Foundation of Cryptography, Lecture 6 Interactive Proofs and Zero Knowledge

Home , PL (complexity), RL (complexity), SL (complexity)

Iftach Haitner, Tel Aviv University

Tel Aviv University.

April 23, 2014

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 1 / 37 Part I

Interactive Proofs

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 2 / 37 Efficient verifier, efficient prover (given the witness) Soundness holds unconditionally

A proof system

NP as a Non-interactive Proofs

Deﬁnition 1 (NP) L ∈NP iff ∃ and poly-time algorithmV such that: ∀x ∈ L there exists w ∈ {0, 1}∗ s.t. V(x, w) = 1 V(x, w) = 0 for every x ∈/L and w ∈ {0, 1}∗ Only |x| counts for the running time ofV.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 3 / 37 Efficient verifier, efficient prover (given the witness) Soundness holds unconditionally

NP as a Non-interactive Proofs

A proof system

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 3 / 37 Soundness holds unconditionally

NP as a Non-interactive Proofs

A proof system

Efficient verifier, efficient prover (given the witness)

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 3 / 37 NP as a Non-interactive Proofs

A proof system

Efficient verifier, efficient prover (given the witness) Soundness holds unconditionally

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 3 / 37 IP = PSPACE! We typically consider (and achieve) perfect completeness. Negligible “soundness error" achieved via repetition. Sometime we have efﬁcient provers via “auxiliary input". Relaxation: Computationally sound proofs [also known as, interactive arguments]: soundness only guaranteed against efﬁcient( PPT) provers.

Deﬁnition 2 (Interactive proof) A protocol (P, V) is an interactive proof for L, ifV is PPT and: a Completeness ∀x ∈ L, Pr[h(P, V)(x)iV = 1] ≥ 2/3. Soundness ∀x ∈/L , and any algorithmP ∗ ∗ Pr[h(P , V)(x)iV = 1] ≤ 1/3. IP is the class of languages that have interactive proofs.

a h(A(a), B(b))(c)iB denoteB’s view in random execution of (A(a), B(b))(c).

Interactive proofs Protocols between efﬁcient veriﬁer and unbounded provers.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 4 / 37 IP = PSPACE! We typically consider (and achieve) perfect completeness. Negligible “soundness error" achieved via repetition. Sometime we have efﬁcient provers via “auxiliary input". Relaxation: Computationally sound proofs [also known as, interactive arguments]: soundness only guaranteed against efﬁcient( PPT) provers.

Interactive proofs Protocols between efficient verifier and unbounded provers. Definition 2 (Interactive proof) A protocol (P, V) is an interactive proof for L, ifV is PPT and: a Completeness ∀x ∈ L, Pr[h(P, V)(x)iV = 1] ≥ 2/3. Soundness ∀x ∈/L , and any algorithmP ∗ ∗ Pr[h(P , V)(x)iV = 1] ≤ 1/3. IP is the class of languages that have interactive proofs.

a h(A(a), B(b))(c)iB denoteB’s view in random execution of (A(a), B(b))(c).

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 4 / 37 We typically consider (and achieve) perfect completeness. Negligible “soundness error" achieved via repetition. Sometime we have efﬁcient provers via “auxiliary input". Relaxation: Computationally sound proofs [also known as, interactive arguments]: soundness only guaranteed against efﬁcient( PPT) provers.

a h(A(a), B(b))(c)iB denoteB’s view in random execution of (A(a), B(b))(c).

IP = PSPACE!

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 4 / 37 Negligible “soundness error" achieved via repetition. Sometime we have efﬁcient provers via “auxiliary input". Relaxation: Computationally sound proofs [also known as, interactive arguments]: soundness only guaranteed against efﬁcient( PPT) provers.

a h(A(a), B(b))(c)iB denoteB’s view in random execution of (A(a), B(b))(c).

IP = PSPACE! We typically consider (and achieve) perfect completeness.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 4 / 37 Sometime we have efﬁcient provers via “auxiliary input". Relaxation: Computationally sound proofs [also known as, interactive arguments]: soundness only guaranteed against efﬁcient( PPT) provers.

a h(A(a), B(b))(c)iB denoteB’s view in random execution of (A(a), B(b))(c).

IP = PSPACE! We typically consider (and achieve) perfect completeness. Negligible “soundness error" achieved via repetition.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 4 / 37 Relaxation: Computationally sound proofs [also known as, interactive arguments]: soundness only guaranteed against efﬁcient( PPT) provers.

a h(A(a), B(b))(c)iB denoteB’s view in random execution of (A(a), B(b))(c).

IP = PSPACE! We typically consider (and achieve) perfect completeness. Negligible “soundness error" achieved via repetition. Sometime we have efﬁcient provers via “auxiliary input".

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 4 / 37 Interactive proofs Protocols between efficient verifier and unbounded provers. Definition 2 (Interactive proof) A protocol (P, V) is an interactive proof for L, ifV is PPT and: a Completeness ∀x ∈ L, Pr[h(P, V)(x)iV = 1] ≥ 2/3. Soundness ∀x ∈/L , and any algorithmP ∗ ∗ Pr[h(P , V)(x)iV = 1] ≤ 1/3. IP is the class of languages that have interactive proofs.

a h(A(a), B(b))(c)iB denoteB’s view in random execution of (A(a), B(b))(c).

IP = PSPACE! We typically consider (and achieve) perfect completeness. Negligible “soundness error" achieved via repetition. Sometime we have efﬁcient provers via “auxiliary input". Relaxation: Computationally sound proofs [also known as, interactive arguments]: soundness only guaranteed against efﬁcient( PPT) provers. Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 4 / 37 Section 1

Interactive Proof for Graph Non-Isomorphism

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 5 / 37 GI = {(G0, G1): G0 ≡ G1} ∈NP

Does GNI = {(G0, G1): G0 6≡ G1} ∈NP ? We will show a simple interactive proof for GNI Idea: Beer tasting...

Graph isomorphism

Πm – the set of all permutations from [m] to [m] Deﬁnition 3 (graph isomorphism)

GraphsG 0 = ([m], E0) andG 1 = ([m], E1) are isomorphic, denotedG 0 ≡ G1, if ∃π ∈ Πm such that (u, v) ∈ E0 iff (π(u), π(v)) ∈ E1.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 6 / 37 Idea: Beer tasting...

Does GNI = {(G0, G1): G0 6≡ G1} ∈NP ? We will show a simple interactive proof for GNI

Graph isomorphism

Πm – the set of all permutations from [m] to [m] Deﬁnition 3 (graph isomorphism)

GraphsG 0 = ([m], E0) andG 1 = ([m], E1) are isomorphic, denotedG 0 ≡ G1, if ∃π ∈ Πm such that (u, v) ∈ E0 iff (π(u), π(v)) ∈ E1.

GI = {(G0, G1): G0 ≡ G1} ∈NP

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 6 / 37 Idea: Beer tasting...

We will show a simple interactive proof for GNI

Graph isomorphism

Πm – the set of all permutations from [m] to [m] Deﬁnition 3 (graph isomorphism)

GraphsG 0 = ([m], E0) andG 1 = ([m], E1) are isomorphic, denotedG 0 ≡ G1, if ∃π ∈ Πm such that (u, v) ∈ E0 iff (π(u), π(v)) ∈ E1.

GI = {(G0, G1): G0 ≡ G1} ∈NP

Does GNI = {(G0, G1): G0 6≡ G1} ∈NP ?

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 6 / 37 Idea: Beer tasting...

Graph isomorphism

Πm – the set of all permutations from [m] to [m] Deﬁnition 3 (graph isomorphism)

GraphsG 0 = ([m], E0) andG 1 = ([m], E1) are isomorphic, denotedG 0 ≡ G1, if ∃π ∈ Πm such that (u, v) ∈ E0 iff (π(u), π(v)) ∈ E1.

GI = {(G0, G1): G0 ≡ G1} ∈NP

Does GNI = {(G0, G1): G0 6≡ G1} ∈NP ? We will show a simple interactive proof for GNI

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 6 / 37 Idea: Beer tasting...

Graph isomorphism

Πm – the set of all permutations from [m] to [m] Deﬁnition 3 (graph isomorphism)

GraphsG 0 = ([m], E0) andG 1 = ([m], E1) are isomorphic, denotedG 0 ≡ G1, if ∃π ∈ Πm such that (u, v) ∈ E0 iff (π(u), π(v)) ∈ E1.

GI = {(G0, G1): G0 ≡ G1} ∈NP

Does GNI = {(G0, G1): G0 6≡ G1} ∈NP ? We will show a simple interactive proof for GNI

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 6 / 37 Graph isomorphism

Πm – the set of all permutations from [m] to [m] Deﬁnition 3 (graph isomorphism)

GraphsG 0 = ([m], E0) andG 1 = ([m], E1) are isomorphic, denotedG 0 ≡ G1, if ∃π ∈ Πm such that (u, v) ∈ E0 iff (π(u), π(v)) ∈ E1.

