ZERO-KNOWLEDGE (INTRO)
ALON ROSEN IDC HERZLIYA
BIU WINTER SCHOOL | February 2019 Zero-knowledge proofs
Prover 푃 Verifier 푉
푃 interacts with 푉 convincing him that a proposition is true
Interaction reveals nothing beyond validity of the proposition
If proposition is true, any 푉∗ might as well have generated (simulated) the interaction on his own
Avoids the question “what is knowledge?” altogether! Example: color non-blindness
I can distinguish the balls
Did I swap? Example: color non-blindness
He swapped… Example: color non-blindness
Damn…
You Swapped!
• 푉’s “view”: a random bit that equals his “swap or not” bit • 푉 could simulate view by picking random bit on his own! What is zero-knowledge good for?
Can prove that I know a secret without having to reveal it
Identification: 1. Alice publishes 푦 = 푓(푥) 2. Alice proves to Bob in ZK that she knows 푥′ ∈ 푓−1(푦)
Protocol design: 1. Design against parties that follow instructions 2. Use ZK proof to force honest behavior
“trusted party” → protocol Why zero-knowledge?
Remarkable definitional framework: • At the heart of protocol design and analysis • Brings to light key concepts and issues
Right level of abstraction: • Simple enough to be studied/realized • Feasibility/limitations delineate what is attainable
ZK is just a means to an end
• Weaker definitions are also useful (WI/WH/NIZK) • Tension between modularity and efficiency Proof Systems What is a proof?
A method for establishing truth: 1. legal 2. authoritative 3. scientific 4. philosophical 5. mathematical 휋 Axioms → → ⋯ → Propositions
6. probabilistic, interactive Proof Systems
Want to prove: 푥 ∈ 퐿 for some language 퐿 ⊆ Σ∗ 휋 V
퐿 = 푥 | ∃휋, 푉(푥, 휋) = ACCEPT
Definition: A proof system for membership in 퐿 is an algorithm 푉 such that ∀푥: Completeness: If 푥 ∈ 퐿, then ∃휋, V(푥, 휋) = ACCEPT Soundness: If 푥 ∉ 퐿, then ∀휋, V(푥, 휋) = REJECT NP Proof Systems
efficient verification ⟺ poly-time verification
Definition: An NP proof system for membership in L is an algorithm 푉 such that ∀푥: Completeness: If 푥 ∈ 퐿, then ∃휋, V(푥, 휋) = ACCEPT Soundness: If 푥 ∉ 퐿, then ∀휋, V(푥, 휋) = REJECT Efficiency: V(푥, 휋) halts after at most 푝표푙푦(|푥|) steps
• 푉′s running time is measured in terms of 푥 , the length of 푥 • poly 푥 = 푥 푐 for some constant 푐 • Necessarily, 휋 = 푝표푙푦 푥 Example I: Boolean Satisfiability
푆퐴푇 = 휙|휙 is a satisfiable Boolean formula
푛 푆퐴푇 = 휙 푤1, … , 푤푛 | ∃푤 ∈ 0,1 , 휙 푤 = 1
휋 = 푤 ? 휙 ∈ 푆퐴푇: V 휙 푤 = 1
Complete: every 퐿 ∈ 푁푃 reduces to 푆퐴푇 Unstructured: 푒푥푝(푂(푛)) time (worst case). Example II: Linear Equations
퐿퐼푁 = 퐴, 푏 |퐴푤 = 푏 ℎ푎푠 푎 푠표푙푢푡𝑖표푛 표푣푒푟 픽
휋 = 푤 ? 퐴, 푏 ∈ 퐿퐼푁: V 퐴푤 = 푏 푒푥푝 푛 many 푤’s
Structured: decidable in time O 푛2.373 = 푝표푙푦(푛) The class P
poly-time ⟺ efficient
Definition: 퐿 ∈ P if there is a poly-time algorithm 퐴 such that 퐿 = 푥 | 퐴(푥) = ACCEPT
푆퐴푇 NP complete NP 퐿퐼푁 P
BPP: 퐴 is probabilistic poly-time (푃푃푇) and errs w.p. ≤ 1/3 Example III: Quadratic Residuosity
푄푅푁 = 푥| 푥 𝑖푠 푎 푞푢푎푑푟푎푡𝑖푐 푟푒푠𝑖푑푢푒 푚표푑 푁
? 휋 = 푤 2 푥 ∈ 푄푅푁 : V 푥 ≡ 푤 푚표푑 푁
∗ Structured: 푄푅푁 is a subgroup of ℤ푁
푁 = 푃푄 푃 = 푄 = 푛 : 푒푥푝 푂෨ 푛1/3 time (avg. case) Summary so far
efficient verification ⟺ poly-time verification
푆퐴푇 NP complete NP
퐿퐼푁 P 푄푅푁 Proving non-membership?
