ZERO-KNOWLEDGE (INTRO) ALON ROSEN IDC HERZLIYA BIU WINTER SCHOOL | February 2019 Zero-knowledge proofs Prover 푃 Verifier 푉 푃 interacts with 푉 convincing him that a proposition is true Interaction reveals nothing beyond validity of the proposition If proposition is true, any 푉∗ might as well have generated (simulated) the interaction on his own Avoids the question “what is knowledge?” altogether! Example: color non-blindness I can distinguish the balls Did I swap? Example: color non-blindness He swapped… Example: color non-blindness Damn… You Swapped! • 푉’s “view”: a random bit that equals his “swap or not” bit • 푉 could simulate view by picking random bit on his own! What is zero-knowledge good for? Can prove that I know a secret without having to reveal it Identification: 1. Alice publishes 푦 = 푓(푥) 2. Alice proves to Bob in ZK that she knows 푥′ ∈ 푓−1(푦) Protocol design: 1. Design against parties that follow instructions 2. Use ZK proof to force honest behavior “trusted party” → protocol Why zero-knowledge? Remarkable definitional framework: • At the heart of protocol design and analysis • Brings to light key concepts and issues Right level of abstraction: • Simple enough to be studied/realized • Feasibility/limitations delineate what is attainable ZK is just a means to an end • Weaker definitions are also useful (WI/WH/NIZK) • Tension between modularity and efficiency Proof Systems What is a proof? A method for establishing truth: 1. legal 2. authoritative 3. scientific 4. philosophical 5. mathematical 휋 Axioms → → ⋯ → Propositions 6. probabilistic, interactive Proof Systems Want to prove: 푥 ∈ 퐿 for some language 퐿 ⊆ Σ∗ 휋 V 퐿 = 푥 | ∃휋, 푉(푥, 휋) = ACCEPT Definition: A proof system for membership in 퐿 is an algorithm 푉 such that ∀푥: Completeness: If 푥 ∈ 퐿, then ∃휋, V(푥, 휋) = ACCEPT Soundness: If 푥 ∉ 퐿, then ∀휋, V(푥, 휋) = REJECT NP Proof Systems efficient verification ⟺ poly-time verification Definition: An NP proof system for membership in L is an algorithm 푉 such that ∀푥: Completeness: If 푥 ∈ 퐿, then ∃휋, V(푥, 휋) = ACCEPT Soundness: If 푥 ∉ 퐿, then ∀휋, V(푥, 휋) = REJECT Efficiency: V(푥, 휋) halts after at most 푝표푙푦(|푥|) steps • 푉′s running time is measured in terms of 푥 , the length of 푥 • poly 푥 = 푥 푐 for some constant 푐 • Necessarily, 휋 = 푝표푙푦 푥 Example I: Boolean Satisfiability 푆퐴푇 = 휙|휙 is a satisfiable Boolean formula 푛 푆퐴푇 = 휙 푤1, … , 푤푛 | ∃푤 ∈ 0,1 , 휙 푤 = 1 휋 = 푤 ? 