
Theory of Computer Science for MSc Students, Spring 2007. Lecture 10. Lecturer: Dorit Aharonov. Scribes: Elad Dinur and Eran Bringer. Revised: Shahar Dobzinski, July 2007

1 Interactive Proof System (Prover-Verifier interaction)

An interactive proof system is an abstract machine that models computation as the exchange of messages between two parties. The parties, the verifier and the prover, interact by exchanging messages in order to ascertain whether a given string x belongs to a language L. The prover is all-powerful, with unlimited computational resources, while the verifier has bounded (polynomial) computation power but is allowed to flip random coins. Messages are sent between the verifier and the prover until the verifier has an answer to the problem and has "convinced" itself that it is correct. Formally, a language L has an interactive proof system (L ∈ IP) if:

• Completeness: If x ∈ L then the verifier accepts with probability 1.

• Soundness: If x ∉ L then, whatever strategy the prover follows, the verifier accepts with probability at most 1/2.

Trivially, an NP language can be decided by an interactive proof system with one round, by just sending the NP witness to the verifier. It is also clear that if the verifier is deterministic, then there is no need to use more than one round (the prover can simulate the verifier's queries itself and send all the answers in the first round), so a deterministic verifier gives nothing beyond NP. However, it turns out that the class IP is much more powerful.

2 Graph-Non-Isomorphism ∈ IP

Let us consider the following problem, Graph-Non-Isomorphism (GNI): we are given two graphs G0 and G1, and we have to decide whether the graphs are not isomorphic. This problem is in coNP, since Graph-Isomorphism is in NP (a permutation mapping one graph onto the other is a proof of isomorphism). It is not known whether GNI is in NP, and this is unlikely to be true: there is no obvious short certificate of non-isomorphism. Yet, we will show that GNI ∈ IP. The protocol goes as follows. The verifier selects uniformly at random a bit b. Then, the verifier selects uniformly at random a permutation π of the vertices, and sends the permuted graph πG_b to the prover. The prover then answers with the value of b. The verifier accepts if and only if the prover answers with the correct value of b.

To see that the above protocol indeed proves that GNI ∈ IP, we have to show that if x ∈ L then the verifier always accepts, and otherwise the verifier rejects with probability at least 1/2. Suppose that x ∈ L. The prover gets a graph that is a permutation of one of the two input graphs and has to decide which one. This graph belongs to one of two disjoint sets: the set of all graphs isomorphic to G0, and the set of all graphs isomorphic to G1 (observe that here we use the assumption that the two graphs are not isomorphic, and thus the two sets are disjoint). The prover is all-powerful, so it can find which of G0, G1 the graph πG_b is isomorphic to, thus finding the value of b, as needed. Suppose that x ∉ L, that is, the two graphs are isomorphic. Then πG_b is a permutation of G0 and also a permutation of G1; its distribution is the same whether b = 0 or b = 1, so the prover, however it behaves, has no information about b. Thus, with probability at least 1/2, the prover returns an incorrect guess of b, and the verifier rejects.
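The GNI protocol above, as an added runnable example (this is not code from the lecture notes). Both parties are implemented: the verifier draws b and π, the unbounded prover is modeled by brute-force search over all relabelings, and the three sample graphs (a 5-cycle, the same cycle relabeled, and a graph with a degree-4 vertex) are constructed inputs chosen so that one pair is isomorphic and one is not.

```python
import itertools
import random

# Graphs are frozensets of undirected edges, each edge a frozenset of two
# vertices drawn from 0..N-1. The three graphs below are constructed sample
# inputs (not from the lecture).
def graph(edges):
    return frozenset(frozenset(e) for e in edges)

N = 5
C5 = graph([(0, 1), (1, 2), (2, 3), (3, 4), (4, 0)])
PENTAGRAM = graph([(0, 2), (2, 4), (4, 1), (1, 3), (3, 0)])  # C5 relabeled by i -> 2i mod 5, so isomorphic to C5
STAR_TRI = graph([(0, 1), (0, 2), (0, 3), (0, 4), (1, 2)])  # vertex 0 has degree 4, so not isomorphic to C5

def apply_perm(perm, g):
    """Relabel every vertex v of g as perm[v]; this is the graph pi(G) of the protocol."""
    return frozenset(frozenset(perm[v] for v in e) for e in g)

def is_isomorphic(g, h):
    """The unbounded prover's primitive: try all N! relabelings."""
    return any(apply_perm(p, g) == h for p in itertools.permutations(range(N)))

def verifier_challenge(g0, g1, rng):
    """Verifier's move: choose b and pi uniformly at random and send pi(G_b)."""
    b = rng.randrange(2)
    pi = list(range(N))
    rng.shuffle(pi)
    return b, apply_perm(pi, (g0, g1)[b])

def prover_answer(g0, g1, h):
    """Prover's move: report which input graph h is isomorphic to. If h is
    isomorphic to both (G0 and G1 isomorphic), the message carries no
    information about b, and this prover simply answers 0."""
    if is_isomorphic(g0, h):
        return 0
    return 1

def gni_round(g0, g1, rng):
    """One round: the verifier accepts iff the prover recovers b."""
    b, h = verifier_challenge(g0, g1, rng)
    return prover_answer(g0, g1, h) == b

def acceptance_rate(g0, g1, rounds, seed=0):
    """Fraction of accepting rounds: 1.0 when the graphs are non-isomorphic,
    about 1/2 when they are isomorphic."""
    rng = random.Random(seed)
    return sum(gni_round(g0, g1, rng) for _ in range(rounds)) / rounds
```

Note what `prover_answer` does if a cheating verifier sends an arbitrary graph H of its own instead of πG_b: it answers whether H is isomorphic to G0, which is information the verifier did not have. This is why the zero-knowledge claim for this protocol in the next section is only made for an honest verifier.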

3 Zero-Knowledge Proofs

In fact, a close look at the above protocol reveals a very interesting property: if x ∈ L then the verifier learns no new information about WHY it is true that x ∈ L! (When the graphs are not isomorphic, the verifier already knows b, so the prover's answer tells it nothing it did not know before.) This property has very interesting uses: if you get convinced but learn nothing, then you cannot prove the statement yourself to somebody else. This can be used, for example, to authenticate yourself in a convincing way, but such that nobody who saw the interaction can reuse your proof to present themselves as you. This raises a very interesting concept: proofs which reveal nothing but the validity of a certain statement. So, you can get convinced but learn nothing about the REASON for something to be true! Think of the possibilities: Andrew Wiles can send his work on Fermat's last theorem to a respectable mathematical journal, and the referees can be convinced that he indeed correctly proved the theorem, but learn no information at all about the proof itself.

We first have to be careful about how to define this property, and we do it by introducing the notion of a simulator. A simulator for an interactive-proof system ZK is a probabilistic polynomial-time algorithm A such that if x ∈ L then for all transcripts Y we have Pr[ZK(x) = Y] = Pr[A(x) = Y], where ZK(x) denotes the transcript of the interaction between the prover and the verifier on input x. If an interactive proof protocol has a simulator, then this protocol is a zero-knowledge protocol. The idea is that the verifier gets no new information from interacting with the prover: whatever it could compute from the transcript, it could compute by running A (which talks to no prover) instead. For example, the simulator for the GNI protocol is simple: select a bit b and a random permutation π, and output the transcript consisting of πG_b and the answer b (playing the prover's part). When G0 and G1 are not isomorphic this is distributed exactly as the real transcript.

It is also possible to define a class of statistical zero-knowledge proofs, where the simulator is not perfect but its output distribution is statistically very close to that of the real interaction, but this is outside the scope of this course. Another remark is that above we assumed that the verifier is honest, that is, obeys the protocol (in the GNI protocol, a cheating verifier could send a graph of its own choice and learn from the prover's answer whether it is isomorphic to G0). However, it turns out that it is possible to transform any such zero-knowledge protocol into a protocol that is also resistant against cheating verifiers.

4 Graph-Isomorphism ∈ IP

We now describe a zero-knowledge protocol for graph-isomorphism (here the input x = (G0, G1) is in L when the two graphs are isomorphic). In this protocol, the prover first selects uniformly at random a bit b and a random permutation π, and sends the verifier the permuted graph H = πG_b. The verifier selects uniformly at random a bit b' and sends it to the prover. The prover has to answer with a permutation π' such that π'G_{b'} = H, and the verifier accepts if and only if this equality holds. If x ∈ L, then the verifier accepts with probability 1. This is because G0, G1, and H are all isomorphic to each other, so the prover can find the right permutation π' (if b' = b it answers π itself; otherwise it composes π with an isomorphism from G_{b'} to G_b). If x ∉ L then with probability 1/2, H is not isomorphic to G_{b'}, and thus a permutation π' does not exist; repeating the protocol reduces the soundness error as required.

We want to show that this is a zero-knowledge protocol, and for that we need to show that there exists a simulator for this protocol. The simulator works in the following way: choose a random bit b and a random permutation π', and let the first message be H = π'G_b. Now run the verifier to obtain its bit; if it differs from b, rewind and start over with fresh b and π' (for the honest verifier this happens with probability 1/2, so the expected number of attempts is 2). Otherwise output the transcript (H, b, π'). When G0 and G1 are isomorphic, H is a uniformly random graph isomorphic to G0 regardless of b, the verifier's bit is uniform, and π' is a uniformly random permutation mapping G_b to H, which is exactly the distribution of the real transcript.
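The graph-isomorphism protocol and its simulator, as an added example that is not part of the lecture notes. Rather than sampling, it enumerates every coin toss of the honest prover and verifier (and of the simulator) on 4-vertex graphs, so the two transcript distributions can be compared exactly; the sample graphs (a path, the same path relabeled, and a star) are constructed inputs.

```python
import itertools
from collections import Counter
from fractions import Fraction

# Constructed sample inputs (not from the lecture): two isomorphic 4-vertex
# paths, and a star with the same number of edges that is not isomorphic to them.
def graph(edges):
    return frozenset(frozenset(e) for e in edges)

N = 4
PERMS = list(itertools.permutations(range(N)))
PATH = graph([(0, 1), (1, 2), (2, 3)])
PATH_RELABELED = graph([(2, 0), (0, 3), (3, 1)])  # PATH under 0->2, 1->0, 2->3, 3->1
STAR = graph([(0, 1), (0, 2), (0, 3)])            # K_{1,3}: vertex 0 has degree 3

def apply_perm(perm, g):
    return frozenset(frozenset(perm[v] for v in e) for e in g)

def compose(p, q):
    """(p o q)[v] = p[q[v]], so apply_perm(compose(p, q), g) == apply_perm(p, apply_perm(q, g))."""
    return tuple(p[q[v]] for v in range(N))

def find_iso(g, h):
    """Unbounded-prover primitive: some sigma with sigma(g) == h, or None."""
    return next((p for p in PERMS if apply_perm(p, g) == h), None)

def prover_first(g0, g1, b, pi):
    """First message H = pi(G_b)."""
    return apply_perm(pi, (g0, g1)[b])

def prover_second(g0, g1, b, pi, b_prime):
    """Answer pi' with pi'(G_{b'}) == pi(G_b): reuse pi when b' == b, otherwise
    pre-compose pi with an isomorphism G_{b'} -> G_b (None if there is none)."""
    if b_prime == b:
        return pi
    sigma = find_iso((g0, g1)[b_prime], (g0, g1)[b])
    return None if sigma is None else compose(pi, sigma)

def verifier_accepts(g0, g1, transcript):
    h, b_prime, pi_prime = transcript
    return pi_prime is not None and apply_perm(pi_prime, (g0, g1)[b_prime]) == h

def real_distribution(g0, g1):
    """Exact distribution of the transcript (H, b', pi') over all coin tosses of
    the honest prover (b, pi) and the honest verifier (b')."""
    dist = Counter()
    for b in (0, 1):
        for pi in PERMS:
            for b_prime in (0, 1):
                t = (prover_first(g0, g1, b, pi), b_prime, prover_second(g0, g1, b, pi, b_prime))
                dist[t] += Fraction(1, 2 * len(PERMS) * 2)
    return dist

def simulated_distribution(g0, g1):
    """The simulator guesses the verifier's bit b, picks pi' and emits
    H = pi'(G_b); it then runs the verifier and, if the verifier's bit differs
    from b, rewinds and retries (probability 1/2 per attempt for the honest
    verifier). Conditioned on the bits matching, each (b, pi') is equally
    likely, which is the distribution tabulated here."""
    dist = Counter()
    for b in (0, 1):
        for pi_prime in PERMS:
            dist[(apply_perm(pi_prime, (g0, g1)[b]), b, pi_prime)] += Fraction(1, 2 * len(PERMS))
    return dist

def acceptance_probability(g0, g1):
    """Exact probability that the honest verifier accepts the honest prover."""
    return sum(w for t, w in real_distribution(g0, g1).items() if verifier_accepts(g0, g1, t))
```

For the isomorphic pair the two `Counter`s are identical, which is the perfect zero-knowledge condition Pr[ZK(x) = Y] = Pr[A(x) = Y] checked transcript by transcript; for the non-isomorphic pair the real distribution contains rejecting transcripts (π' = None) and the acceptance probability is exactly 1/2.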

5 NP ⊆ ZK?

We now show that every language in NP has a zero-knowledge proof. However, for that we will need to assume the existence of a cryptographic primitive, called bit commitment. This primitive exists under common cryptographic assumptions, such as the existence of one-way functions. In other words, we cannot provide unconditionally zero-knowledge proofs for NP-complete problems. But we can provide them under some computational assumption, e.g., that factoring is hard (which can be used to build bit commitment, explained below). The proofs will not be ZERO knowledge in the information-theoretic sense, but they will be computationally zero-knowledge, namely, a computationally bounded verifier will learn nothing.

A bit-commitment protocol is a protocol in which Alice commits to a bit. That is, after the commit phase Bob is guaranteed that Alice cannot change this bit (binding), but Bob does not learn the value of the bit until Alice chooses to open the commitment (hiding). Given the existence of bit-commitment protocols, let us show that every language in NP has a zero-knowledge proof. Since every NP language reduces to an NP-complete one, it suffices to show it for 3-COL, the language of graphs G that can be properly colored using 3 colors only. In the beginning of the protocol, the prover finds a legal coloring of the graph, selects uniformly at random a permutation of the three colors, applies it to the coloring, and commits to the resulting color of each of the n vertices of the graph. The verifier selects uniformly at random an edge of the graph and asks the prover to open the commitments of its two endpoints. The verifier checks that both openings are valid and that the two revealed colors are legal colors which differ from each other; if any check fails the verifier rejects, otherwise it accepts. Clearly, if there is a legal coloring then the verifier accepts with probability 1. If the graph cannot be colored in 3 colors, then in any coloring at least one edge is colored incorrectly,

and the verifier queries that edge with probability at least 1/n², because the graph has at most n(n-1)/2 < n² edges. Thus, in this case the verifier accepts with probability at most 1 − 1/n². This error can be decreased by repeating the protocol enough times, say n³ times, with fresh commitments (and a fresh random permutation of the colors) in each repetition; the binding property of the commitments is what prevents the prover from changing a color after seeing which edge the verifier chose. We have to show that this is a zero-knowledge protocol. For that, observe that if G is indeed 3-colorable, then in each round the verifier sees only the commitments, which hide the colors, and the opened colors of one pair of adjacent vertices, which (because of the random permutation of the colors) are just a uniformly random pair of distinct colors. In particular, no information about the coloring can be carried over from one round to another, since in each round we draw a new permutation of the colors. We leave it as an exercise to the reader to formulate the above argument in terms of a simulator.
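The bit-commitment primitive and the 3-COL protocol built on it, as one added example that is not part of the lecture notes. The commitment is hash-based: it assumes SHA-256 over a random 16-byte nonce and the color is hiding and binding, which is a modeling assumption standing in for the one-way-function construction the text alludes to. The prover's coloring search is brute force (it is unbounded), the cheating prover on a non-3-colorable graph commits to the coloring with the fewest monochromatic edges, and the final function sketches the honest-verifier simulator the text leaves as an exercise. The two graphs are constructed inputs.

```python
import hashlib
import itertools
import random

# Constructed sample graphs (not from the lecture): (number of vertices, edge list).
BOWTIE = (5, [(0, 1), (1, 2), (2, 0), (2, 3), (3, 4), (4, 2)])  # two triangles sharing vertex 2: 3-colorable
K4 = (4, [(0, 1), (0, 2), (0, 3), (1, 2), (1, 3), (2, 3)])       # complete graph on 4 vertices: not 3-colorable

def best_coloring(n, edges):
    """Unbounded prover's step: a 3-coloring with the fewest monochromatic edges.
    For a 3-colorable graph this is a proper coloring; otherwise it is the best
    a cheating prover can commit to (here, one bad edge for K4)."""
    return min(itertools.product(range(3), repeat=n),
               key=lambda c: sum(c[u] == c[v] for u, v in edges))

def commit(color, nonce):
    """Commitment to one vertex color. Assumption: SHA-256 over a random 16-byte
    nonce and the color is hiding (the digest reveals nothing about the color)
    and binding (no other (color, nonce) pair opens to the same digest)."""
    return hashlib.sha256(nonce + bytes([color])).digest()

def prover_commit(coloring, rng):
    """Permute the three colors at random, then commit to every vertex."""
    perm = [0, 1, 2]
    rng.shuffle(perm)
    colors = [perm[c] for c in coloring]
    nonces = [bytes(rng.getrandbits(8) for _ in range(16)) for _ in colors]
    return [commit(c, r) for c, r in zip(colors, nonces)], (colors, nonces)

def prover_open(state, u, v):
    """Open the commitments of the two challenged vertices."""
    colors, nonces = state
    return (colors[u], nonces[u]), (colors[v], nonces[v])

def verifier_check(commitments, u, v, open_u, open_v):
    """Accept iff both openings match the commitments, are legal colors, and differ."""
    (cu, ru), (cv, rv) = open_u, open_v
    return (cu in (0, 1, 2) and cv in (0, 1, 2)
            and commit(cu, ru) == commitments[u]
            and commit(cv, rv) == commitments[v]
            and cu != cv)

def run_round(n, edges, coloring, rng):
    """One round: prover commits, verifier picks a random edge, prover opens it."""
    commitments, state = prover_commit(coloring, rng)
    u, v = rng.choice(edges)
    open_u, open_v = prover_open(state, u, v)
    return verifier_check(commitments, u, v, open_u, open_v)

def run_protocol(n, edges, rounds, seed=0):
    """Repeat with fresh commitments and a fresh color permutation each round.
    One bad edge is caught with probability 1/|E| per round, so a cheating
    prover survives all rounds with probability (1 - 1/|E|)^rounds."""
    rng = random.Random(seed)
    coloring = best_coloring(n, edges)
    return all(run_round(n, edges, coloring, rng) for _ in range(rounds))

def simulate_round(n, edges, rng):
    """Honest-verifier simulator (the exercise in the text): guess the challenge
    edge, put two random distinct colors on its endpoints and color 0 elsewhere,
    commit, and rewind whenever the verifier's edge differs from the guess. The
    opened pair is a uniform pair of distinct colors, as in the real protocol,
    and the unopened commitments are hiding, so the transcript looks the same."""
    while True:
        guess = rng.choice(edges)
        cu, cv = rng.sample(range(3), 2)
        fake = [0] * n
        fake[guess[0]], fake[guess[1]] = cu, cv
        commitments, state = prover_commit(fake, rng)
        challenge = rng.choice(edges)  # the honest verifier's coins
        if challenge == guess:
            return commitments, challenge, prover_open(state, *challenge)

def simulated_transcript_accepts(n, edges, seed=0):
    """Feed a simulated transcript to the real verifier check."""
    commitments, (u, v), (open_u, open_v) = simulate_round(n, edges, random.Random(seed))
    return verifier_check(commitments, u, v, open_u, open_v)
```

Usage: `run_protocol(*BOWTIE, rounds=30)` accepts every round, while `run_protocol(*K4, rounds=100)` is rejected with probability 1 − (5/6)^100, since the best the cheating prover can do on K4 is one monochromatic edge out of six. The check that opened values are in {0, 1, 2} matters: without it a prover could commit to "colors" outside the palette and never produce a monochromatic edge.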
