Foundation of Cryptography, Lecture 6 Interactive Proofs and Zero Knowledge Iftach Haitner, Tel Aviv University Tel Aviv University. April 23, 2014 Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 1 / 37 Part I Interactive Proofs Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 2 / 37 Efficient verifier, efficient prover (given the witness) Soundness holds unconditionally A proof system NP as a Non-interactive Proofs Definition 1 (NP) L 2NP iff 9 and poly-time algorithmV such that: 8x 2 L there exists w 2 f0; 1g∗ s.t. V(x; w) = 1 V(x; w) = 0 for every x 2=L and w 2 f0; 1g∗ Only jxj counts for the running time ofV. Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 3 / 37 Efficient verifier, efficient prover (given the witness) Soundness holds unconditionally NP as a Non-interactive Proofs Definition 1 (NP) L 2NP iff 9 and poly-time algorithmV such that: 8x 2 L there exists w 2 f0; 1g∗ s.t. V(x; w) = 1 V(x; w) = 0 for every x 2=L and w 2 f0; 1g∗ Only jxj counts for the running time ofV. A proof system Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 3 / 37 Soundness holds unconditionally NP as a Non-interactive Proofs Definition 1 (NP) L 2NP iff 9 and poly-time algorithmV such that: 8x 2 L there exists w 2 f0; 1g∗ s.t. V(x; w) = 1 V(x; w) = 0 for every x 2=L and w 2 f0; 1g∗ Only jxj counts for the running time ofV. A proof system Efficient verifier, efficient prover (given the witness) Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 3 / 37 NP as a Non-interactive Proofs Definition 1 (NP) L 2NP iff 9 and poly-time algorithmV such that: 8x 2 L there exists w 2 f0; 1g∗ s.t. V(x; w) = 1 V(x; w) = 0 for every x 2=L and w 2 f0; 1g∗ Only jxj counts for the running time ofV. A proof system Efficient verifier, efficient prover (given the witness) Soundness holds unconditionally Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 3 / 37 IP = PSPACE! We typically consider (and achieve) perfect completeness. Negligible “soundness error" achieved via repetition. Sometime we have efficient provers via “auxiliary input". Relaxation: Computationally sound proofs [also known as, interactive arguments]: soundness only guaranteed against efficient( PPT) provers. Definition 2 (Interactive proof) A protocol (P; V) is an interactive proof for L, ifV is PPT and: a Completeness 8x 2 L, Pr[h(P; V)(x)iV = 1] ≥ 2=3. Soundness 8x 2=L , and any algorithmP ∗ ∗ Pr[h(P ; V)(x)iV = 1] ≤ 1=3. IP is the class of languages that have interactive proofs. a h(A(a); B(b))(c)iB denoteB’s view in random execution of (A(a); B(b))(c). Interactive proofs Protocols between efficient verifier and unbounded provers. Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 4 / 37 IP = PSPACE! We typically consider (and achieve) perfect completeness. Negligible “soundness error" achieved via repetition. Sometime we have efficient provers via “auxiliary input". Relaxation: Computationally sound proofs [also known as, interactive arguments]: soundness only guaranteed against efficient( PPT) provers. Interactive proofs Protocols between efficient verifier and unbounded provers. Definition 2 (Interactive proof) A protocol (P; V) is an interactive proof for L, ifV is PPT and: a Completeness 8x 2 L, Pr[h(P; V)(x)iV = 1] ≥ 2=3. Soundness 8x 2=L , and any algorithmP ∗ ∗ Pr[h(P ; V)(x)iV = 1] ≤ 1=3. IP is the class of languages that have interactive proofs. a h(A(a); B(b))(c)iB denoteB’s view in random execution of (A(a); B(b))(c). Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 4 / 37 We typically consider (and achieve) perfect completeness. Negligible “soundness error" achieved via repetition. Sometime we have efficient provers via “auxiliary input". Relaxation: Computationally sound proofs [also known as, interactive arguments]: soundness only guaranteed against efficient( PPT) provers. Interactive proofs Protocols between efficient verifier and unbounded provers. Definition 2 (Interactive proof) A protocol (P; V) is an interactive proof for L, ifV is PPT and: a Completeness 8x 2 L, Pr[h(P; V)(x)iV = 1] ≥ 2=3. Soundness 8x 2=L , and any algorithmP ∗ ∗ Pr[h(P ; V)(x)iV = 1] ≤ 1=3. IP is the class of languages that have interactive proofs. a h(A(a); B(b))(c)iB denoteB’s view in random execution of (A(a); B(b))(c). IP = PSPACE! Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 4 / 37 Negligible “soundness error" achieved via repetition. Sometime we have efficient provers via “auxiliary input". Relaxation: Computationally sound proofs [also known as, interactive arguments]: soundness only guaranteed against efficient( PPT) provers. Interactive proofs Protocols between efficient verifier and unbounded provers. Definition 2 (Interactive proof) A protocol (P; V) is an interactive proof for L, ifV is PPT and: a Completeness 8x 2 L, Pr[h(P; V)(x)iV = 1] ≥ 2=3. Soundness 8x 2=L , and any algorithmP ∗ ∗ Pr[h(P ; V)(x)iV = 1] ≤ 1=3. IP is the class of languages that have interactive proofs. a h(A(a); B(b))(c)iB denoteB’s view in random execution of (A(a); B(b))(c). IP = PSPACE! We typically consider (and achieve) perfect completeness. Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 4 / 37 Sometime we have efficient provers via “auxiliary input". Relaxation: Computationally sound proofs [also known as, interactive arguments]: soundness only guaranteed against efficient( PPT) provers. Interactive proofs Protocols between efficient verifier and unbounded provers. Definition 2 (Interactive proof) A protocol (P; V) is an interactive proof for L, ifV is PPT and: a Completeness 8x 2 L, Pr[h(P; V)(x)iV = 1] ≥ 2=3. Soundness 8x 2=L , and any algorithmP ∗ ∗ Pr[h(P ; V)(x)iV = 1] ≤ 1=3. IP is the class of languages that have interactive proofs. a h(A(a); B(b))(c)iB denoteB’s view in random execution of (A(a); B(b))(c). IP = PSPACE! We typically consider (and achieve) perfect completeness. Negligible “soundness error" achieved via repetition. Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 4 / 37 Relaxation: Computationally sound proofs [also known as, interactive arguments]: soundness only guaranteed against efficient( PPT) provers. Interactive proofs Protocols between efficient verifier and unbounded provers. Definition 2 (Interactive proof) A protocol (P; V) is an interactive proof for L, ifV is PPT and: a Completeness 8x 2 L, Pr[h(P; V)(x)iV = 1] ≥ 2=3. Soundness 8x 2=L , and any algorithmP ∗ ∗ Pr[h(P ; V)(x)iV = 1] ≤ 1=3. IP is the class of languages that have interactive proofs. a h(A(a); B(b))(c)iB denoteB’s view in random execution of (A(a); B(b))(c). IP = PSPACE! We typically consider (and achieve) perfect completeness. Negligible “soundness error" achieved via repetition. Sometime we have efficient provers via “auxiliary input". Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 4 / 37 Interactive proofs Protocols between efficient verifier and unbounded provers. Definition 2 (Interactive proof) A protocol (P; V) is an interactive proof for L, ifV is PPT and: a Completeness 8x 2 L, Pr[h(P; V)(x)iV = 1] ≥ 2=3. Soundness 8x 2=L , and any algorithmP ∗ ∗ Pr[h(P ; V)(x)iV = 1] ≤ 1=3. IP is the class of languages that have interactive proofs. a h(A(a); B(b))(c)iB denoteB’s view in random execution of (A(a); B(b))(c). IP = PSPACE! We typically consider (and achieve) perfect completeness. Negligible “soundness error" achieved via repetition. Sometime we have efficient provers via “auxiliary input". Relaxation: Computationally sound proofs [also known as, interactive arguments]: soundness only guaranteed against efficient( PPT) provers. Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 4 / 37 Section 1 Interactive Proof for Graph Non-Isomorphism Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 5 / 37 GI = f(G0; G1): G0 ≡ G1g 2NP Does GN I = f(G0; G1): G0 6≡ G1g 2NP ? We will show a simple interactive proof for GN I Idea: Beer tasting... Graph isomorphism Πm – the set of all permutations from [m] to [m] Definition 3 (graph isomorphism) GraphsG 0 = ([m]; E0) andG 1 = ([m]; E1) are isomorphic, denotedG 0 ≡ G1, if 9π 2 Πm such that (u; v) 2 E0 iff (π(u); π(v)) 2 E1. Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 6 / 37 Idea: Beer tasting... Does GN I = f(G0; G1): G0 6≡ G1g 2NP ? We will show a simple interactive proof for GN I Graph isomorphism Πm – the set of all permutations from [m] to [m] Definition 3 (graph isomorphism) GraphsG 0 = ([m]; E0) andG 1 = ([m]; E1) are isomorphic, denotedG 0 ≡ G1, if 9π 2 Πm such that (u; v) 2 E0 iff (π(u); π(v)) 2 E1. GI = f(G0; G1): G0 ≡ G1g 2NP Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 6 / 37 Idea: Beer tasting... We will show a simple interactive proof for GN I Graph isomorphism Πm – the set of all permutations from [m] to [m] Definition 3 (graph isomorphism) GraphsG 0 = ([m]; E0) andG 1 = ([m]; E1) are isomorphic, denotedG 0 ≡ G1, if 9π 2 Πm such that (u; v) 2 E0 iff (π(u); π(v)) 2 E1. GI = f(G0; G1): G0 ≡ G1g 2NP Does GN I = f(G0; G1): G0 6≡ G1g 2NP ? Iftach Haitner (TAU) Foundation of Cryptography April 23, 2014 6 / 37 Idea: Beer tasting..