퐴, 푏 ∉ 퐿퐼푁? decidable in time poly(푛)
? 푤1, … , 푤2푛 휙 ∉ 푆퐴푇: V ∀𝑖, 휙 푤푖 = 0
푤1, … , 푤φ(푁) ? ∀𝑖, 푥 ≢ 푤2 푚표푑 푁 푥 ∉ 푄푅푁 : V 푖
Naïve proof is exponentially large
[GMR’85]: allow proof to use • Randomness (tolerate “error”) • Interaction (add a “prover”) Interactive Proofs Interactive proof for 푄푅푁 [GMR’85]
P 푥 ∉ 푄푅푁 V 푧 = 푦2 푏 = 0 푏 ∈푅 0,1 ∗ 푧 = 푥푦2 푏 = 1 푦 ∈푅 ℤ푁
푏′ 푧 = 0 푧 ∈ 푄푅 ? 푁 푏′ = 푏 푏′ 푧 = 1 푧 ∉ 푄푅푁
2 2 Completeness: 푥 ∉ 푄푅푁 → 푦 ∈ 푄푅푁 and 푥푦 ∉ 푄푅푁
2 2 Soundness: 푥 ∈ 푄푅푁 → 푦 ∈ 푄푅푁 and 푥푦 ∈ 푄푅푁
∗ ∗ ∀푃 , 푃푟푏 푃 푧 = 푏 = 1/2 Interactive Proof
P 푥 ∈ 퐿 V 푝표푙푦( 푥 ) 푚1 푟 ∈푅 0,1
푚2 ⋮
푚푘 ACCEPT/REJECT
푉 is probabilistic polynomial time (푃푃푇) For any common input 푥, let:
푃푟 푃, 푉 accepts 푥 ≜ 푃푟푟 푃, 푉 푥, 푟 = ACCEPT Interactive Proof Systems
Definition [GMR’85]: An interactive proof system for 퐿 is a 푃푃푇 algorithm 푉 and a function 푃 such that ∀푥: Completeness: If 푥 ∈ 퐿, then 푃푟 푃, 푉 accepts 푥 ≥ 2/3 Soundness: If 푥 ∉ 퐿, then ∀푃∗, 푃푟 푃∗, 푉 accepts 푥 ≤ 1/3
• Completeness and soundness can be bounded by any 푐: ℕ → [0,1] and 푠: ℕ → [0,1] as long as
• 푐 푥 ≥ 1/2 + 1/푝표푙푦( 푥 ) • 푠 푥 ≤ 1/2 − 1/푝표푙푦( 푥 ) • 푝표푙푦( 푥 ) independent repetitions → 푐 푥 − 푠 푥 ≥ 1 − 2−푝표푙푦 푥 • NP is a special case (푐 푥 = 1 and 푠 푥 = 0) • BPP is a special case (no interaction) The Power of IP
Proposition: 푄푅푁 ∈ IP
• NP proof for 푄푅푁 not self-evident • This suggests that maybe NP ⊂ IP • Turns out that 푆퐴푇 ∈ IP (in fact #푆퐴푇)
Theorem [LFKN’90]: 푃#P ⊆ IP
Theorem [Shamir’90]: IP = PSPACE The power of IP
IP = PSPACE [S’90] #푆퐴푇 [LFKN’90]
푆퐴푇 푆퐴푇 NPc coNPc
NP coNP P
퐿퐼푁 푄푅푁 Zero-Knowledge A Proof that (presumably) Does Leak Info
푄푅푁 = 푥| 푥 𝑖푠 푎 푞푢푎푑푟푎푡𝑖푐 푟푒푠𝑖푑푢푒 푚표푑 푁
? 휋 = 푤 2 푥 ∈ 푄푅푁 : V 푥 ≡ 푤 푚표푑 푁
• Generating 휋 - 푒푥푝(푂෨ 푛1/3 time • Verifying - O 푛2 time
푉 “got something for free” from seeing 휋 푉 may have not been able to find 푤 on his own! Defining that “no knowledge leaked”
Some attempts: • 푉 didn’t learn 푤 (sometimes good enough!) • 푉 didn’t learn any symbol of 푤 • 푉 didn’t learn any information about 푤 • 푉 didn’t learn any information at all (beyond 푥 ∈ 퐿)
When would we say that 푉 did learn something? If following the interaction 푉 could compute something he could have not computed without it!
