On the Existence of 3-Round Zero-Knowledge Proofs Matthew Lepinski
On the Existence of 3-Round Zero-Knowledge Proofs

by Matthew Lepinski

Submitted to the Department of Electrical Engineering and Computer Science in partial fulfillment of the requirements for the degree of Master of Science in Computer Science and Engineering at the Massachusetts Institute of Technology, June 2002.

© Massachusetts Institute of Technology 2002. All rights reserved.

Author: Department of Electrical Engineering and Computer Science, November 2, 2001
Certified by: Silvio Micali, Professor, Thesis Supervisor
Accepted by: Arthur C. Smith, Chairman, Department Committee on Graduate Students

Submitted to the Department of Electrical Engineering and Computer Science on November 2, 2001, in partial fulfillment of the requirements for the degree of Master of Science in Computer Science and Engineering.

Abstract

Goldreich and Krawczyk proved that there do not exist 3-round black-box zero-knowledge proofs or arguments for languages outside BPP. In 1998, Hada and Tanaka used non-standard assumptions to provide a 3-round zero-knowledge argument for every language in NP which was not black-box zero-knowledge. We present a non-black-box simulatable 3-round zero-knowledge proof system for NP, which is secure even when the prover has unbounded computational resources. However, we require a non-standard assumption (similar to those used by Hada and Tanaka) in order to prove our protocol is zero-knowledge. Additionally, we provide a proof of knowledge framework in which to view this type of non-standard assumption.

In this thesis, I designed and implemented a compiler which performs optimizations that reduce the number of low-level floating point operations necessary for a specific task; this involves the optimization of chains of floating point operations as well as the implementation of a "fixed" point data type that allows some floating point operations to be simulated with integer arithmetic. The source language of the compiler is a subset of C, and the destination language is assembly language for a micro-floating point CPU. An instruction-level simulator of the CPU was written to allow testing of the code. A series of test pieces of code was compiled, both with and without optimization, to determine how effective these optimizations were.

Thesis Supervisor: Silvio Micali
Title: Professor

Acknowledgments

I would like to thank my adviser, Silvio Micali, for all of his assistance in producing this work. This material is based upon work supported under a National Science Foundation Graduate Research Fellowship.

Contents

1 Introduction 9
2 Notation 11
3 Background 13
3.1 Zero-Knowledge Proofs 13
3.2 Round Minimization in Zero-Knowledge Protocols 15
3.3 The Protocol of Hada and Tanaka 16
3.4 Blum's Zero-Knowledge Proof for Hamiltonian Cycle 18
3.5 The Goldreich-Levin Theorem 20
4 Our Assumptions 21
4.1 Proofs of Knowledge 22
4.2 Our Proof of Knowledge Assumption 24
5 Our Protocol 27
5.1 The Actual Protocol 27
5.2 Proof of Soundness 29
5.3 Proof of Zero-Knowledgeness 30
6 Conclusion 41
Bibliography 43

Chapter 1 Introduction

A zero-knowledge proof system is a protocol which allows a prover to convince a verifier that a statement is true without providing the verifier with any additional information about the statement being proved.
Zero-knowledge proofs have seen much application in the design of cryptographic protocols. This is due in large part to the result by Goldreich, Micali and Wigderson [16] that there exists a zero-knowledge proof system for any language in NP. Additionally, work has been done to determine the minimum number of messages which must be exchanged in order to complete a zero-knowledge proof ([10], [13], [12]). Of particular interest to us is a paper by Hada and Tanaka which provides a three round (three message) protocol for any language in NP which is proven to be zero-knowledge given a set of strong assumptions. This is significant because it is known that no two round zero-knowledge protocol exists for any language outside BPP [13].

We present a three round zero-knowledge proof system for any language in NP which is an improvement over the Hada-Tanaka protocol in two important ways. First, our protocol is secure even if the prover has unbounded resources.¹ Second, we assume the hardness of the discrete logarithm problem for a randomly chosen prime and generator instead of assuming the discrete logarithm problem is hard for every prime number of a certain form.² Like the Hada-Tanaka paper, we rely on a non-standard assumption which seems to be quite strong.

In Chapter 2 we provide a summary of the notation that we use in this paper. In Chapter 3 we provide definitions and background from related work. In Chapter 4 we provide the assumptions which we need to prove our protocol correct. In Chapter 5 we provide our protocol and a proof that it is correct.

¹ The Hada-Tanaka protocol is a zero-knowledge argument and not a zero-knowledge proof system, since it is secure only if the prover is polynomially bounded.

² All of our hardness assumptions are with respect to a randomly chosen prime and generator. The Hada-Tanaka paper assumes that the discrete logarithm problem and the Diffie-Hellman problem are hard for every generator and for every prime which is one more than twice a prime.

Chapter 2 Notation

Point of Notation 1. Let X and Y be distributions and let P(·, ·) be a predicate. Then by $\Pr[x \leftarrow X;\ y \leftarrow Y : P(x, y)]$ we mean the probability that P(x, y) is true when x is drawn randomly from distribution X and y is drawn randomly from distribution Y. For any set S, let $x \leftarrow S$ denote that x is drawn from the uniform distribution over S. Similarly, for any randomized algorithm A, let $x \leftarrow A(y)$ denote that x is drawn from the distribution induced by a random execution of algorithm A on input y.

Point of Notation 2. When X and Y are distributions, $[X, Y]$ denotes the distribution which produces pairs (x, y) where x is drawn from X and y is drawn from Y.

Point of Notation 3. When X and Y are distributions and A is a randomized algorithm, $[x \leftarrow X,\ y \leftarrow Y,\ A(x, y)]$ denotes the distribution which produces triples (x, y, a) where x is drawn from X, y is drawn from Y and a is drawn from the distribution induced by a random execution of A on inputs x and y.

Point of Notation 4. We denote the result of the interaction between A and B on common input x by the random variable $[A(x) \leftrightarrow B(x)] \in \{\mathrm{accept}, \mathrm{reject}\}$.

Point of Notation 5. Let $x, y \in \{0, 1\}^n$. Then by $\langle x, y \rangle$ we mean the inner product of x and y in the vector space $\mathbb{Z}_2^n$. That is, $\langle x, y \rangle = \sum_i x_i y_i \bmod 2$, where $x_i$ is the ith bit of x.

Chapter 3 Background

3.1 Zero-Knowledge Proofs

In their paper "The Knowledge Complexity of Interactive Proofs", Goldwasser, Micali and Rackoff [18] introduced the concept of a zero-knowledge proof system. Informally, a zero-knowledge proof system for a language L is an interactive protocol by which a prover can convince a verifier V that a common input x is in L without providing V with any additional information.
Definition 1 (Zero-Knowledge Proof System). A zero-knowledge proof system for a language L is a protocol for a prover P and a verifier V that satisfies the following three properties.¹

1. Completeness: For all $x \in L$, $\Pr[[P(x) \leftrightarrow V(x)] = \mathrm{accept}] = 1$.

2. Soundness: For all circuit families P', for all c and for all sufficiently long strings $x \notin L$, $\Pr[[P'(x) \leftrightarrow V(x)] = \mathrm{accept}] < 1/|x|^c$.

3. Zero-Knowledgeness: For all polynomial size circuit families V', there exists a polynomial size circuit family $S_{V'}$ such that the probability ensembles $\{S_{V'}\}_{x \in L}$ and $\{\mathrm{VIEW}([P(x) \leftrightarrow V'(x)])\}_{x \in L}$ are computationally indistinguishable, where $\mathrm{VIEW}([P(x) \leftrightarrow V'(x)])$ denotes the distribution over the random input of V' and the messages sent by P in a random interaction of P and V' with common input x.

¹ As done in [19], we present a non-uniform formulation of zero-knowledge in terms of circuit families. Hada and Tanaka claim that non-uniform zero-knowledge is strictly weaker than the original GMR definition of zero-knowledge, since one can construct protocols for which non-uniform simulators exist but uniform simulators do not. However, it is not clear whether one could construct protocols in which a non-uniform cheating verifier could extract knowledge but a uniform cheating verifier could not. A protocol of this type would satisfy the GMR definition of zero-knowledge, but not the non-uniform definition of zero-knowledge.

Property 3 above formalizes the notion that V' learns nothing from interacting with P besides the fact that $x \in L$. So if V' already knew that $x \in L$, V' could run $S_{V'}$ and obtain a view which is indistinguishable from the view he would receive if he were to interact with the true prover. Thus, V' has no reason to interact with P other than to learn that $x \in L$.
One can also consider a modification to Property 3 in which instead of allowing a separate simulator for each cheating verifier, V', it is required that there exist a single simulator, S, which, when given black-box access to V', produces views which are indistinguishable from the views V' would receive when interacting with the true prover.
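To make Definition 1 and the black-box simulator concrete, here is an added toy implementation (not code from the thesis) of the three-round Blum Hamiltonian-cycle protocol listed in Section 3.4: an honest prover, the verifier's checks, and a simulator $S_{V'}$ that knows no cycle and instead guesses the challenge bit, rewinding the black-box verifier on a wrong guess. The hash-based bit commitment, the graph, and the function names are constructed assumptions for this illustration.

```python
import hashlib, os, random

def commit(bit):  # constructed hash commitment (assumption): c = H(r || bit), opening = (r, bit)
    r = os.urandom(16)
    return hashlib.sha256(r + bytes([bit])).digest(), (r, bit)
def opens(c, opening):
    return hashlib.sha256(opening[0] + bytes([opening[1]])).digest() == c
def permute(G, pi):  # pi(G): edge (u, v) of G becomes edge (pi[u], pi[v])
    n = len(G); inv = [pi.index(i) for i in range(n)]
    return [[G[inv[i]][inv[j]] for j in range(n)] for i in range(n)]
def cycle_graph(order):  # adjacency matrix whose only edges are the cycle `order`
    n = len(order); A = [[0] * n for _ in range(n)]
    for k in range(n):
        u, v = order[k], order[(k + 1) % n]; A[u][v] = A[v][u] = 1
    return A
def round1(H):  # message 1: a commitment to every entry of the permuted matrix H
    cm = [[commit(H[i][j]) for j in range(len(H))] for i in range(len(H))]
    return [[c for c, _ in r] for r in cm], [[o for _, o in r] for r in cm]
def round3(b, pi, order, ops):  # message 3: open everything (b = 0) or only the cycle (b = 1)
    if b == 0: return pi, ops
    n = len(order)
    return [(order[k], order[(k + 1) % n], ops[order[k]][order[(k + 1) % n]]) for k in range(n)]
def honest_challenge(coms):  # message 2: the honest verifier's random bit
    return random.randint(0, 1)

def prove(G, cycle, verifier=honest_challenge):  # real view: (commitments, b, response)
    pi = random.sample(range(len(G)), len(G))
    coms, ops = round1(permute(G, pi))
    b = verifier(coms)
    return coms, b, round3(b, pi, [pi[v] for v in cycle], ops)

def verify(G, coms, b, resp):
    n = len(G)
    if b == 0:  # the opened matrix must equal pi(G) for the revealed pi
        pi, ops = resp; H = permute(G, pi)
        return all(opens(coms[i][j], ops[i][j]) and ops[i][j][1] == H[i][j] for i in range(n) for j in range(n))
    succ = {}  # the opened entries must all be 1 and form a single Hamiltonian cycle
    for u, v, op in resp:
        if not opens(coms[u][v], op) or op[1] != 1 or u in succ: return False
        succ[u] = v
    x, seen = 0, set()
    for _ in range(n): seen.add(x); x = succ.get(x)
    return len(succ) == n and len(seen) == n and x == 0

def simulate(G, verifier):  # S_V': knows no cycle; guesses b and rewinds V' on a wrong guess
    while True:
        g, n = random.randint(0, 1), len(G)
        pi, order = random.sample(range(n), n), random.sample(range(n), n)
        coms, ops = round1(permute(G, pi) if g == 0 else cycle_graph(order))
        if verifier(coms) == g: return coms, g, round3(g, pi, order, ops)
```

For the honest verifier, every simulated view passes `verify` exactly as a real one does, while a single run gives a cheating prover only a 1/2 chance of answering a challenge it did not anticipate, which is why soundness needs repetition.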