GI = {(G0, G1): G0 ≡ G1} ∈NP

Does GNI = {(G0, G1): G0 6≡ G1} ∈NP ? We will show a simple interactive proof for GNI Idea: Beer tasting...

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 6 / 37 Claim 5 The above protocol isIP for GNI, with perfect completeness and soundness 1 error 2 .

Interactive proof for GNI

Protocol 4 ((P, V))

Common input G0 = ([m], E0), G1 = ([m], E1)

a 1 V chooses b ← {0, 1} and π ← Πm, and sends π(Eb) toP. 2 P send b0 toV (tries to set b0 = b).

3 V accepts iff b0 = b.

aπ(E) = {(π(u), π(v):(u, v) ∈ E}.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 7 / 37 Interactive proof for GNI

Protocol 4 ((P, V))

Common input G0 = ([m], E0), G1 = ([m], E1)

a 1 V chooses b ← {0, 1} and π ← Πm, and sends π(Eb) toP. 2 P send b0 toV (tries to set b0 = b).

3 V accepts iff b0 = b.

aπ(E) = {(π(u), π(v):(u, v) ∈ E}.

Claim 5 The above protocol isIP for GNI, with perfect completeness and soundness 1 error 2 .

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 7 / 37 ([m], π(Ei )) is a random element in [Gi ] — the equivalence class ofG i

Hence, 0 1 G0 ≡ G1: Pr[b = b] ≤ 2 . 0 G0 6≡ G1: Pr[b = b] = 1 (i.e.,P can, possibly inefﬁciently, extracted from π(Ei ))

Proving Claim5

Graph isomorphism is an equivalence relation (separates the set of all graph pairs into separate subsets)

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 8 / 37 ([m], π(Ei )) is a random element in [Gi ] — the equivalence class ofG i

Hence, 0 1 G0 ≡ G1: Pr[b = b] ≤ 2 . 0 G0 6≡ G1: Pr[b = b] = 1 (i.e.,P can, possibly inefﬁciently, extracted from π(Ei ))

Proving Claim5

Graph isomorphism is an equivalence relation (separates the set of all graph pairs into separate subsets)

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 8 / 37 Hence, 0 1 G0 ≡ G1: Pr[b = b] ≤ 2 . 0 G0 6≡ G1: Pr[b = b] = 1 (i.e.,P can, possibly inefﬁciently, extracted from π(Ei ))

Proving Claim5

Graph isomorphism is an equivalence relation (separates the set of all graph pairs into separate subsets)

([m], π(Ei )) is a random element in [Gi ] — the equivalence class ofG i

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 8 / 37 Hence, 0 1 G0 ≡ G1: Pr[b = b] ≤ 2 . 0 G0 6≡ G1: Pr[b = b] = 1 (i.e.,P can, possibly inefﬁciently, extracted from π(Ei ))

Proving Claim5

Graph isomorphism is an equivalence relation (separates the set of all graph pairs into separate subsets)

([m], π(Ei )) is a random element in [Gi ] — the equivalence class ofG i

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 8 / 37 0 G0 6≡ G1: Pr[b = b] = 1 (i.e.,P can, possibly inefﬁciently, extracted from π(Ei ))

Proving Claim5

Graph isomorphism is an equivalence relation (separates the set of all graph pairs into separate subsets)

([m], π(Ei )) is a random element in [Gi ] — the equivalence class ofG i

Hence, 0 1 G0 ≡ G1: Pr[b = b] ≤ 2 .

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 8 / 37 Proving Claim5

Graph isomorphism is an equivalence relation (separates the set of all graph pairs into separate subsets)

([m], π(Ei )) is a random element in [Gi ] — the equivalence class ofG i

Hence, 0 1 G0 ≡ G1: Pr[b = b] ≤ 2 . 0 G0 6≡ G1: Pr[b = b] = 1 (i.e.,P can, possibly inefﬁciently, extracted from π(Ei ))

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 8 / 37 Part II

Zero knowledge Proofs

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 9 / 37 Question 6 Can you prove you know where Waldo is without revealing his location?

Where is Waldo?

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 10 / 37 Where is Waldo?

Question 6 Can you prove you know where Waldo is without revealing his location?

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 10 / 37 What does it mean? Simulation paradigm.

The concept of zero knowledge

Proving w/o revealing any addition information.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 11 / 37 Simulation paradigm.

The concept of zero knowledge

Proving w/o revealing any addition information. What does it mean?

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 11 / 37 The concept of zero knowledge

Proving w/o revealing any addition information. What does it mean? Simulation paradigm.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 11 / 37 1 ZK is a property of the prover. 2 ZK only required to hold wrt. true statements. 3 Trivial to achieve for L ∈BPP . 4 The NP proof system is typically not zero knowledge. 5 Meaningful also for languages outside NP. 6 Auxiliary input. . .

Perfect ZK (PZK)/statistical ZK (SZK) — the above distributions are identicallly/statistically close.

Zero-knowledge proof Deﬁnition 7 (zero-knowledge proofs)

An interactive proof (P, V) is computational zero-knowledge proof( CZK) for L ∈NP , if ∀ PPT V∗, ∃ PPT S such that

∗ {h(P(w(x)), V )(x)iV∗ }x∈L ≈c {S(x)}x∈L.

for any function w with w(x) ∈ RL(x).

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 12 / 37 1 ZK is a property of the prover. 2 ZK only required to hold wrt. true statements. 3 Trivial to achieve for L ∈BPP . 4 The NP proof system is typically not zero knowledge. 5 Meaningful also for languages outside NP. 6 Auxiliary input. . .

Zero-knowledge proof Deﬁnition 7 (zero-knowledge proofs)

An interactive proof (P, V) is computational zero-knowledge proof( CZK) for L ∈NP , if ∀ PPT V∗, ∃ PPT S such that

∗ {h(P(w(x)), V )(x)iV∗ }x∈L ≈c {S(x)}x∈L.

for any function w with w(x) ∈ RL(x). Perfect ZK (PZK)/statistical ZK (SZK) — the above distributions are identicallly/statistically close.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 12 / 37 2 ZK only required to hold wrt. true statements. 3 Trivial to achieve for L ∈BPP . 4 The NP proof system is typically not zero knowledge. 5 Meaningful also for languages outside NP. 6 Auxiliary input. . .

Zero-knowledge proof Deﬁnition 7 (zero-knowledge proofs)

An interactive proof (P, V) is computational zero-knowledge proof( CZK) for L ∈NP , if ∀ PPT V∗, ∃ PPT S such that

∗ {h(P(w(x)), V )(x)iV∗ }x∈L ≈c {S(x)}x∈L.

for any function w with w(x) ∈ RL(x). Perfect ZK (PZK)/statistical ZK (SZK) — the above distributions are identicallly/statistically close.

1 ZK is a property of the prover.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 12 / 37 3 Trivial to achieve for L ∈BPP . 4 The NP proof system is typically not zero knowledge. 5 Meaningful also for languages outside NP. 6 Auxiliary input. . .

Zero-knowledge proof Deﬁnition 7 (zero-knowledge proofs)

An interactive proof (P, V) is computational zero-knowledge proof( CZK) for L ∈NP , if ∀ PPT V∗, ∃ PPT S such that

∗ {h(P(w(x)), V )(x)iV∗ }x∈L ≈c {S(x)}x∈L.

for any function w with w(x) ∈ RL(x). Perfect ZK (PZK)/statistical ZK (SZK) — the above distributions are identicallly/statistically close.

1 ZK is a property of the prover. 2 ZK only required to hold wrt. true statements.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 12 / 37 4 The NP proof system is typically not zero knowledge. 5 Meaningful also for languages outside NP. 6 Auxiliary input. . .

Zero-knowledge proof Deﬁnition 7 (zero-knowledge proofs)

An interactive proof (P, V) is computational zero-knowledge proof( CZK) for L ∈NP , if ∀ PPT V∗, ∃ PPT S such that

∗ {h(P(w(x)), V )(x)iV∗ }x∈L ≈c {S(x)}x∈L.

for any function w with w(x) ∈ RL(x). Perfect ZK (PZK)/statistical ZK (SZK) — the above distributions are identicallly/statistically close.

1 ZK is a property of the prover. 2 ZK only required to hold wrt. true statements. 3 Trivial to achieve for L ∈BPP .

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 12 / 37 5 Meaningful also for languages outside NP. 6 Auxiliary input. . .

Zero-knowledge proof Deﬁnition 7 (zero-knowledge proofs)

An interactive proof (P, V) is computational zero-knowledge proof( CZK) for L ∈NP , if ∀ PPT V∗, ∃ PPT S such that

∗ {h(P(w(x)), V )(x)iV∗ }x∈L ≈c {S(x)}x∈L.

for any function w with w(x) ∈ RL(x). Perfect ZK (PZK)/statistical ZK (SZK) — the above distributions are identicallly/statistically close.

