CS 127/CSCI E-127: Introduction to Cryptography

Prof. Salil Vadhan Fall 2013

Lecture Notes 20:

Zero-Knowledge Proofs

Reading.

• Katz-Lindell Ÿ14.6.0-14.6.4,14.7

1 Interactive Proofs

Motivation: how can parties in cryptographic protocols convince each other of facts (e.g. this encrypted bank statement shows that I have a balance of at least $10,000) without revealing secret information (e.g. the decryption key)?

1.1 Classical Proofs

Denition 1 An NP proof system for membership in a language L is an algorithm V such that

1. (Completeness) If x ∈ L, then there exists proof s.t. V (x, proof ) = accept.

2. (Soundness) If x∈ / L, then for all proof ∗, V (x, proof ∗) = reject.

3. (Eciency) V (x, proof ) runs in time poly(kxk).

• NP proofs inherently provide more knowledge than x ∈ L.

1.2 Interactive Proofs

• Two new ingredients: interaction and randomization. Instead of having the proof be a static object, we have a dynamic prover who interacts with the verier. The verier V is probabilistic and is allowed to make a small error probability.

• Interactive (2-party) protocol: A pair of algorithms (A, B) taking input, history, and coin tosses to next message, e.g. m1 = A(x; rA), m2 = B(x, m1; rB), m3 = A(x, m1, m2; rA), ...

Denition 2 An interactive proof for a language L is an interactive protocol (P,V ) such that 1. (Completeness) If x ∈ L, then V accepts in (P,V )(x, 1n) with probability at least 2/3.

2. (Soundness) If x∈ / L, then for all P ∗, V accepts in (P ∗,V )(x, 1n) with probability at most 1/3.

3. (Eciency) The total computation time of V and total communication in (P,V )(x, 1n) is at most poly(|x|, n).

• Eciency of honest prover P

1  Complexity theory: allow P to be computationally unbounded, and study the power of interactive proofs (IP) as compared to classical proofs (NP).  Cryptography: restrict to L ∈ NP, require P to be polynomial time given an NP proof w, and hope for additional properties not possible with NP proofs (namely, zero knowledge)

• Error probabilities can be made exponentially small in n by repetition as usual.

1.3 Quadratic Residuosity . • L = {(N, x): x ∈ QRN } How can we prove that without revealing a square root of ? • x ∈ QRN x • Idea: cut and choose  x ∈ QRN ⇔ ∃y y ∈ QRN ∧ xy ∈ QRN  Prover `cuts' by choosing random y, verier `chooses' which of the two statements should be proven.

Proof system for Quadratic Residuosity, on common input (N, x) and security param- eter 1n:

1. P : Let q be such that x = q2 mod N. (This is the NP proof w.)

2. : Choose R ∗ . P r ← ZN Send y = r2 mod N.

R 3. V : Choose and send b ← {0, 1}.

4. P : If b = 0, let s = r. If b = 1, let s = qr mod N. Send s to V .

5. V : If b = 0, accept if s2 ≡ y (mod N). If b = 1, accept if s2 ≡ xy (mod N).

Proposition 3 Above is an interactive proof for Quadratic Residuosity.

Proof:

2 2 Zero-Knowledge Proofs

• Intuitively, verier learns nothing in QR protocol: all verier sees is s, a random string in ∗ and either 2 or 2 . Zn y = s y = s /x • Simulation paradigm: verier learns nothing if it can generate everything it sees on its own, without interacting with prover.

Denition 4 (P,V ) is zero knowledge if for every PPT V ∗, there is a PPT S such that S(x, 1n) ∗ is computationally indistinguishable from (P (w),V ) n whenever and is a valid ViewV ∗ (x, 1 ) x ∈ L w ∗ proof for . Here (P (w),V ) n denotes ∗'s view of the interaction  all of the NP x ∈ L ViewV ∗ (x, 1 ) V ∗ messages exchanged and V 's coin tosses rV ∗ . Formally, for every PPT D, the probability that D wins in the following indistinguishability game is at most 1/2 + neg(n):

Theorem 5 Above proof system for Quadratic Residuosity is (perfect) zero knowledge.

Proof: We begin with a simulator for the honest verier strategy V . S(N, x, 1n): 1. Choose R ∗ . s ← ZN

R 2. Choose b ← {0, 1}. 3. If b = 0, let y = s2 mod N. If b = 1, let y = s2 · x−1 mod N.