휙 ∈ 푆퐴푇: V 휙 푤 = 1 Complete: every 퐿 ∈ 푁푃 reduces to 푆퐴푇 Unstructured: 푒푥푝(푂(푛)) time (worst case). Example II: Linear Equations 퐿퐼푁 = 퐴, 푏 |퐴푤 = 푏 ℎ푎푠 푎 푠표푙푢푡표푛 표푣푒푟 픽 휋 = 푤 ? 퐴, 푏 ∈ 퐿퐼푁: V 퐴푤 = 푏 푒푥푝 푛 many 푤’s Structured: decidable in time O 푛2.373 = 푝표푙푦(푛) The class P poly-time ⟺ efficient Definition: 퐿 ∈ P if there is a poly-time algorithm 퐴 such that 퐿 = 푥 | 퐴(푥) = ACCEPT 푆퐴푇 NP complete NP 퐿퐼푁 P BPP: 퐴 is probabilistic poly-time (푃푃푇) and errs w.p. ≤ 1/3 Example III: Quadratic Residuosity 푄푅푁 = 푥| 푥 푠 푎 푞푢푎푑푟푎푡푐 푟푒푠푑푢푒 푚표푑 푁 ? 휋 = 푤 2 푥 ∈ 푄푅푁 : V 푥 ≡ 푤 푚표푑 푁 ∗ Structured: 푄푅푁 is a subgroup of ℤ푁 푁 = 푃푄 푃 = 푄 = 푛 : 푒푥푝 푂෨ 푛1/3 time (avg. case) Summary so far efficient verification ⟺ poly-time verification 푆퐴푇 NP complete NP 퐿퐼푁 P 푄푅푁 Proving non-membership? 퐴, 푏 ∉ 퐿퐼푁? decidable in time poly(푛) ? 푤1, … , 푤2푛 휙 ∉ 푆퐴푇: V ∀, 휙 푤푖 = 0 푤1, … , 푤φ(푁) ? ∀, 푥 ≢ 푤2 푚표푑 푁 푥 ∉ 푄푅푁 : V 푖 Naïve proof is exponentially large [GMR’85]: allow proof to use • Randomness (tolerate “error”) • Interaction (add a “prover”) Interactive Proofs Interactive proof for 푄푅푁 [GMR’85] P 푥 ∉ 푄푅푁 V 푧 = 푦2 푏 = 0 푏 ∈푅 0,1 ∗ 푧 = 푥푦2 푏 = 1 푦 ∈푅 ℤ푁 푏′ 푧 = 0 푧 ∈ 푄푅 ? 푁 푏′ = 푏 푏′ 푧 = 1 푧 ∉ 푄푅푁 2 2 Completeness: 푥 ∉ 푄푅푁 → 푦 ∈ 푄푅푁 and 푥푦 ∉ 푄푅푁 2 2 Soundness: 푥 ∈ 푄푅푁 → 푦 ∈ 푄푅푁 and 푥푦 ∈ 푄푅푁 ∗ ∗ ∀푃 , 푃푟푏 푃 푧 = 푏 = 1/2 Interactive Proof P 푥 ∈ 퐿 V 푝표푙푦( 푥 ) 푚1 푟 ∈푅 0,1 푚2 ⋮ 푚푘 ACCEPT/REJECT 푉 is probabilistic polynomial time (푃푃푇) For any common input 푥, let: 푃푟 푃, 푉 accepts 푥 ≜ 푃푟푟 푃, 푉 푥, 푟 = ACCEPT Interactive Proof Systems Definition [GMR’85]: An interactive proof system for 퐿 is a 푃푃푇 algorithm 푉 and a function 푃 such that ∀푥: Completeness: If 푥 ∈ 퐿, then 푃푟 푃, 푉 accepts 푥 ≥ 2/3 Soundness: If 푥 ∉ 퐿, then ∀푃∗, 푃푟 푃∗, 푉 accepts 푥 ≤ 1/3 • Completeness and soundness can be bounded by any 푐: ℕ → [0,1] and 푠: ℕ → [0,1] as long as • 푐 푥 ≥ 1/2 + 1/푝표푙푦( 푥 ) • 푠 푥 ≤ 1/2 − 1/푝표푙푦( 푥 ) • 푝표푙푦( 푥 ) independent repetitions → 푐 푥 − 푠 푥 ≥ 1 − 2−푝표푙푦 푥 • NP is a special case (푐 푥 = 1 and 푠 푥 = 0) • BPP is a special case (no interaction) The Power of IP Proposition: 푄푅푁 ∈ IP • NP proof for 푄푅푁 not self-evident • This suggests that maybe NP ⊂ IP • Turns out that 푆퐴푇 ∈ IP (in fact #푆퐴푇) Theorem [LFKN’90]: 푃#P ⊆ IP Theorem [Shamir’90]: IP = PSPACE The power of IP IP = PSPACE [S’90] #푆퐴푇 [LFKN’90] 푆퐴푇 푆퐴푇 NPc coNPc NP coNP P 퐿퐼푁 푄푅푁 Zero-Knowledge A Proof that (presumably) Does Leak Info 푄푅푁 = 푥| 푥 푠 푎 푞푢푎푑푟푎푡푐 푟푒푠푑푢푒 푚표푑 푁 ? 