1 ZK is a property of the prover. 2 ZK only required to hold wrt. true statements. 3 Trivial to achieve for L ∈BPP . 4 The NP proof system is typically not zero knowledge.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 12 / 37 6 Auxiliary input. . .

Zero-knowledge proof Deﬁnition 7 (zero-knowledge proofs)

An interactive proof (P, V) is computational zero-knowledge proof( CZK) for L ∈NP , if ∀ PPT V∗, ∃ PPT S such that

∗ {h(P(w(x)), V )(x)iV∗ }x∈L ≈c {S(x)}x∈L.

for any function w with w(x) ∈ RL(x). Perfect ZK (PZK)/statistical ZK (SZK) — the above distributions are identicallly/statistically close.

1 ZK is a property of the prover. 2 ZK only required to hold wrt. true statements. 3 Trivial to achieve for L ∈BPP . 4 The NP proof system is typically not zero knowledge. 5 Meaningful also for languages outside NP.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 12 / 37 Zero-knowledge proof Deﬁnition 7 (zero-knowledge proofs)

An interactive proof (P, V) is computational zero-knowledge proof( CZK) for L ∈NP , if ∀ PPT V∗, ∃ PPT S such that

∗ {h(P(w(x)), V )(x)iV∗ }x∈L ≈c {S(x)}x∈L.

for any function w with w(x) ∈ RL(x). Perfect ZK (PZK)/statistical ZK (SZK) — the above distributions are identicallly/statistically close.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 12 / 37 Section 2

Zero-Knowledge Proof for Graph Isomorphism

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 13 / 37 Protocol 8 ((P, V))

Common input: x = (G0 = ([m], E0), G1 = ([m], E1))

P’s input: a permutation π over [m] such that π(E1) = E0.

0 0 1 P chooses π ← Πm and sends E = π (E0) toV. 2 V sends b ← {0, 1} toP.

3 If b = 0,P sets π00 = π0, otherwise, it sends π00 = π0 ◦ π toV. 00 4 V accepts iff π (Eb) = E.

Claim 9

1 Protocol8 is a SZK for GI, with perfect completeness and soundness 2 .

ZK Proof for Graph Isomorphism

Idea: route ﬁnding

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 14 / 37 Claim 9

1 Protocol8 is a SZK for GI, with perfect completeness and soundness 2 .

ZK Proof for Graph Isomorphism

Idea: route ﬁnding

Protocol 8 ((P, V))

Common input: x = (G0 = ([m], E0), G1 = ([m], E1))

P’s input: a permutation π over [m] such that π(E1) = E0.

0 0 1 P chooses π ← Πm and sends E = π (E0) toV. 2 V sends b ← {0, 1} toP.

3 If b = 0,P sets π00 = π0, otherwise, it sends π00 = π0 ◦ π toV. 00 4 V accepts iff π (Eb) = E.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 14 / 37 ZK Proof for Graph Isomorphism

Idea: route ﬁnding

Protocol 8 ((P, V))

Common input: x = (G0 = ([m], E0), G1 = ([m], E1))

P’s input: a permutation π over [m] such that π(E1) = E0.

0 0 1 P chooses π ← Πm and sends E = π (E0) toV. 2 V sends b ← {0, 1} toP.

3 If b = 0,P sets π00 = π0, otherwise, it sends π00 = π0 ◦ π toV. 00 4 V accepts iff π (Eb) = E.

Claim 9

1 Protocol8 is a SZK for GI, with perfect completeness and soundness 2 .

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 14 / 37 0 0 Soundness: If exist j ∈ {0, 1} for which @π ∈ Πm with π (Ej ) = E, thenV 1 rejects w.p. at least 2 . 1 AssumingV rejects w.p. less than 2 and let π0 and π1 be the values guaranteed by the above observation (i.e., mapping E0 and E1 to E respectively). −1 Then π0 (π1(E1)) = π0 =⇒ (G0, G1) ∈GI .

ZK: Idea – for (G0, G1) ∈GI , it is easy to generate a random transcript 1 for Steps 1–2, and to be able to open it with prob 2 .

Proving Claim9

Completeness: Clear

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 15 / 37 ZK: Idea – for (G0, G1) ∈GI , it is easy to generate a random transcript 1 for Steps 1–2, and to be able to open it with prob 2 .

Proving Claim9

Completeness: Clear 0 0 Soundness: If exist j ∈ {0, 1} for which @π ∈ Πm with π (Ej ) = E, thenV 1 rejects w.p. at least 2 . 1 AssumingV rejects w.p. less than 2 and let π0 and π1 be the values guaranteed by the above observation (i.e., mapping E0 and E1 to E respectively). −1 Then π0 (π1(E1)) = π0 =⇒ (G0, G1) ∈GI .

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 15 / 37 Proving Claim9

ZK: Idea – for (G0, G1) ∈GI , it is easy to generate a random transcript 1 for Steps 1–2, and to be able to open it with prob 2 .

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 15 / 37 Algorithm 10 (S)

Input: x = (G0 = ([m], E0), G1 = ([m], E1)) Do |x| times: 0 ∗ 1 Choose b ← {0, 1} and π ← Πm, and “send" π(Eb0 ) toV (x). 2 Let b beV ∗’s answer. If b = b0, send π toV ∗, outputV ∗’s output and halt. Otherwise, rewindV ∗ to its initial step, and go to step1.

Abort.

Claim 11

∗ {h(P, V )(x)iV∗ }x∈GI ≈ {S(x)}x∈GI

Claim 11 implies that Protocol8 is zero knowledge.

The simulator

For a start, consider a deterministic cheating veriﬁerV ∗ that never aborts.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 16 / 37 Claim 11

∗ {h(P, V )(x)iV∗ }x∈GI ≈ {S(x)}x∈GI

Claim 11 implies that Protocol8 is zero knowledge.

The simulator

For a start, consider a deterministic cheating veriﬁerV ∗ that never aborts.

Algorithm 10 (S)

Abort.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 16 / 37 Claim 11 implies that Protocol8 is zero knowledge.

The simulator

For a start, consider a deterministic cheating veriﬁerV ∗ that never aborts.

Algorithm 10 (S)

Abort.

Claim 11

∗ {h(P, V )(x)iV∗ }x∈GI ≈ {S(x)}x∈GI

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 16 / 37 The simulator

For a start, consider a deterministic cheating veriﬁerV ∗ that never aborts.

Algorithm 10 (S)

Abort.

Claim 11

∗ {h(P, V )(x)iV∗ }x∈GI ≈ {S(x)}x∈GI

Claim 11 implies that Protocol8 is zero knowledge.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 16 / 37 Claim 13 S(x) ≡ S0(x) for any x ∈GI .

Proof:?

Proving Claim 11 Consider the following inefﬁcient simulator: Algorithm 12 (S0)

Input: x = (G0 = ([m], E0), G1 = ([m], E1)). Do |x| times: ∗ 1 Choose π ← Πm and send E = π(E0) toV (x). 2 Let b beV ∗’s answer. 1 W.p. 2 , 0 0 ∗ 1 Find π such that E = π (Eb), and send it toV . ∗ 2 OutputV ’s output and halt. Otherwise, rewindV ∗ to its initial step, and go to step1. Abort.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 17 / 37 Proof:?

Proving Claim 11 Consider the following inefﬁcient simulator: Algorithm 12 (S0)

Claim 13 S(x) ≡ S0(x) for any x ∈GI .

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 17 / 37 Proving Claim 11 Consider the following inefﬁcient simulator: Algorithm 12 (S0)

Claim 13 S(x) ≡ S0(x) for any x ∈GI .

Proof:? Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 17 / 37 1 ∗ 00 h(P, V (x))iV∗ ≡ S (x). 2 SD(S00(x), S0(x)) ≤ 2−|x|.

Claim 15 ∀x ∈GI it holds that

Proof:? (1) is clear.

Proving Claim 11 cont.

Consider a second inefﬁcient simulator: Algorithm 14 (S00)

Input: x = (G0 = ([m], E0), G1 = ([m], E1)) ∗ 1 Choose π ← Πm and send E = π(E0) toV (x). 0 0 ∗ 2 Find π such that E = π (Eb) and send it toV 3 OutputV ∗’s output and halt.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 18 / 37 2 SD(S00(x), S0(x)) ≤ 2−|x|.

Proof:? (1) is clear.

Proving Claim 11 cont.

Consider a second inefﬁcient simulator: Algorithm 14 (S00)

Input: x = (G0 = ([m], E0), G1 = ([m], E1)) ∗ 1 Choose π ← Πm and send E = π(E0) toV (x). 0 0 ∗ 2 Find π such that E = π (Eb) and send it toV 3 OutputV ∗’s output and halt.

Claim 15 ∀x ∈GI it holds that

1 ∗ 00 h(P, V (x))iV∗ ≡ S (x).