Zero-knowledge: whatever is computed following interaction could have been computed without it Zero-Knowledge (at last)
푉’s view = 푉’s random coins and messages it receives
∀푥 ∈ 퐿, 푉’s view can be efficiently “simulated”
What does this mean? Philosophically: 푉 is given the information that 푥 ∈ 퐿 Modulo this, 푉 might as well have talked to himself
Technically: 푉 view ≅ 푉 simulation Whatever 푉 could compute following the interaction, he could have computed even without talking to 푃, by running the simulator on his own 푉 might as well talk to himself
P 푥 ∈ 퐿 V 푝표푙푦( 푥 ) 푚1 푟 ∈푅Bah.0 Forget,1 it. I will just simulate. 푚2 ⋮
푚푘
푉 푥, 푟, 푚1, … , 푚푘 ↓ 푉 sim(푥) Honest Verifier Zero-Knowledge
푉’s view distribution can be simulated in poly-time • We will allow simulator 푆 to be probabilistic (푃푃푇) • Efficient ⟺ Probabilistic poly-time (BPP instead of P)
Definition [GMR’85]: An interactive proof 푃, 푉 for 퐿 is (honest-verifier) zero-knowledge if ∃푃푃푇 푆 ∀푥 ∈ 퐿
푆 푥 ≅ 푃, 푉 푥
• We use 푃, 푉 푥 to denote 푉’s view • Usually 푃, 푉 푥 = 푉 view denotes 푉’s output • Simulator for 푉’s view implies simulator for 푉’s output Sanity check
? 휋 = 푤 2 푥 ∈ 푄푅푁 : V 푥 ≡ 푤 푚표푑 푁
2 • ∀푥 ∈ 푄푅푁, 푆 푥 ≡ 푥 푚표푑 푁 2 • ∀푥 ∉ 푄푅푁, 푆 푥 ≢ 푥 푚표푑 푁 2 • 푄푅푁 ∉ 퐵푃푃 → 푆 푥 ≢ 푥 푚표푑 푁 for some 푥 ∈ 푄푅푁
푃, 푉 for 퐿 is not (honest-verifier) zero-knowledge if ∀ 푃푃푇 푆 ∃푥 ∈ 퐿 so that 푆 푥 ≇ 푃, 푉 푥 A Zero-Knowledge proof for 푄푅푁
2 푥 = 푤 푚표푑 푁 P 푥 ∈ 푄푅푁 V
∗ 2 푟 ∈푅 ℤ푁 푦 = 푟
푏 푏 ∈푅 0,1 ? 푏 = 0: 푧 = 푟 푧2 = 푦 ? 푏 = 1: 푧 = 푤푟 푧2 = 푥푦
• 푃 is randomized and has auxiliary input 푤 • Distribution of V’s “view” 푃 푤 , 푉 푥 : uniformly random 푦, 푏, 푧 such that 푧2 = 푥푏푦 A Zero-Knowledge proof for 푄푅푁
Claim: 푃, 푉 is an interactive proof for 푄푅푁
* P V Soundness: 푦 = 푟2 푥 ∈ 푄푅푁 ↕ 푏 ∃푦, 푦 ∈ 푄푅푁 and 푥푦 ∈ 푄푅푁
2 If 푃푟 푃∗,푉 accepts 푥 > 1/2 푏 = 0: 푧0 = 푟 푧0 = 푦 푏 2 2 2 then both 푧0 = 푦 and 푧1 = 푥푦 푏 = 1: 푧1 = 푤푟 푧1 = 푥푦 Simulating 푉’s view
P V Simulator 푆 푥
∗ 푦 1. Sample 푧 ∈푅 ℤ푁 2. Sample 푏 ∈푅 0,1 2 푏 푏 3. Set 푦 = 푧 /푥 4. Output 푦, 푏, 푧 푧
random 푦,푏, 푧 such that 푧2 = 푥푏푦 ≅ random 푦,푏, 푧 such that 푧2 = 푥푏푦
Proposition: 푄푅푁 ∈ HVZK Simulating malicious 푉 ∗ ’s view
* P V Simulator 푆 푥 ∗ 1. Sample 푧 ∈푅 ℤ푁 푦 ∗ 2. Sample 푏 ∈푅 ℤ푁 3. Set 푦 = 푧2/푥푏 ∗ 푏 = 푉∗ 푦 4. If 푉 푦 = 푏 output 푦, 푏, 푧 5. Otherwise repeat 푧 푥 ∈ 푄푅푁 ↓ 피 #repetitions = 2
random 푦,푏, 푧 such that random 푦,푏, 푧 such that ≅ 푧2 = 푥푏푦 and 푏 = 푉∗ 푦 푧2 = 푥푏푦 and 푏 = 푉∗ 푦 Perfect Zero-Knowledge
Definition: An interactive proof system 푃, 푉 for 퐿 is perfect zero-knowledge if ∀푃푃푇 푉∗ ∃푃푃푇 푆 ∀푥 ∈ 퐿 푆 푥 ≅ 푃, 푉∗ 푥
Proposition: 푄푅푁 ∈ PZK
• Actually showed “black-box” ZK: ∃푃푃푇 푆 ∀푃푃푇 푉∗ ∀푥 ∈ 퐿 ∗ 푆푉 푥 ≅ 푃, 푉∗ 푥