휋 = 푤 2 푥 ∈ 푄푅푁 : V 푥 ≡ 푤 푚표푑 푁 • Generating 휋 - 푒푥푝(푂෨ 푛1/3 time • Verifying - O 푛2 time 푉 “got something for free” from seeing 휋 푉 may have not been able to find 푤 on his own! Defining that “no knowledge leaked” Some attempts: • 푉 didn’t learn 푤 (sometimes good enough!) • 푉 didn’t learn any symbol of 푤 • 푉 didn’t learn any information about 푤 • 푉 didn’t learn any information at all (beyond 푥 ∈ 퐿) When would we say that 푉 did learn something? If following the interaction 푉 could compute something he could have not computed without it! Zero-knowledge: whatever is computed following interaction could have been computed without it Zero-Knowledge (at last) 푉’s view = 푉’s random coins and messages it receives ∀푥 ∈ 퐿, 푉’s view can be efficiently “simulated” What does this mean? Philosophically: 푉 is given the information that 푥 ∈ 퐿 Modulo this, 푉 might as well have talked to himself Technically: 푉 view ≅ 푉 simulation Whatever 푉 could compute following the interaction, he could have computed even without talking to 푃, by running the simulator on his own 푉 might as well talk to himself P 푥 ∈ 퐿 V 푝표푙푦( 푥 ) 푚1 푟 ∈푅Bah.0 Forget,1 it. I will just simulate. 푚2 ⋮ 푚푘 푉 푥, 푟, 푚1, … , 푚푘 ↓ 푉 sim(푥) Honest Verifier Zero-Knowledge 푉’s view distribution can be simulated in poly-time • We will allow simulator 푆 to be probabilistic (푃푃푇) • Efficient ⟺ Probabilistic poly-time (BPP instead of P) Definition [GMR’85]: An interactive proof 푃, 푉 for 퐿 is (honest-verifier) zero-knowledge if ∃푃푃푇 푆 ∀푥 ∈ 퐿 푆 푥 ≅ 푃, 푉 푥 • We use 푃, 푉 푥 to denote 푉’s view • Usually 푃, 푉 푥 = 푉 view denotes 푉’s output • Simulator for 푉’s view implies simulator for 푉’s output Sanity check ? 휋 = 푤 2 푥 ∈ 푄푅푁 : V 푥 ≡ 푤 푚표푑 푁 2 • ∀푥 ∈ 푄푅푁, 푆 푥 ≡ 푥 푚표푑 푁 2 • ∀푥 ∉ 푄푅푁, 푆 푥 ≢ 푥 푚표푑 푁 2 • 푄푅푁 ∉ 퐵푃푃 → 푆 푥 ≢ 푥 푚표푑 푁 for some 푥 ∈ 푄푅푁 푃, 푉 for 퐿 is not (honest-verifier) zero-knowledge if ∀ 푃푃푇 푆 ∃푥 ∈ 퐿 so that 푆 푥 ≇ 푃, 푉 푥 A Zero-Knowledge proof for 푄푅푁 2 푥 = 푤 푚표푑 푁 P 푥 ∈ 푄푅푁 V ∗ 2 푟 ∈푅 ℤ푁 푦 = 푟 푏 푏 ∈푅 0,1 ? 푏 = 0: 푧 = 푟 푧2 = 푦 ? 푏 = 1: 푧 = 푤푟 푧2 = 푥푦 • 푃 is randomized and has auxiliary input 푤 • Distribution of V’s “view” 푃 푤 , 푉 푥 : uniformly random 푦, 푏, 푧 such that 푧2 = 푥푏푦 A Zero-Knowledge proof for 푄푅푁 Claim: 푃, 푉 is an interactive proof for 푄푅푁 * P V Soundness: 푦 = 푟2 푥 ∈ 푄푅푁 ↕ 푏 ∃푦, 푦 ∈ 푄푅푁 and 푥푦 ∈ 푄푅푁 2 If 푃푟 푃∗,푉 accepts 푥 > 1/2 푏 = 0: 푧0 = 푟 푧0 = 푦 푏 2 2 2 then both 푧0 = 푦 and 푧1 = 푥푦 푏 = 1: 푧1 = 푤푟 푧1 = 푥푦 Simulating 푉’s view P V Simulator 푆 푥 ∗ 푦 1. Sample 푧 ∈푅 ℤ푁 2. Sample 푏 ∈푅 0,1 2 푏 푏 3. Set 푦 = 푧 /푥 4. Output 푦, 푏, 푧 푧 random 푦,푏, 푧 such that 푧2 = 푥푏푦 ≅ random 푦,푏, 푧 such that 푧2 = 푥푏푦 Proposition: 푄푅푁 ∈ HVZK Simulating malicious 푉 ∗ ’s view * P V