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 18 / 37 Proof:? (1) is clear.

Proving Claim 11 cont.

Consider a second inefﬁcient simulator: Algorithm 14 (S00)

Input: x = (G0 = ([m], E0), G1 = ([m], E1)) ∗ 1 Choose π ← Πm and send E = π(E0) toV (x). 0 0 ∗ 2 Find π such that E = π (Eb) and send it toV 3 OutputV ∗’s output and halt.

Claim 15 ∀x ∈GI it holds that

1 ∗ 00 h(P, V (x))iV∗ ≡ S (x). 2 SD(S00(x), S0(x)) ≤ 2−|x|.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 18 / 37 Proof:? (1) is clear.

Proving Claim 11 cont.

Consider a second inefﬁcient simulator: Algorithm 14 (S00)

Input: x = (G0 = ([m], E0), G1 = ([m], E1)) ∗ 1 Choose π ← Πm and send E = π(E0) toV (x). 0 0 ∗ 2 Find π such that E = π (Eb) and send it toV 3 OutputV ∗’s output and halt.

Claim 15 ∀x ∈GI it holds that

1 ∗ 00 h(P, V (x))iV∗ ≡ S (x). 2 SD(S00(x), S0(x)) ≤ 2−|x|.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 18 / 37 (1) is clear.

Proving Claim 11 cont.

Consider a second inefﬁcient simulator: Algorithm 14 (S00)

Input: x = (G0 = ([m], E0), G1 = ([m], E1)) ∗ 1 Choose π ← Πm and send E = π(E0) toV (x). 0 0 ∗ 2 Find π such that E = π (Eb) and send it toV 3 OutputV ∗’s output and halt.

Claim 15 ∀x ∈GI it holds that

1 ∗ 00 h(P, V (x))iV∗ ≡ S (x). 2 SD(S00(x), S0(x)) ≤ 2−|x|.

Proof:?

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 18 / 37 Proving Claim 11 cont.

Consider a second inefﬁcient simulator: Algorithm 14 (S00)

Input: x = (G0 = ([m], E0), G1 = ([m], E1)) ∗ 1 Choose π ← Πm and send E = π(E0) toV (x). 0 0 ∗ 2 Find π such that E = π (Eb) and send it toV 3 OutputV ∗’s output and halt.

Claim 15 ∀x ∈GI it holds that

1 ∗ 00 h(P, V (x))iV∗ ≡ S (x). 2 SD(S00(x), S0(x)) ≤ 2−|x|.

Proof:? (1) is clear.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 18 / 37 It holds that

|x| X 1 1 Pr [t] = α · (1 − )i−1 · S0(x) 2 2 i=1 = (1 − 2−|x|) · α

Hence,SD (S00(x), S0(x)) ≤ 2−|x|

Proving Claim 15(2)

∗ Fix t ∈ {0, 1} and let α = PrS00(x)[t].

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 19 / 37 Hence,SD (S00(x), S0(x)) ≤ 2−|x|

Proving Claim 15(2)

∗ Fix t ∈ {0, 1} and let α = PrS00(x)[t]. It holds that

|x| X 1 1 Pr [t] = α · (1 − )i−1 · S0(x) 2 2 i=1 = (1 − 2−|x|) · α

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 19 / 37 Proving Claim 15(2)

∗ Fix t ∈ {0, 1} and let α = PrS00(x)[t]. It holds that

|x| X 1 1 Pr [t] = α · (1 − )i−1 · S0(x) 2 2 i=1 = (1 − 2−|x|) · α

Hence,SD (S00(x), S0(x)) ≤ 2−|x|

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 19 / 37 ∗ 1 The simulator ﬁrst ﬁxes the random coins of V at random. 2 Same proof goes through.

2 Aborting veriﬁers.

3 Randomized veriﬁers.

4 Negligible soundness error?

Remarks

1 Perfect ZK for “expected polynomial-time" simulators.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 20 / 37 ∗ 1 The simulator ﬁrst ﬁxes the random coins of V at random. 2 Same proof goes through.

3 Randomized veriﬁers.

4 Negligible soundness error?

Remarks

1 Perfect ZK for “expected polynomial-time" simulators.

2 Aborting veriﬁers.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 20 / 37 ∗ 1 The simulator ﬁrst ﬁxes the random coins of V at random. 2 Same proof goes through.

4 Negligible soundness error?

Remarks

1 Perfect ZK for “expected polynomial-time" simulators.

2 Aborting veriﬁers.

3 Randomized veriﬁers.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 20 / 37 2 Same proof goes through.

4 Negligible soundness error?

Remarks

1 Perfect ZK for “expected polynomial-time" simulators.

2 Aborting veriﬁers.

3 Randomized verifiers. ∗ 1 The simulator first fixes the random coins of V at random.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 20 / 37 4 Negligible soundness error?

Remarks

1 Perfect ZK for “expected polynomial-time" simulators.

2 Aborting veriﬁers.

3 Randomized verifiers. ∗ 1 The simulator first fixes the random coins of V at random. 2 Same proof goes through.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 20 / 37 Remarks

1 Perfect ZK for “expected polynomial-time" simulators.

2 Aborting veriﬁers.

3 Randomized verifiers. ∗ 1 The simulator first fixes the random coins of V at random. 2 Same proof goes through.

4 Negligible soundness error?

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 20 / 37 The above protocol has perfect completeness and soundness. Is it zero-knowledge?

It has “transcript simulator" (at least for honest veriﬁers): exits PPT S

such that {h(P(w ∈ RL(x)), V)(x)itrans}x∈L ≈c {S(x)}x∈L, where trans stands for the transcript of the protocol (i.e., the messages exchange through the execution).

Let (G, E, D) be a public-key encryption scheme and let L ∈NP .

Protocol 16 ((P, V)) Common input: x ∈ {0, 1}∗

P’s input: w ∈ RL(x)

1 V chooses (d, e) ← G(1|x|) and sends e toP

2 P sends c = Ee(w) toV

3 V accepts iffD d (c) ∈ RL(x)

“Transcript simulation" might not sufﬁce!

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 21 / 37 The above protocol has perfect completeness and soundness. Is it zero-knowledge?

It has “transcript simulator" (at least for honest veriﬁers): exits PPT S

such that {h(P(w ∈ RL(x)), V)(x)itrans}x∈L ≈c {S(x)}x∈L, where trans stands for the transcript of the protocol (i.e., the messages exchange through the execution).

Protocol 16 ((P, V)) Common input: x ∈ {0, 1}∗

P’s input: w ∈ RL(x)

1 V chooses (d, e) ← G(1|x|) and sends e toP

2 P sends c = Ee(w) toV

3 V accepts iffD d (c) ∈ RL(x)

“Transcript simulation" might not sufﬁce! Let (G, E, D) be a public-key encryption scheme and let L ∈NP .

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 21 / 37 The above protocol has perfect completeness and soundness. Is it zero-knowledge?

It has “transcript simulator" (at least for honest veriﬁers): exits PPT S

such that {h(P(w ∈ RL(x)), V)(x)itrans}x∈L ≈c {S(x)}x∈L, where trans stands for the transcript of the protocol (i.e., the messages exchange through the execution).

“Transcript simulation" might not sufﬁce! Let (G, E, D) be a public-key encryption scheme and let L ∈NP .

Protocol 16 ((P, V)) Common input: x ∈ {0, 1}∗

P’s input: w ∈ RL(x)

1 V chooses (d, e) ← G(1|x|) and sends e toP

2 P sends c = Ee(w) toV

3 V accepts iffD d (c) ∈ RL(x)

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 21 / 37 Is it zero-knowledge?

It has “transcript simulator" (at least for honest veriﬁers): exits PPT S

such that {h(P(w ∈ RL(x)), V)(x)itrans}x∈L ≈c {S(x)}x∈L, where trans stands for the transcript of the protocol (i.e., the messages exchange through the execution).

“Transcript simulation" might not sufﬁce! Let (G, E, D) be a public-key encryption scheme and let L ∈NP .

Protocol 16 ((P, V)) Common input: x ∈ {0, 1}∗

P’s input: w ∈ RL(x)

1 V chooses (d, e) ← G(1|x|) and sends e toP

2 P sends c = Ee(w) toV

3 V accepts iffD d (c) ∈ RL(x)

The above protocol has perfect completeness and soundness.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 21 / 37 It has “transcript simulator" (at least for honest veriﬁers): exits PPT S

such that {h(P(w ∈ RL(x)), V)(x)itrans}x∈L ≈c {S(x)}x∈L, where trans stands for the transcript of the protocol (i.e., the messages exchange through the execution).

“Transcript simulation" might not sufﬁce! Let (G, E, D) be a public-key encryption scheme and let L ∈NP .

