism
• Definition: Graph non Isomorphism: given two graphs G0=(V0,E0) and G1=(V1,E1),
• (G0,G1) GNI
• there is no permutation s.t (u,v) E0( (u), (v)) E1
• 1. The verifier chooses randomly a number i (0,1). The verifier chooses a random permutation and computes H = (Gi). Then the verifier chooses randomly j (0,1). The verifier creates the pair of graphs (H0, H1) such that:
• if j=0:
• H0 is a permutation of G0
• H1 is a permutation of G1
• if j=1:
• H0 is a permutation of G1
• H1 is a permutation of G0
• The verifier sends H and the pair (H0, H1).
• 2. The prover chooses randomly b (0,1). The prover sends b to the verifier.
• If b=0 then the verifier sends the prover the isomorphism between (G0, G1) and (H0, H1).
• If b=1 the verifier sends the prover the isomorphism between H and (H0, H1).
• 3. The prover checks that the right isomorphism is sent; otherwise it stops. The prover computes b such that Gb is isomorphic to H and sends b to V. If there is no such b, the prover sends a random b.
• 4. The verifier accepts if j=b.
[Figure: message flow between Prover and Verifier. The verifier chooses i, computes H from Gi and sends H and the pair (H0, H1); the verifier then sends either the isomorphism between (G0, G1) and (H0, H1) or the isomorphism between (H0, H1) and H; the prover checks the isomorphism and computes b; the verifier checks that j=b.]
• Lemma: GNI PZK
• Proof: building M* s.t {<P,V*>(x)}xL {M*(x)}xL
• 1. The machine M* takes a random string of bits and puts it on a random tape.
• Mv* does the following n times:
• 2. Mv* waits to get H and the pair (H0, H1) from V*.
• 3. Mv* chooses a random b.
• 4. Mv* gets from V* the isomorphism between H and (H0, H1) and (G0, G1). Mv* checks it; if it is not the right isomorphism, it stops.
• Otherwise: 1. Returns V* to the point after H and (H0, H1) were received.
• 2. Chooses b’ again and sends it to V*.
• 3. Waits to get I’ from V*.
• I’ is the isomorphism received from V*.
• If b’b then Mv* finds the isomorphism from I and I’, from G0, G1 to (H0, H1) and from (H0, H1) to H. The machine uses this information to find the isomorphism from H to G0, G1.
• 4. The machine Mv* uses this information to compute V* and sends it to V*.