4. Output (y, b, s; rV = b). How can we modify the simulator to handle a malicious verier strategy V ∗?

The proof system for Quadratic Residuosity is a special case of a Σ-protocol (see KL Ch. 14), where the challenge is 1-bit long. In KL it is shown that Σ-protocols are honest-verier zero knowledge (i.e. zero knowledge for veriers that follow the specied protocol). However, as above, they can shown to be zero knowledge even for malicious veriers when the challenge is short (namely, O(log n) bits).

3 Zero Knowledge for NP

Theorem 6 Every language in NP has a zero-knowledge proof.

⇒ can prove anything in zero knowledge, provided you have a short, eciently veriable wit- ness, e.g. • that c is an encryption of m with respect to pk.

• that the decryption of ci is the largest number among the decryptions of c1, . . . , cn. • that Fermat's Last Theorem has a proof of at most 200 pages.

3 An NP-complete problem: Graph 3-Coloring. • An (undirected) graph G = (W, E) is 3-colorable if there is a function C : W → {R,Y,B} such that for all (u, v) ∈ E, C(u) 6= C(v). • 3COL = {G : G is 3-colorable}. • For every L ∈ NP, there is a poly-time f such that x ∈ L ⇔ f(x) ∈ 3COL. • Moreover, given any NP proof system for L, we can choose f such that valid NP proofs for x ∈ L can be mapped in poly-time to valid 3-colorings of f(x).

Cut and Choose:   3COL V . • G ∈ ⇔ ∃C (u,v)∈E C(u) 6= C(v) • If we randomly permute the 3 colors, each pair (C(u),C(v)) for u 6= v reveals no information. • Have prover `commit' to randomized coloring C, verier pick a random edge.

Physical Zero-Knowledge Proof: See video.

Denition 7 A commitment scheme over message space S consists of a PPT key gener- M = n Mn n ation algorithm Gen(1 ) = k and a deterministic polynomial-time commitment algorithm Comk(m) (for m ∈ Mn) satisfying: R n • (Hiding) Infeasible to learn anything about m from ComK (m) for K ← {0, 1} . Formalized analogously to indistinguishable encryptions.

0 0 • (Binding) There do not exist m 6= m and k, k such that Comk(m) = Comk0 (m).

Zero-Knowledge Proof for Graph 3-Coloring

Common input: A graph G = (W, E) and a security parameter 1n. Prover's input: A valid 3-coloring C : W → {R,Y,B} (in case G ∈ 3COL)

1. P : Choose a permutation π : {R,Y,B} → {R,Y,B} uniformly at random, and set C0 = π ◦C. For every vertex , choose R n and send 0 to . w ∈ W kw ← {0, 1} zw = Comkw (C (w)) V

R 2. V : Choose an edge (u, v) ← E, and send (u, v) to P .

0 0 3. P : Check that (u, v) ∈ E, and if so send C (u), C (v), ku, kv to V . 4. : Accept if 0 0 , 0 and 0 . V C (u) 6= C (v) zu = Comku (C (u), ku) zv = Comkv (C (v))

Theorem 8 Above is a zero-knowledge proof for Graph 3-Coloring.

Proof:

• Perfect completeness. • Soundness error 1 − 1/|E|. Reduce by repetition.

4 Simulator SV ∗ , on input G = (W, E) and security parameter 1n:

R 1. Select (u, v) ← E.

2. Dene a coloring C0 by setting (C0(u),C0(v)) to be two random distinct colors in {R,Y,B}, and setting C0(w) = R for all other vertices w.

3. For every , choose R n, and set 0 . w ∈ W kw ← {0, 1} zw = Comkw (C (w))

∗ ∗ ∗ ∗ 4. Select random coin tosses rV ∗ for V , and let (u , v ) = V (G, {zw}w∈W ; rV ∗ ).

∗ ∗ 0 0 5. If (u , v ) 6= (u, v), output fail. Otherwise, output ({zw}w∈W , (u, v), (ku, kv,C (u),C (v)); rV ∗ ).

Claim 9 For every PPT V ∗ and G ∈ 3COL, we have

1. SV ∗ (G, 1n) succeeds with probability at least 1/|E| − neg(n), and

2. The output distribution of SV ∗ (G, 1n), conditioned on success, is computationally indistin- ∗ guishable from (P (C),V ) n . ViewV ∗ (G, 1 )

Repeat n · |E| times to eliminate failure.

Corollary 10 Every language in NP has a zero-knowledge proof.

5