Protocol 16 ((P, V)) Common input: x ∈ {0, 1}∗

P’s input: w ∈ RL(x)

1 V chooses (d, e) ← G(1|x|) and sends e toP

2 P sends c = Ee(w) toV

3 V accepts iffD d (c) ∈ RL(x)

The above protocol has perfect completeness and soundness. Is it zero-knowledge?

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 21 / 37 “Transcript simulation" might not sufﬁce! Let (G, E, D) be a public-key encryption scheme and let L ∈NP .

Protocol 16 ((P, V)) Common input: x ∈ {0, 1}∗

P’s input: w ∈ RL(x)

1 V chooses (d, e) ← G(1|x|) and sends e toP

2 P sends c = Ee(w) toV

3 V accepts iffD d (c) ∈ RL(x)

The above protocol has perfect completeness and soundness. Is it zero-knowledge?

It has “transcript simulator" (at least for honest veriﬁers): exits PPT S

such that {h(P(w ∈ RL(x)), V)(x)itrans}x∈L ≈c {S(x)}x∈L, where trans stands for the transcript of the protocol (i.e., the messages exchange through the execution).

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 21 / 37 Section 3

Composition of Zero-Knowledge Proofs

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 22 / 37 Parallel repetition?

Is zero-knowledge maintained under composition?

Sequential repetition?

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 23 / 37 Is zero-knowledge maintained under composition?

Sequential repetition? Parallel repetition?

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 23 / 37 1 The protocol for GI we just saw, is also auxiliary-input SZK

2 What about randomized veriﬁers?

Zero-knowledge proof, auxiliary input variant.

Deﬁnition 17 (zero-knowledge proofs, auxiliary input)

An interactive proof (P, V) is computational zero-knowledge proof( CZK) for L ∈NP , if ∀ deterministic poly-timeV ∗, ∃ PPT S such that:a

∗ {h(P(w(x)), V (z(x)))(x)iV∗ }x∈L ≈c {S(x, z(x))}x∈L

∗ for any any w with w(x) ∈ RL(x) and any z : L 7→ {0, 1} . Perfect ZK (PZK)/statistical ZK (SZK) — the above distributions are identicallly/statistically close.

aLength of auxiliary input does not count for the running time.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 24 / 37 2 What about randomized veriﬁers?

Zero-knowledge proof, auxiliary input variant.

Deﬁnition 17 (zero-knowledge proofs, auxiliary input)

An interactive proof (P, V) is computational zero-knowledge proof( CZK) for L ∈NP , if ∀ deterministic poly-timeV ∗, ∃ PPT S such that:a

∗ {h(P(w(x)), V (z(x)))(x)iV∗ }x∈L ≈c {S(x, z(x))}x∈L

∗ for any any w with w(x) ∈ RL(x) and any z : L 7→ {0, 1} . Perfect ZK (PZK)/statistical ZK (SZK) — the above distributions are identicallly/statistically close.

aLength of auxiliary input does not count for the running time.

1 The protocol for GI we just saw, is also auxiliary-input SZK

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 24 / 37 Zero-knowledge proof, auxiliary input variant.

Deﬁnition 17 (zero-knowledge proofs, auxiliary input)

An interactive proof (P, V) is computational zero-knowledge proof( CZK) for L ∈NP , if ∀ deterministic poly-timeV ∗, ∃ PPT S such that:a

∗ {h(P(w(x)), V (z(x)))(x)iV∗ }x∈L ≈c {S(x, z(x))}x∈L

∗ for any any w with w(x) ∈ RL(x) and any z : L 7→ {0, 1} . Perfect ZK (PZK)/statistical ZK (SZK) — the above distributions are identicallly/statistically close.

aLength of auxiliary input does not count for the running time.

1 The protocol for GI we just saw, is also auxiliary-input SZK

2 What about randomized veriﬁers?

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 24 / 37 I Chess game I Signature game

Zero-knowledge might not maintained under parallel repetition. Examples:

Is zero-knowledge maintained under composition?, cont.

Auxiliary-input zero-knowledge is maintained under sequential repetition.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 25 / 37 I Chess game I Signature game

Examples:

Is zero-knowledge maintained under composition?, cont.

Auxiliary-input zero-knowledge is maintained under sequential repetition. Zero-knowledge might not maintained under parallel repetition.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 25 / 37 I Chess game I Signature game

Is zero-knowledge maintained under composition?, cont.

Auxiliary-input zero-knowledge is maintained under sequential repetition. Zero-knowledge might not maintained under parallel repetition. Examples:

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 25 / 37 I Signature game

Is zero-knowledge maintained under composition?, cont.

Auxiliary-input zero-knowledge is maintained under sequential repetition. Zero-knowledge might not maintained under parallel repetition. Examples:

I Chess game

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 25 / 37 Is zero-knowledge maintained under composition?, cont.

Auxiliary-input zero-knowledge is maintained under sequential repetition. Zero-knowledge might not maintained under parallel repetition. Examples:

I Chess game I Signature game

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 25 / 37 Section 4

Black-box Zero Knowledge

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 26 / 37 1 “Most simulators" are black box

2 Strictly weaker then general simulation!

Black-box simulators

Deﬁnition 18 (Black-box simulator)

(P, V) is CZK with black-box simulation for L ∈NP , if ∃ oracle-aided PPT S s.t.

∗ V∗(x,z(x)) {h(P(w(x)), V (z(x)))(x)iV∗ }x∈L ≈c {S (x)}x∈L

∗ for any deterministic polynomial-timeV , any w with w(x) ∈ RL(x) and any z : L 7→ {0, 1}∗. Prefect and statistical variants are deﬁned analogously.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 27 / 37 2 Strictly weaker then general simulation!

Black-box simulators

Deﬁnition 18 (Black-box simulator)

(P, V) is CZK with black-box simulation for L ∈NP , if ∃ oracle-aided PPT S s.t.

∗ V∗(x,z(x)) {h(P(w(x)), V (z(x)))(x)iV∗ }x∈L ≈c {S (x)}x∈L

∗ for any deterministic polynomial-timeV , any w with w(x) ∈ RL(x) and any z : L 7→ {0, 1}∗. Prefect and statistical variants are deﬁned analogously.

1 “Most simulators" are black box

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 27 / 37 2 Strictly weaker then general simulation!

Black-box simulators

Deﬁnition 18 (Black-box simulator)

(P, V) is CZK with black-box simulation for L ∈NP , if ∃ oracle-aided PPT S s.t.

∗ V∗(x,z(x)) {h(P(w(x)), V (z(x)))(x)iV∗ }x∈L ≈c {S (x)}x∈L

∗ for any deterministic polynomial-timeV , any w with w(x) ∈ RL(x) and any z : L 7→ {0, 1}∗. Prefect and statistical variants are deﬁned analogously.

1 “Most simulators" are black box

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 27 / 37 Black-box simulators

Deﬁnition 18 (Black-box simulator)

(P, V) is CZK with black-box simulation for L ∈NP , if ∃ oracle-aided PPT S s.t.

∗ V∗(x,z(x)) {h(P(w(x)), V (z(x)))(x)iV∗ }x∈L ≈c {S (x)}x∈L

∗ for any deterministic polynomial-timeV , any w with w(x) ∈ RL(x) and any z : L 7→ {0, 1}∗. Prefect and statistical variants are deﬁned analogously.

1 “Most simulators" are black box

2 Strictly weaker then general simulation!

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 27 / 37 Section 5

Zero-knowledge proofs for all NP

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 28 / 37 We show how to transform it for any L ∈NP (using that 3COL ∈NPC ).

Deﬁnition 19 (3COL) G = (M, E) ∈ 3COL, if ∃ φ: M 7→ [3] s.t. φ(u) 6= φ(v) for every (u, v) ∈ E.

We use commitment schemes.

CZK for 3COL

Assuming that OWFs exists, we give a (black-box) CZK for 3COL.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 29 / 37 Deﬁnition 19 (3COL) G = (M, E) ∈ 3COL, if ∃ φ: M 7→ [3] s.t. φ(u) 6= φ(v) for every (u, v) ∈ E.

We use commitment schemes.

CZK for 3COL

Assuming that OWFs exists, we give a (black-box) CZK for 3COL. We show how to transform it for any L ∈NP (using that 3COL ∈NPC ).

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 29 / 37 Deﬁnition 19 (3COL) G = (M, E) ∈ 3COL, if ∃ φ: M 7→ [3] s.t. φ(u) 6= φ(v) for every (u, v) ∈ E.

We use commitment schemes.

CZK for 3COL

Assuming that OWFs exists, we give a (black-box) CZK for 3COL. We show how to transform it for any L ∈NP (using that 3COL ∈NPC ).

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 29 / 37 We use commitment schemes.

CZK for 3COL

Assuming that OWFs exists, we give a (black-box) CZK for 3COL. We show how to transform it for any L ∈NP (using that 3COL ∈NPC ).