• We allowed 푆 to run in expected polynomial time • Can we build 푆 with strict polynomial running time? Amplifying soundness P V* ∗ 푆푉 푥 keeps state of partial view
Repeat sequentially 푘 = 푝표푙푦 푥 times 피 time 푆 = 2 time 푉∗ ⋮ ACCEPT iff all repetitions are accepting
−푝표푙푦 푥 Proposition: 푄푅푁 ∈ PZK w/ soundness error 2 Parallel repetition V* ⋯
∗ 피 time 푆푉 = 2푘 time 푉∗
Later: • Black-box impossibility • 푉∗ whose view cannot be efficiently simulated Auxiliary input and Composition IP for 푄푅푁 is not ZK
P 푥 ∉ 푄푅푁 V Not ZK wrt “auxiliary input”
푧 = 푦2 푏 = 0 푉∗ 푧 : use 푃 to decide if 푧 = 푥푦2 푏 = 1 푧 ∈ 푄푅푁
∗ 푏′ = 0 푧 ∈ 푄푅푁 푧 is 푉 ‘s auxiliary input
푏′ = 1 푧 ∉ 푄푅푁
Proposition: 푄푅푁 ∈ HVZK
Claim: 푃, 푉 is not 푍퐾 (wrt auxiliary input) ZK wrt auxiliary input
Definition: An interactive proof 푃, 푉 for 퐿 is (perfect) ZK wrt auxiliary input if ∀푃푃푇 푉∗ ∃푃푃푇 푆 ∀푥 ∈ 퐿 ∀푧 푆 푥, 푧 ≅ 푃, 푉∗ 푧 푥
• 푧 captures “context” in which protocol is executed • Other protocol executions (“environment”) • A-priori information (in particular about 푤) • Simulator is also given the auxiliary input 푧 • Simulator runs in time 푝표푙푦 푥 • Auxiliary input 푧 is essential for composition Sequential composition of ZK P * ∗ V 푃 푉1
Compose sequentially 푃 푉∗ 푘 = 푝표푙푦 푥 times 2
⋮ ∗ 푃 푉푘
∗ simulating view of each of 푉푖’s → simulating view of 푉 Sequential composition of ZK
Theorem: ZK is closed under sequential composition * P V(x,z) ∗ 푉1 푥, 푧 푉∗ 푆 1 푥,푧 = 풛ퟏ 푉∗ 푥, 푧, 풛 푉∗ 2 ퟏ 푆 2 푥, 푧, 풛ퟏ = 풛ퟐ ⋮ 푉∗ 푥, 푧, 풛 ,… , 풛 푉∗ 푘 ퟏ 풌−ퟏ 푆 푘 푥, 푧, 풛ퟏ,… , 풛풌−ퟏ = 풛풌 푉∗ 푆 푥, 푧 = 풛ퟏ, … , 풛풌
∗ ∀𝑖, 풛풊 ≅ 푃, 푉푖 푧, 풛ퟏ, … , 풛풊−ퟏ 푥 Summary
Defined: • NP, P, BPP, IP = PSPACE • PZK, HVZK Saw:
• 퐿퐼푁, 푄푅푁, 푆퐴푇 ∈ NP
• 푄푅푁 ∈ HVZK
• 푄푅푁 ∈ PZK
• 푄푅푁 ∈ HVZK • auxiliary input for ZK protocols • sequential composition of ZK protocols Food for Thought What if P=NP?
• If P = NP then all 퐿 ∈ NP can be proved in PZK • 푃 sends nothing to 푉, who decides 푥 ∈ 퐿 on his own • But what about ZK within P? • For instance against quadratic time verifiers?
Exercise: Suppose 휔 > 2. Construct an interactive proof for 퐿퐼푁 that is PZK for quadratic time verifiers
• An issue: composition. What about say 푛 executions? • In contrast, 푝표푙푦(푛) is closed under composition History
Shafi Goldwasser Silvio Micali Charlie Rackoff The End
Definition: An interactive proof system for 퐿 is a 푃푃푇 algorithm 푉 and a function 푃 such that ∀푥: Completeness: If 푥 ∈ 퐿, then 푃푟 푃, 푉 accepts 푥 ≥ 2/3 Soundness: If 푥 ∉ 퐿, then ∀푃∗, 푃푟 푃∗, 푉 accepts 푥 ≤ 1/3
Definition: 푃, 푉 for 퐿 is (perfect) ZK wrt auxiliary input if ∀푃푃푇 푉∗ ∃푃푃푇 푆 ∀푥 ∈ 퐿 ∀푧 푆 푥, 푧 ≅ 푃 푤 , 푉∗ 푧 푥