Zero-Knowledge Proofs Ben Hosp
Classical Proofs
• A proof is an argument for the truth or correctness of an assertion.
• A classical proof is an unambiguous demonstration that a statement is true or false.
Classical Proof Systems
• Suppose we have a language of assertions and proofs over some finite alphabet.
• Let L be the language of true assertions, that is, assertions that have proofs.
• We can define a classical proof system for L as an algorithm V such that:
  • True assertions have proofs: if x is in L, then a proof p exists such that V(x,p) = 1.
    • The Completeness property.
  • False assertions have no proofs: if y is not in L, for all p* in the proof language, V(y,p*) = 0.
    • The Soundness property.
  • For all x in the assertion language and p in the proof language, V(x,p) halts in polynomial time.
    • The Efficiency property.
Graph Isomorphism
• G = ([n],E)
• Perm(G) = ([n], E’)
• E’ = {(Perm(u), Perm(v)): (u,v) is in E}
• If there exist G, H such that Perm(G) = H, then G and H are isomorphic and Perm is an isomorphism between G and H.
Classical Proof System for Graph Isomorphism
    V(Graph G, Graph H, Permutation p) {
        if (p(G) == H) {   // O(|[n]|) time
            return 1;      // accept the proof
        } else {
            return 0;      // reject the proof
        }
    }
NP
• A review: NP is the class of problems which can be solved with a nondeterministic-polynomial algorithm.
    for each i in 1…answer.size
    G:  answer[i] = guess(i);       // magically provides the next bit of the answer
        if (!verify(answer, i))     // checks that answer is correct so far in polynomial time
            goto G;
        end if
    end for
Classical Proofs are NP
• So NP is exactly the class of languages with classical proof systems.
• If we have an assertion, we can verify any proof for it in polynomial time.
• The problem “Is x in L?” is in NP.
What Do You Learn From A Proof?
• A lot more than the truth of an assertion.
• You learn enough to convince others of the truth of that assertion.
• The “classical” way to prove “There exists x...” is to provide an example of x.
• What if you want to prove:
  • “There exists x”
  • “I know x”
• Without telling you x or (ideally) any information about x.
Ali Baba’s Cave
• There is a magic cave like this:
• But Ali Baba knows there is a secret door here:
• Ali Baba knows the cave is a loop, but no one else does.
Ali Baba’s Cave
• How can Ali Baba prove to you that the magic door exists?
• Classical proof would give away the secret.
• But Ali Baba can convince you the door exists by having you watch him go down one tunnel and come out the other.
• We need a new class of proofs.
Interactive Proofs
• Interactive proofs are based on the interaction between a prover P and a verifier V.
• P wants to prove something to the verifier.
• An interaction protocol is a pair of functions mapping strings to strings.
• In other words, it defines the messages P will send V and V will send P in terms of the last received message.
• In general, P will give V some commitment, then V will randomly make some sort of challenge to P, and then reject or accept the proof based on P’s response.
Probabilistic Proofs
• Proofs based on interactive protocols are probabilistic.
• There is generally a chance that the Verifier will reject some valid proofs or accept some invalid ones.
• We can define a probabilistic proof system for L as an interactive protocol (P,V) such that:
  • For all x in the assertion language, (P,V)(x) halts in polynomial time.
    • The Efficiency property.
  • If x is in L, then (P,V)(x) accepts with probability at least a.
    • The Completeness property.
  • If y is not in L, then (P,V)(y) accepts with probability at most b.
    • The Soundness property.
  • Where 1 >= a > b >= 0
• We can repeat such a proof multiple times to make the chance of a false positive or negative negligible.
IP
• IP is the class of languages with Interactive (Probabilistic) proofs.
• NP is a subset of IP
  • P can send V a classical proof to check
• IP is thought to be a strict superset of NP
Graph Non-Isomorphism
• No classical proof system is known for the question of whether graphs G and H are non-isomorphic.
• We can check all possible permutations of G but this takes exponential time.
• Observations on this problem:
  • Let ICP(G) be the set of isomorphic copies of G.
  • If G and H are non-isomorphic, then ICP(G) and ICP(H) are disjoint.
  • If G and H are isomorphic, then it is impossible to tell a random selection from ICP(G) and a random selection from ICP(H) apart.
    • Because ICP(G) = ICP(H)
Interactive Proof System for Graph Non-Isomorphism
• Suppose we have G0=([n],E0) and G1=([n],E1).
• V randomly selects C = G0 or G1, and a permutation p. V sends p(C) to P.
• P determines whether p(C) is an isomorphic copy of G0 or G1, and sends that back to V.
• If V receives the same graph as it chose, it accepts P’s proof that G0 and G1 are non-isomorphic, otherwise it rejects.
• V has demonstrated the ability to tell the difference between elements of ICP(G0) and ICP(G1).
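The non-isomorphism protocol above as a runnable sketch. This is an added example, not code from the original slides; the function names and the 4-vertex sample graphs are constructed for illustration, and the unbounded prover is modelled by a brute-force search over all permutations.

```python
import itertools
import random

def permute(edges, perm):
    """Apply a vertex relabelling to an edge set; edges are unordered pairs."""
    return frozenset(frozenset((perm[u], perm[v])) for u, v in edges)

def isomorphic(n, a, b):
    # Brute force over all n! permutations: affordable only for the
    # computationally unbounded prover P, never for the verifier V.
    target = permute(b, range(n))
    return any(permute(a, p) == target for p in itertools.permutations(range(n)))

def verifier_challenge(n, graphs, rng):
    """V picks C = G0 or G1 and a random permutation p, and sends p(C)."""
    bit = rng.randrange(2)
    perm = list(range(n))
    rng.shuffle(perm)
    return bit, permute(graphs[bit], perm)

def prover_answer(n, graphs, challenge):
    """P names the graph the challenge is an isomorphic copy of."""
    return 0 if isomorphic(n, graphs[0], challenge) else 1

def run_rounds(n, g0, g1, rounds, rng=None):
    """Return how many rounds P answered with the graph V actually chose."""
    rng = rng or random.SystemRandom()
    graphs = (g0, g1)
    hits = 0
    for _ in range(rounds):
        bit, challenge = verifier_challenge(n, graphs, rng)
        hits += prover_answer(n, graphs, challenge) == bit
    return hits

# Constructed 4-vertex sample graphs (simple graphs, no self-loops).
PATH = [(0, 1), (1, 2), (2, 3)]             # path 0-1-2-3
STAR = [(0, 1), (0, 2), (0, 3)]             # star: not isomorphic to PATH
PATH_RELABELLED = [(1, 0), (0, 2), (2, 3)]  # path 1-0-2-3: isomorphic to PATH

if __name__ == "__main__":
    print(run_rounds(4, PATH, STAR, 40))             # P is right every round
    print(run_rounds(4, PATH, PATH_RELABELLED, 40))  # P can only guess
```

When the two graphs are isomorphic, the challenge carries no information about V's choice, so the prover matches it in about half the rounds, and all 40 matching happens with probability 2^-40.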
Zero-Knowledge Proofs
• P is going to prove an assertion to V without giving V any information other than the truth of the assertion.
• In other words, V can simulate a proof of the assertion and get something that is computationally indistinguishable from a proof V actually got from P.
• V does not even learn enough to prove the assertion to another party.
NP is a subset of ZP
• Every language with a classical proof system has a zero-knowledge proof system.
• Consider the graph 3-coloring problem:
  • G=([n],E), we can define C:[n]->{R,G,B} such that if (x,y) is in E, C(x) is different from C(y).
  • A classical proof that a graph has a 3-coloring is such a 3-coloring.
• How can we prove a 3-coloring exists without revealing any information about it?
Zero-Knowledge Proof System for Graph 3-coloring
• G=([n],E).
• P knows that C is a 3-coloring of G.
• V randomly chooses (x,y) in E and sends it to P.
• P sends C(x) and C(y) to V.
• V rejects if C(x) = C(y) and accepts otherwise.
Zero-Knowledge Proof System for Graph 3-coloring
• G=([n],E).
• P knows that C is a 3-coloring of G.
• For each vertex v in [n], P encrypts it with a key K_v, and sends E_Kv(C(v)) to V.
• V randomly chooses (x,y) in E and sends it to P.
• P sends K_x and K_y to V.
• V rejects if D_Kx(E_Kx(C(x))) = D_Ky(E_Ky(C(y))), and accepts otherwise.
Zero-Knowledge Proof System for Graph 3-coloring
• G=([n],E).
• P knows that C is a 3-coloring of G.
• P randomly chooses p, a permutation of {R,G,B}. Clearly p(C) = C’ is also a 3-coloring of G.
• For each vertex v in [n], P encrypts it with a key K_v, and sends E_Kv(C’(v)) to V.
• V randomly chooses (x,y) in E and sends it to P.
• P sends K_x and K_y to V.
• V rejects if D_Kx(E_Kx(C’(x))) = D_Ky(E_Ky(C’(y))), and accepts otherwise.
Zero-Knowledge Proof System for Graph 3-coloring
• Since p(C)=C’ is a proper 3-coloring of G, C’(x) will never equal C’(y) if x and y are adjacent.
• If C is not a proper 3-coloring of G, C’(x) will sometimes equal C’(y) when x and y are adjacent.
• We can repeat this protocol enough times to make the chance of false acceptance or rejection negligible.
• V has learned whether a 3-coloring of G exists, but nothing about it.
• The only information V has received from P is 2 distinct colors.
• V could have generated that information on its own.
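The final 3-coloring protocol (permute, commit, challenge, open) as a runnable sketch. This is an added example, not code from the original slides: it swaps the slides' encryption E_Kv for a SHA-256 hash commitment keyed with a fresh random K_v, and the function names and 5-cycle sample graph are constructed for illustration.

```python
import hashlib
import hmac
import random
import secrets

COLORS = ("R", "G", "B")

def commit(color, key):
    # Hash commitment used in place of the slides' E_Kv(C'(v)).
    return hashlib.sha256(key + color.encode()).digest()

def open_commitment(commitment, key):
    # Plays the role of D_Kv: the colour this key opens, or None.
    for color in COLORS:
        if hmac.compare_digest(commit(color, key), commitment):
            return color
    return None

def prover_commit(coloring):
    # P: fresh permutation p of {R,G,B} and fresh keys every round;
    # reusing either would let V link colours across rounds.
    p = dict(zip(COLORS, random.SystemRandom().sample(COLORS, 3)))
    keys = {v: secrets.token_bytes(32) for v in coloring}
    return {v: commit(p[c], keys[v]) for v, c in coloring.items()}, keys

def verify_round(commitments, edge, keys):
    cx = open_commitment(commitments[edge[0]], keys[0])
    cy = open_commitment(commitments[edge[1]], keys[1])
    return cx is not None and cy is not None and cx != cy

def run_protocol(edges, coloring, rounds):
    rng = random.SystemRandom()
    for _ in range(rounds):
        commitments, keys = prover_commit(coloring)  # P -> V: commitments only
        x, y = rng.choice(edges)                     # V -> P: random edge
        if not verify_round(commitments, (x, y), (keys[x], keys[y])):
            return False                             # P -> V was K_x, K_y
    return True

def soundness_error(num_edges, rounds):
    # A P with at least one clashing edge survives a round w.p. <= 1 - 1/|E|.
    return (1 - 1 / num_edges) ** rounds

# Constructed sample: a 5-cycle, a proper colouring, and one where edge (4,0) clashes.
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0)]
GOOD = {0: "R", 1: "G", 2: "R", 3: "G", 4: "B"}
BAD = {**GOOD, 4: "R"}
```

With 5 edges and 200 rounds, `soundness_error(5, 200)` is about 4e-20, which is the sense in which repetition makes false acceptance negligible.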