Deﬁnition 19 (3COL) G = (M, E) ∈ 3COL, if ∃ φ: M 7→ [3] s.t. φ(u) 6= φ(v) for every (u, v) ∈ E.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 29 / 37 CZK for 3COL

Assuming that OWFs exists, we give a (black-box) CZK for 3COL. We show how to transform it for any L ∈NP (using that 3COL ∈NPC ).

Deﬁnition 19 (3COL) G = (M, E) ∈ 3COL, if ∃ φ: M 7→ [3] s.t. φ(u) 6= φ(v) for every (u, v) ∈ E.

We use commitment schemes.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 29 / 37 We use perfectly binding commitment Com = (Snd, Rcv).

Protocol 20 ((P, V)) Common input: GraphG = (M, E) with n = |G| P’s input: a (valid) coloring φ ofG

1 P chooses π ← Π3 and sets ψ = π ◦ φ 2 ∀v ∈ M:P commits to ψ(v) using Com (with security parameter1 n).

Let cv and dv be the resulting commitment and decommitment. 3 V sends e = (u, v) ← E toP

4 P sends (du, ψ(u)), (dv , ψ(v)) toV 5 V veriﬁes that

1 Both decommitments are valid, 2 ψ(u), ψ(v) ∈ [3], and 3 ψ(u) 6= ψ(v).

The protocol Let π3 be the set of all permutations over [3].

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 30 / 37 Protocol 20 ((P, V)) Common input: GraphG = (M, E) with n = |G| P’s input: a (valid) coloring φ ofG

1 P chooses π ← Π3 and sets ψ = π ◦ φ 2 ∀v ∈ M:P commits to ψ(v) using Com (with security parameter1 n).

Let cv and dv be the resulting commitment and decommitment. 3 V sends e = (u, v) ← E toP

4 P sends (du, ψ(u)), (dv , ψ(v)) toV 5 V veriﬁes that

1 Both decommitments are valid, 2 ψ(u), ψ(v) ∈ [3], and 3 ψ(u) 6= ψ(v).

The protocol Let π3 be the set of all permutations over [3]. We use perfectly binding commitment Com = (Snd, Rcv).

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 30 / 37 The protocol Let π3 be the set of all permutations over [3]. We use perfectly binding commitment Com = (Snd, Rcv).

Protocol 20 ((P, V)) Common input: GraphG = (M, E) with n = |G| P’s input: a (valid) coloring φ ofG

1 P chooses π ← Π3 and sets ψ = π ◦ φ 2 ∀v ∈ M:P commits to ψ(v) using Com (with security parameter1 n).

Let cv and dv be the resulting commitment and decommitment. 3 V sends e = (u, v) ← E toP

4 P sends (du, ψ(u)), (dv , ψ(v)) toV 5 V veriﬁes that

1 Both decommitments are valid, 2 ψ(u), ψ(v) ∈ [3], and 3 ψ(u) 6= ψ(v).

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 30 / 37 Completeness: Clear

Soundness: Let {cv }v∈M be the commitments resulting from an interaction ofV with an arbitraryP ∗.

Deﬁne φ: M 7→ [3] as follows:

∀v ∈ M: let φ(v) be the (single) value that it is possible to decommit cv into (if not in [3], set φ(v) = 1).

IfG ∈/ 3COL, then ∃(u, v) ∈ E s.t. ψ(u) = ψ(v).

Hence,V rejects such x w.p. at least1 / |E|.

Claim 21 The above protocol is a CZK for 3COL, with perfect completeness and soundness1 / |E|.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 31 / 37 IfG ∈/ 3COL, then ∃(u, v) ∈ E s.t. ψ(u) = ψ(v).

Hence,V rejects such x w.p. at least1 / |E|.

Soundness: Let {cv }v∈M be the commitments resulting from an interaction ofV with an arbitraryP ∗.

Deﬁne φ: M 7→ [3] as follows:

∀v ∈ M: let φ(v) be the (single) value that it is possible to decommit cv into (if not in [3], set φ(v) = 1).

Claim 21 The above protocol is a CZK for 3COL, with perfect completeness and soundness1 / |E|.

Completeness: Clear

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 31 / 37 IfG ∈/ 3COL, then ∃(u, v) ∈ E s.t. ψ(u) = ψ(v).

Hence,V rejects such x w.p. at least1 / |E|.

Claim 21 The above protocol is a CZK for 3COL, with perfect completeness and soundness1 / |E|.

Completeness: Clear

Soundness: Let {cv }v∈M be the commitments resulting from an interaction ofV with an arbitraryP ∗.

Deﬁne φ: M 7→ [3] as follows:

∀v ∈ M: let φ(v) be the (single) value that it is possible to decommit cv into (if not in [3], set φ(v) = 1).

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 31 / 37 IfG ∈/ 3COL, then ∃(u, v) ∈ E s.t. ψ(u) = ψ(v).

Hence,V rejects such x w.p. at least1 / |E|.

Claim 21 The above protocol is a CZK for 3COL, with perfect completeness and soundness1 / |E|.

Completeness: Clear

Soundness: Let {cv }v∈M be the commitments resulting from an interaction ofV with an arbitraryP ∗.

Deﬁne φ: M 7→ [3] as follows:

∀v ∈ M: let φ(v) be the (single) value that it is possible to decommit cv into (if not in [3], set φ(v) = 1).

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 31 / 37 Hence,V rejects such x w.p. at least1 / |E|.

Claim 21 The above protocol is a CZK for 3COL, with perfect completeness and soundness1 / |E|.

Completeness: Clear

Soundness: Let {cv }v∈M be the commitments resulting from an interaction ofV with an arbitraryP ∗.

Deﬁne φ: M 7→ [3] as follows:

∀v ∈ M: let φ(v) be the (single) value that it is possible to decommit cv into (if not in [3], set φ(v) = 1).

IfG ∈/ 3COL, then ∃(u, v) ∈ E s.t. ψ(u) = ψ(v).

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 31 / 37 Claim 21 The above protocol is a CZK for 3COL, with perfect completeness and soundness1 / |E|.

Completeness: Clear

Soundness: Let {cv }v∈M be the commitments resulting from an interaction ofV with an arbitraryP ∗.

Deﬁne φ: M 7→ [3] as follows:

∀v ∈ M: let φ(v) be the (single) value that it is possible to decommit cv into (if not in [3], set φ(v) = 1).

IfG ∈/ 3COL, then ∃(u, v) ∈ E s.t. ψ(u) = ψ(v).

Hence,V rejects such x w.p. at least1 / |E|.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 31 / 37 Algorithm 22 (S) Input: A graphG = (M, E) with n = |G| Do n · |E| times:

1 Choose e0 = (u, v) ← E.

1 Set ψ(u) ← [3], 2 Set ψ(v) ← [3] \{ψ(u)}, and 3 Set ψ(w) = 1 for w ∈ M \{u, v}.

∗ 2 ∀v ∈ M: commit to ψ(v) toV (resulting in cv and dv ) 3 Let e be the edge sent byV ∗. 0 ∗ ∗ If e = e , send (du, ψ(u)), (dv , ψ(v)) toV , outputV ’s output and halt. Otherwise, rewindV ∗ to its initial step, and go to step1. Abort.

Proving ZK Fix a deterministic, non-abortingV ∗ that gets no auxiliary input.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 32 / 37 Proving ZK Fix a deterministic, non-abortingV ∗ that gets no auxiliary input.

Algorithm 22 (S) Input: A graphG = (M, E) with n = |G| Do n · |E| times:

1 Choose e0 = (u, v) ← E.

1 Set ψ(u) ← [3], 2 Set ψ(v) ← [3] \{ψ(u)}, and 3 Set ψ(w) = 1 for w ∈ M \{u, v}.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 32 / 37 Claim 24 ∗ V∗(x) {h(P(w(x)), V )(x)iV∗ }x∈3COL≈{Se (x, w(x))}x∈3COL, for any w with w(x) ∈ RL(x).

Proof:?

Proving ZK cont.

Algorithm 23 (Se) Input:G = (V , E) with n = |G|, and a (valid) coloring φ ofG. Do for n · |E| times:

1 Choose e0 ← E.

2 Act like the honest prover does given private input φ.

3 Let e be the edge sent byV ∗. If e = e0 ∗ 1 Send (ψ(u), du), (ψ(v), dv ) toV , ∗ 2 OutputV ’s output and halt. Otherwise, rewindV ∗ to its initial step, and go to step1. Abort.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 33 / 37 Proof:?

Proving ZK cont.

Algorithm 23 (Se) Input:G = (V , E) with n = |G|, and a (valid) coloring φ ofG. Do for n · |E| times:

1 Choose e0 ← E.

2 Act like the honest prover does given private input φ.

3 Let e be the edge sent byV ∗. If e = e0 ∗ 1 Send (ψ(u), du), (ψ(v), dv ) toV , ∗ 2 OutputV ’s output and halt. Otherwise, rewindV ∗ to its initial step, and go to step1. Abort.