Simulator 푆 푥 ∗ 1. Sample 푧 ∈푅 ℤ푁 푦 ∗ 2. Sample 푏 ∈푅 ℤ푁 3. Set 푦 = 푧2/푥푏 ∗ 푏 = 푉∗ 푦 4. If 푉 푦 = 푏 output 푦, 푏, 푧 5. Otherwise repeat 푧 푥 ∈ 푄푅푁 ↓ 피 #repetitions = 2 random 푦,푏, 푧 such that random 푦,푏, 푧 such that ≅ 푧2 = 푥푏푦 and 푏 = 푉∗ 푦 푧2 = 푥푏푦 and 푏 = 푉∗ 푦 Perfect Zero-Knowledge Definition: An interactive proof system 푃, 푉 for 퐿 is perfect zero-knowledge if ∀푃푃푇 푉∗ ∃푃푃푇 푆 ∀푥 ∈ 퐿 푆 푥 ≅ 푃, 푉∗ 푥 Proposition: 푄푅푁 ∈ PZK • Actually showed “black-box” ZK: ∃푃푃푇 푆 ∀푃푃푇 푉∗ ∀푥 ∈ 퐿 ∗ 푆푉 푥 ≅ 푃, 푉∗ 푥 • We allowed 푆 to run in expected polynomial time • Can we build 푆 with strict polynomial running time? Amplifying soundness P V* ∗ 푆푉 푥 keeps state of partial view Repeat sequentially 푘 = 푝표푙푦 푥 times 피 time 푆 = 2 time 푉∗ ⋮ ACCEPT iff all repetitions are accepting −푝표푙푦 푥 Proposition: 푄푅푁 ∈ PZK w/ soundness error 2 Parallel repetition V* ⋯ ∗ 피 time 푆푉 = 2푘 time 푉∗ Later: • Black-box impossibility • 푉∗ whose view cannot be efficiently simulated Auxiliary input and Composition IP for 푄푅푁 is not ZK P 푥 ∉ 푄푅푁 V Not ZK wrt “auxiliary input” 푧 = 푦2 푏 = 0 푉∗ 푧 : use 푃 to decide if 푧 = 푥푦2 푏 = 1 푧 ∈ 푄푅푁 ∗ 푏′ = 0 푧 ∈ 푄푅푁 푧 is 푉 ‘s auxiliary input 푏′ = 1 푧 ∉ 푄푅푁 Proposition: 푄푅푁 ∈ HVZK Claim: 푃, 푉 is not 푍퐾 (wrt auxiliary input) ZK wrt auxiliary input Definition: An interactive proof 푃, 푉 for 퐿 is (perfect) ZK wrt auxiliary input if ∀푃푃푇 푉∗ ∃푃푃푇 푆 ∀푥 ∈ 퐿 ∀푧 푆 푥, 푧 ≅ 푃, 푉∗ 푧 푥 • 푧 captures “context” in which protocol is executed • Other protocol executions (“environment”) • A-priori information (in particular about 푤) • Simulator is also given the auxiliary input 푧 • Simulator runs in time 푝표푙푦 푥 • Auxiliary input 푧 is essential for composition Sequential composition of ZK P * ∗ V 푃 푉1 Compose sequentially 푃 푉∗ 푘 = 푝표푙푦 푥 times 2 ⋮ ∗ 푃 푉푘 ∗ simulating view of each of 푉푖’s → simulating view of 푉 Sequential composition of ZK Theorem: ZK is closed under sequential composition * P V(x,z) ∗ 푉1 푥, 푧 푉∗ 푆 1 푥,푧 = 풛ퟏ 푉∗ 푥, 푧, 풛 푉∗ 2 ퟏ 푆 2 푥, 푧, 풛ퟏ = 풛ퟐ ⋮ 푉∗ 푥, 푧, 풛 ,… , 풛 푉∗ 푘 ퟏ 풌−ퟏ 푆 푘 푥, 푧, 풛ퟏ,… , 풛풌−ퟏ = 풛풌 푉∗ 푆 푥, 푧 = 풛ퟏ, … , 풛풌 ∗ ∀, 풛풊 ≅ 푃, 푉푖 푧, 풛ퟏ, … , 풛풊−ퟏ 푥 Summary Defined: • NP, P, BPP, IP = PSPACE • PZK, HVZK Saw: • 퐿퐼푁, 푄푅푁, 푆퐴푇 ∈ NP • 푄푅푁 ∈ HVZK • 푄푅푁 ∈ PZK • 푄푅푁 ∈ HVZK • auxiliary input for ZK protocols • sequential composition of ZK protocols Food for Thought What if P=NP? • If P = NP then all 퐿 ∈ NP can be proved in PZK • 푃 sends nothing to 푉, who decides 푥 ∈ 퐿 on his own • But what about ZK within P? • For instance against quadratic time verifiers? Exercise: Suppose 휔 > 2.