Claim 24 ∗ V∗(x) {h(P(w(x)), V )(x)iV∗ }x∈3COL≈{Se (x, w(x))}x∈3COL, for any w with w(x) ∈ RL(x).

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 33 / 37 Proving ZK cont.

Algorithm 23 (Se) Input:G = (V , E) with n = |G|, and a (valid) coloring φ ofG. Do for n · |E| times:

1 Choose e0 ← E.

2 Act like the honest prover does given private input φ.

3 Let e be the edge sent byV ∗. If e = e0 ∗ 1 Send (ψ(u), du), (ψ(v), dv ) toV , ∗ 2 OutputV ’s output and halt. Otherwise, rewindV ∗ to its initial step, and go to step1. Abort.

Claim 24 ∗ V∗(x) {h(P(w(x)), V )(x)iV∗ }x∈3COL≈{Se (x, w(x))}x∈3COL, for any w with w(x) ∈ RL(x).

Proof:? Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 33 / 37 Proof: Assume ∃ PPT D, p ∈ poly, w(x) ∈ RL(x) and an inﬁnite set I ⊆ 3COL s.t.

h ∗ i h ∗ i 1 Pr D(SV (x)(x)) = 1 − Pr D(SeV (x)(x, w(x))) = 1 ≥ p(|x|) for all x ∈ I.

Hence, ∃ PPT R∗ and b ∈ [3] \{1} such that

hD E i hD E i Pr (Snd(1), R∗(x, w(x))) (1|x|) = 1 −Pr (Snd(b), R∗(x, w(x))) (1|x|) = 1 R∗ R∗ 1 ≥ |x|2 · p(|x|) for all x ∈ I. In contradiction to the (non-uniform) security of Com.

Proving ZK cont.. Claim 25 V∗(x) V∗(x) {S (x)}x∈3COL ≈c {Se (x, w(x))}x∈3COL, for any w with w(x) ∈ RL(x)..

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 34 / 37 Assume ∃ PPT D, p ∈ poly, w(x) ∈ RL(x) and an inﬁnite set I ⊆ 3COL s.t.

h ∗ i h ∗ i 1 Pr D(SV (x)(x)) = 1 − Pr D(SeV (x)(x, w(x))) = 1 ≥ p(|x|) for all x ∈ I.

Hence, ∃ PPT R∗ and b ∈ [3] \{1} such that

hD E i hD E i Pr (Snd(1), R∗(x, w(x))) (1|x|) = 1 −Pr (Snd(b), R∗(x, w(x))) (1|x|) = 1 R∗ R∗ 1 ≥ |x|2 · p(|x|) for all x ∈ I. In contradiction to the (non-uniform) security of Com.

Proving ZK cont.. Claim 25 V∗(x) V∗(x) {S (x)}x∈3COL ≈c {Se (x, w(x))}x∈3COL, for any w with w(x) ∈ RL(x)..

Proof:

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 34 / 37 Hence, ∃ PPT R∗ and b ∈ [3] \{1} such that

hD E i hD E i Pr (Snd(1), R∗(x, w(x))) (1|x|) = 1 −Pr (Snd(b), R∗(x, w(x))) (1|x|) = 1 R∗ R∗ 1 ≥ |x|2 · p(|x|) for all x ∈ I. In contradiction to the (non-uniform) security of Com.

Proving ZK cont.. Claim 25 V∗(x) V∗(x) {S (x)}x∈3COL ≈c {Se (x, w(x))}x∈3COL, for any w with w(x) ∈ RL(x)..

Proof: Assume ∃ PPT D, p ∈ poly, w(x) ∈ RL(x) and an inﬁnite set I ⊆ 3COL s.t.

h ∗ i h ∗ i 1 Pr D(SV (x)(x)) = 1 − Pr D(SeV (x)(x, w(x))) = 1 ≥ p(|x|) for all x ∈ I.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 34 / 37 In contradiction to the (non-uniform) security of Com.

Proving ZK cont.. Claim 25 V∗(x) V∗(x) {S (x)}x∈3COL ≈c {Se (x, w(x))}x∈3COL, for any w with w(x) ∈ RL(x)..

Proof: Assume ∃ PPT D, p ∈ poly, w(x) ∈ RL(x) and an inﬁnite set I ⊆ 3COL s.t.

h ∗ i h ∗ i 1 Pr D(SV (x)(x)) = 1 − Pr D(SeV (x)(x, w(x))) = 1 ≥ p(|x|) for all x ∈ I.

Hence, ∃ PPT R∗ and b ∈ [3] \{1} such that

hD E i hD E i Pr (Snd(1), R∗(x, w(x))) (1|x|) = 1 −Pr (Snd(b), R∗(x, w(x))) (1|x|) = 1 R∗ R∗ 1 ≥ |x|2 · p(|x|) for all x ∈ I.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 34 / 37 Proving ZK cont.. Claim 25 V∗(x) V∗(x) {S (x)}x∈3COL ≈c {Se (x, w(x))}x∈3COL, for any w with w(x) ∈ RL(x)..

Proof: Assume ∃ PPT D, p ∈ poly, w(x) ∈ RL(x) and an inﬁnite set I ⊆ 3COL s.t.

h ∗ i h ∗ i 1 Pr D(SV (x)(x)) = 1 − Pr D(SeV (x)(x, w(x))) = 1 ≥ p(|x|) for all x ∈ I.

Hence, ∃ PPT R∗ and b ∈ [3] \{1} such that

hD E i hD E i Pr (Snd(1), R∗(x, w(x))) (1|x|) = 1 −Pr (Snd(b), R∗(x, w(x))) (1|x|) = 1 R∗ R∗ 1 ≥ |x|2 · p(|x|) for all x ∈ I. In contradiction to the (non-uniform) security of Com.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 34 / 37 Auxiliary inputs Soundness ampliﬁcation

Remarks

Aborting veriﬁers

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 35 / 37 Soundness ampliﬁcation

Remarks

Aborting veriﬁers Auxiliary inputs

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 35 / 37 Remarks

Aborting veriﬁers Auxiliary inputs Soundness ampliﬁcation

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 35 / 37 For L ∈NP , let MapX and MapW be two poly-time computable functions s.t.

x ∈ L ⇐⇒ MapX (x) ∈ 3COL,

(x, w) ∈ RL ⇐⇒ MapW (x, w) ∈ R3COL(MapX (x)).

We assume for simplicity that MapX is injective.

Let (P, V) be a CZK for 3COL.

Protocol 26 ((PL, VL)) Common input: x ∈ {0, 1}∗.

PL’s input: w ∈ RL(x).

1 The two parties interact in (P(MapW (x, w)), V)(MapX (x)),

whereP L andV L taking the role ofP andV respectively.

2 VL accepts iffV accepts in the above execution.

Extending to all NP

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 36 / 37 We assume for simplicity that MapX is injective.

Let (P, V) be a CZK for 3COL.

Protocol 26 ((PL, VL)) Common input: x ∈ {0, 1}∗.

PL’s input: w ∈ RL(x).

1 The two parties interact in (P(MapW (x, w)), V)(MapX (x)),

whereP L andV L taking the role ofP andV respectively.

2 VL accepts iffV accepts in the above execution.

Extending to all NP

For L ∈NP , let MapX and MapW be two poly-time computable functions s.t.

x ∈ L ⇐⇒ MapX (x) ∈ 3COL,

(x, w) ∈ RL ⇐⇒ MapW (x, w) ∈ R3COL(MapX (x)).

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 36 / 37 Let (P, V) be a CZK for 3COL.

Protocol 26 ((PL, VL)) Common input: x ∈ {0, 1}∗.

PL’s input: w ∈ RL(x).

1 The two parties interact in (P(MapW (x, w)), V)(MapX (x)),

whereP L andV L taking the role ofP andV respectively.

2 VL accepts iffV accepts in the above execution.

Extending to all NP

For L ∈NP , let MapX and MapW be two poly-time computable functions s.t.

x ∈ L ⇐⇒ MapX (x) ∈ 3COL,

(x, w) ∈ RL ⇐⇒ MapW (x, w) ∈ R3COL(MapX (x)).

We assume for simplicity that MapX is injective.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 36 / 37 Protocol 26 ((PL, VL)) Common input: x ∈ {0, 1}∗.

PL’s input: w ∈ RL(x).

1 The two parties interact in (P(MapW (x, w)), V)(MapX (x)),

whereP L andV L taking the role ofP andV respectively.

2 VL accepts iffV accepts in the above execution.

Extending to all NP

For L ∈NP , let MapX and MapW be two poly-time computable functions s.t.

x ∈ L ⇐⇒ MapX (x) ∈ 3COL,

(x, w) ∈ RL ⇐⇒ MapW (x, w) ∈ R3COL(MapX (x)).

We assume for simplicity that MapX is injective.

Let (P, V) be a CZK for 3COL.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 36 / 37 Extending to all NP

For L ∈NP , let MapX and MapW be two poly-time computable functions s.t.

x ∈ L ⇐⇒ MapX (x) ∈ 3COL,

(x, w) ∈ RL ⇐⇒ MapW (x, w) ∈ R3COL(MapX (x)).

We assume for simplicity that MapX is injective.

Let (P, V) be a CZK for 3COL.

Protocol 26 ((PL, VL)) Common input: x ∈ {0, 1}∗.

PL’s input: w ∈ RL(x).

1 The two parties interact in (P(MapW (x, w)), V)(MapX (x)),

whereP L andV L taking the role ofP andV respectively.

2 VL accepts iffV accepts in the above execution.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 36 / 37 Completeness and soundness: Clear. Zero knowledge: LetS (an efﬁcient) ZK simulator for (P, V) (for 3COL).

∗ ∗ V (x,zx ) On input (x, zx ) and veriﬁerV , letS L outputS (MapX (x)).

Claim 28 ∗ ∗ VL(x,z(x)) ∗ {h(PL(w(x)), V (z(x)))(x)i ∗ }x∈L ≈c {S (x)}x∈L ∀ PPT V , w, z. L VL L L

∗ ∗ VL(x,z(x)) Proof: Assume {h(PL(w(x)), V (z(x))(x)i ∗ }x∈L 6≈c {S (x)}x∈L. L VL L Hence, ∗ V∗(x,z0(x)) {h(P(MapW (x, w(x))), V )(x)iV∗(z0(x))}x∈3COL 6≈c {S (x)}x∈3COL, ∗ 0 −1 ∗ −1 0 −1 −1 whereV (x, zx = (zx , x )) acts likeV L(x , zx ), and z (x) = (z(x ), x ) −1 −1 for x = MapX (x).

Extending to all L ∈NP cont.

Claim 27 (PL, VL) is a CZK for L with the same completeness and soundness as (P, V) as for 3COL.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 37 / 37 ∗ ∗ V (x,zx ) On input (x, zx ) and veriﬁerV , letS L outputS (MapX (x)).

Zero knowledge: LetS (an efﬁcient) ZK simulator for (P, V) (for 3COL).

Claim 28 ∗ ∗ VL(x,z(x)) ∗ {h(PL(w(x)), V (z(x)))(x)i ∗ }x∈L ≈c {S (x)}x∈L ∀ PPT V , w, z. L VL L L

Extending to all L ∈NP cont.

Claim 27 (PL, VL) is a CZK for L with the same completeness and soundness as (P, V) as for 3COL.

Completeness and soundness: Clear.

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 37 / 37 ∗ ∗ V (x,zx ) On input (x, zx ) and veriﬁerV , letS L outputS (MapX (x)).

Claim 28 ∗ ∗ VL(x,z(x)) ∗ {h(PL(w(x)), V (z(x)))(x)i ∗ }x∈L ≈c {S (x)}x∈L ∀ PPT V , w, z. L VL L L

Extending to all L ∈NP cont.

Claim 27 (PL, VL) is a CZK for L with the same completeness and soundness as (P, V) as for 3COL.

Completeness and soundness: Clear. Zero knowledge: LetS (an efﬁcient) ZK simulator for (P, V) (for 3COL).

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 37 / 37 ∗ ∗ V (x,zx ) On input (x, zx ) and veriﬁerV , letS L outputS (MapX (x)).

Claim 28 ∗ ∗ VL(x,z(x)) ∗ {h(PL(w(x)), V (z(x)))(x)i ∗ }x∈L ≈c {S (x)}x∈L ∀ PPT V , w, z. L VL L L

Extending to all L ∈NP cont.

Claim 27 (PL, VL) is a CZK for L with the same completeness and soundness as (P, V) as for 3COL.

Completeness and soundness: Clear. Zero knowledge: LetS (an efﬁcient) ZK simulator for (P, V) (for 3COL).

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 37 / 37 Claim 28 ∗ ∗ VL(x,z(x)) ∗ {h(PL(w(x)), V (z(x)))(x)i ∗ }x∈L ≈c {S (x)}x∈L ∀ PPT V , w, z. L VL L L

Extending to all L ∈NP cont.

Claim 27 (PL, VL) is a CZK for L with the same completeness and soundness as (P, V) as for 3COL.

Completeness and soundness: Clear. Zero knowledge: LetS (an efﬁcient) ZK simulator for (P, V) (for 3COL).

∗ ∗ V (x,zx ) On input (x, zx ) and veriﬁerV , letS L outputS (MapX (x)).

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 37 / 37 ∗ ∗ VL(x,z(x)) Proof: Assume {h(PL(w(x)), V (z(x))(x)i ∗ }x∈L 6≈c {S (x)}x∈L. L VL L Hence, ∗ V∗(x,z0(x)) {h(P(MapW (x, w(x))), V )(x)iV∗(z0(x))}x∈3COL 6≈c {S (x)}x∈3COL, ∗ 0 −1 ∗ −1 0 −1 −1 whereV (x, zx = (zx , x )) acts likeV L(x , zx ), and z (x) = (z(x ), x ) −1 −1 for x = MapX (x).

Extending to all L ∈NP cont.

Claim 27 (PL, VL) is a CZK for L with the same completeness and soundness as (P, V) as for 3COL.

Completeness and soundness: Clear. Zero knowledge: LetS (an efﬁcient) ZK simulator for (P, V) (for 3COL).

∗ ∗ V (x,zx ) On input (x, zx ) and veriﬁerV , letS L outputS (MapX (x)).

Claim 28 ∗ ∗ VL(x,z(x)) ∗ {h(PL(w(x)), V (z(x)))(x)i ∗ }x∈L ≈c {S (x)}x∈L ∀ PPT V , w, z. L VL L L

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 37 / 37 ∗ ∗ VL(x,z(x)) Assume {h(PL(w(x)), V (z(x))(x)i ∗ }x∈L 6≈c {S (x)}x∈L. L VL L Hence, ∗ V∗(x,z0(x)) {h(P(MapW (x, w(x))), V )(x)iV∗(z0(x))}x∈3COL 6≈c {S (x)}x∈3COL, ∗ 0 −1 ∗ −1 0 −1 −1 whereV (x, zx = (zx , x )) acts likeV L(x , zx ), and z (x) = (z(x ), x ) −1 −1 for x = MapX (x).

Extending to all L ∈NP cont.

Claim 27 (PL, VL) is a CZK for L with the same completeness and soundness as (P, V) as for 3COL.

Completeness and soundness: Clear. Zero knowledge: LetS (an efﬁcient) ZK simulator for (P, V) (for 3COL).

∗ ∗ V (x,zx ) On input (x, zx ) and veriﬁerV , letS L outputS (MapX (x)).

Claim 28 ∗ ∗ VL(x,z(x)) ∗ {h(PL(w(x)), V (z(x)))(x)i ∗ }x∈L ≈c {S (x)}x∈L ∀ PPT V , w, z. L VL L L

Proof:

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 37 / 37 Hence, ∗ V∗(x,z0(x)) {h(P(MapW (x, w(x))), V )(x)iV∗(z0(x))}x∈3COL 6≈c {S (x)}x∈3COL, ∗ 0 −1 ∗ −1 0 −1 −1 whereV (x, zx = (zx , x )) acts likeV L(x , zx ), and z (x) = (z(x ), x ) −1 −1 for x = MapX (x).

Extending to all L ∈NP cont.

Claim 27 (PL, VL) is a CZK for L with the same completeness and soundness as (P, V) as for 3COL.

Completeness and soundness: Clear. Zero knowledge: LetS (an efﬁcient) ZK simulator for (P, V) (for 3COL).

∗ ∗ V (x,zx ) On input (x, zx ) and veriﬁerV , letS L outputS (MapX (x)).

Claim 28 ∗ ∗ VL(x,z(x)) ∗ {h(PL(w(x)), V (z(x)))(x)i ∗ }x∈L ≈c {S (x)}x∈L ∀ PPT V , w, z. L VL L L

∗ ∗ VL(x,z(x)) Proof: Assume {h(PL(w(x)), V (z(x))(x)i ∗ }x∈L 6≈c {S (x)}x∈L. L VL L

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 37 / 37 Extending to all L ∈NP cont.

Claim 27 (PL, VL) is a CZK for L with the same completeness and soundness as (P, V) as for 3COL.

Completeness and soundness: Clear. Zero knowledge: LetS (an efﬁcient) ZK simulator for (P, V) (for 3COL).

∗ ∗ V (x,zx ) On input (x, zx ) and veriﬁerV , letS L outputS (MapX (x)).

Claim 28 ∗ ∗ VL(x,z(x)) ∗ {h(PL(w(x)), V (z(x)))(x)i ∗ }x∈L ≈c {S (x)}x∈L ∀ PPT V , w, z. L VL L L

Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 37 / 37