
Theory of Computer Science for MSc Students, Spring 2007
Lecture 10
Lecturer: Dorit Aharonov
Scribe: Elad Dinur and Eran Bringer
Revised: Shahar Dobzinski, July 2007

1 Interactive Proof System (Prover-Verifier interaction)

An interactive proof system is an abstract machine that models computation as the exchange of messages between two parties. The parties, the verifier and the prover, interact by exchanging messages in order to ascertain whether a given string $x$ belongs to a language $L$. The prover is all-powerful, with unlimited computational resources, while the verifier has bounded (polynomial) computation power, but is allowed to flip random coins. Messages are sent between the verifier and the prover until the verifier has an answer to the problem and has "convinced" itself that it is correct. Formally, a language $L$ has an interactive proof system ($L \in IP$) if:

- Completeness: If $x \in L$ then the verifier accepts with probability 1.
- Soundness: If $x \notin L$ then the verifier accepts with probability at most $1/2$.

Trivially, an NP language can be decided by an interactive proof system with one round, by just sending the proof to the verifier. It is also clear that if the verifier is deterministic, then there is no need to use more than one round (the prover can just simulate the queries of the verifier, and send all the answers in the first round). However, it turns out that the class IP is much more powerful.

2 Graph-Non-Isomorphism $\in IP$

Let us consider the following problem, Graph-Non-Isomorphism (GNI): we are given two graphs $G_0$ and $G_1$, and we have to decide whether the two graphs are not isomorphic, that is, $x = (G_0, G_1) \in L$ if and only if $G_0$ and $G_1$ are non-isomorphic. This problem is in coNP, since Graph-Isomorphism is in NP (a permutation can be shown as a proof of isomorphism). It is not known whether GNI is in NP, and this is unlikely to be true. Yet, we will show that $GNI \in IP$. The protocol goes as follows. The verifier selects uniformly at random a bit $b$.
Then, the verifier selects uniformly at random a permutation $\pi$, and sends the permuted graph $\pi G_b$ to the prover. The prover then answers with the value of $b$. The verifier accepts if and only if the prover answers with the correct value of $b$.

To see that the above protocol indeed proves that $GNI \in IP$, we have to show that if $x \in L$ then the verifier always accepts, and otherwise the verifier rejects with probability at least $1/2$.

Suppose that $x \in L$. The prover gets a graph that is a permutation of one of the two graphs and has to decide which graph it is. This graph belongs to one of two disjoint sets: the set of all graphs that are isomorphic to $G_0$, and the set of all graphs that are isomorphic to $G_1$ (observe that here we assume that the two graphs are indeed not isomorphic, and thus the two sets are disjoint). The prover is all-powerful, so it can find which graph $\pi G_b$ is isomorphic to, thus finding the value of $b$, as needed.

Suppose that $x \notin L$. That is, the two graphs are isomorphic. Thus, the prover has no way of determining the value of $b$, as the graph it got from the verifier is a permutation of both $G_0$ and $G_1$. Thus, with probability at least $1/2$, the prover will return an incorrect guess of $b$, and the verifier will reject.

3 Zero-Knowledge Proofs

A close look at the above protocol reveals a very interesting property: if $x \in L$ then the verifier learns no new information about WHY it is true that $x \in L$! There are very interesting possibilities of using this for cryptography: if you get convinced but learn nothing, then you cannot prove the statement yourself to somebody else. This, for example, can be used to authenticate yourself in a convincing way, but in such a way that nobody can use your proof to present themselves as you.
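The GNI protocol of Section 2, as an added example that is not part of the original lecture notes. Graphs are tiny so the all-powerful prover can be modelled by brute force over all $n!$ relabelings; the sample graphs (a path, a star, and a relabeled path) and the function names are constructed here. Run as a script, it counts accepting rounds for a non-isomorphic pair (every round accepts) and for an isomorphic pair, where $\pi G_b$ carries no information about $b$ and the prover's answer is a blind guess.

```python
import itertools
import random

# A graph is (n, edges): vertices 0..n-1, edges a frozenset of 2-element frozensets.
def make_graph(n, edges):
    return n, frozenset(frozenset(e) for e in edges)

def permute(graph, perm):
    """Relabel vertex v as perm[v]; this is the graph written pi G_b in the notes."""
    n, edges = graph
    return n, frozenset(frozenset(perm[v] for v in e) for e in edges)

def is_isomorphic(g, h):
    """The all-powerful prover's subroutine: brute force over all n! relabelings.
    Fine for the toy graphs here; it is exponential in n by design."""
    if g[0] != h[0] or len(g[1]) != len(h[1]):
        return False
    return any(permute(g, list(p))[1] == h[1] for p in itertools.permutations(range(g[0])))

def prover_answer(g0, g1, challenge):
    """Prover's move: say which input graph the challenge pi G_b is isomorphic to.
    If G0 and G1 are isomorphic both tests succeed and the answer (0) is a blind guess."""
    if is_isomorphic(challenge, g1) and not is_isomorphic(challenge, g0):
        return 1
    return 0

def gni_round(g0, g1, rng):
    """One round of the GNI protocol, run from the verifier's side. Returns True on accept."""
    b = rng.randrange(2)                        # verifier's secret bit
    perm = list(range(g0[0]))
    rng.shuffle(perm)                           # uniformly random permutation pi
    challenge = permute(g1 if b else g0, perm)  # send pi G_b to the prover
    return prover_answer(g0, g1, challenge) == b

def accepted_rounds(g0, g1, rounds, seed=0):
    """Number of accepting rounds out of `rounds`, with a seeded RNG for reproducibility."""
    rng = random.Random(seed)
    return sum(gni_round(g0, g1, rng) for _ in range(rounds))

# Constructed sample instances on 4 vertices.
PATH = make_graph(4, [(0, 1), (1, 2), (2, 3)])            # degree sequence 1,2,2,1
STAR = make_graph(4, [(0, 1), (0, 2), (0, 3)])            # degree sequence 3,1,1,1: not isomorphic to PATH
PATH_RELABELED = make_graph(4, [(2, 0), (0, 3), (3, 1)])  # PATH with vertices renamed: isomorphic to PATH

if __name__ == "__main__":
    # x in L (non-isomorphic): the honest prover is never wrong, so every round accepts.
    print("non-isomorphic pair, accepted:", accepted_rounds(PATH, STAR, 50), "/ 50")
    # x not in L (isomorphic): the prover can only guess, so roughly half the rounds reject.
    print("isomorphic pair, accepted:", accepted_rounds(PATH, PATH_RELABELED, 200, seed=1), "/ 200")
```

Repeating the round $k$ times drives a cheating prover's success probability down to $2^{-k}$, which is how the $1/2$ soundness bound from the definition is amplified in practice.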
This raises a very interesting concept: proofs which reveal nothing but the validity of a certain statement. So, you can get convinced but learn nothing about the REASON for something to be true! Think of the possibilities: Andrew Wiles can send his work on Fermat's last theorem to a respectable mathematical journal, and the referees can be convinced that he indeed correctly proved the theorem, but learn no information at all about the proof itself.

We first have to be careful about how to define this property, and we do it by introducing the notion of a simulator. A simulator for an interactive-proof system $ZK$ is a probabilistic polynomial-time algorithm $A$ such that if $x \in L$ then for all transcripts $Y$ we have $\Pr[ZK(x) = Y] = \Pr[A(x) = Y]$. If an interactive proof protocol has a simulator, then this protocol is a zero-knowledge protocol. The idea is that the verifier gets no new information from interacting with the prover: he can just run $A$ instead. For example, the simulator for the GNI problem is simple: select a bit $b$ and a permutation of $G_b$ at random, and return the value of $b$ (instead of the prover).

It is also possible to define a class of statistical zero-knowledge proofs, where the simulator is not perfect but its output is very close to the real interaction (it differs only with very small probability), but this is outside the scope of this course. Another remark is that above we assumed that the verifier is honest, that is, obeys the protocol. However, it turns out that it is possible to transform any zero-knowledge protocol into a protocol that is resistant also against cheating verifiers.

4 Graph-Isomorphism $\in IP$

We now describe a zero-knowledge protocol for graph-isomorphism. In this protocol, the prover first selects uniformly at random a bit $b$ and a random permutation $\pi$, and sends the verifier the permuted graph $\pi G_b$. The verifier selects uniformly at random a bit $b'$ and sends it to the prover. The prover has to answer with a permutation $\pi'$ such that $\pi' G_{b'} = \pi G_b$.

If $x \in L$, then the verifier accepts with probability 1. This is because $G_0$, $G_1$, and $\pi G_b$ are all isomorphic to each other, so the prover can find the right permutation $\pi'$. If $x \notin L$ then with probability $1/2$, $\pi G_b$ is not isomorphic to $G_{b'}$, and thus a permutation $\pi'$ does not exist.

We want to show that this is a zero-knowledge protocol, and for that we need to show that there exists a simulator for this protocol. The simulator works in the following way: choose a random bit $b'$ and a random permutation $\pi'$, and let the first message be $\pi' G_{b'}$. Now let $b'$ be the message of the verifier, and $\pi'$ the final message of the prover.

5 $NP \subseteq ZK$?

We now show that every language in NP has a zero-knowledge proof. However, for that we will need to assume the existence of a cryptographic primitive called bit commitment. This primitive exists under common cryptographic assumptions, such as the existence of one-way functions. In other words, we cannot provide strictly zero-knowledge proofs for NP-complete problems, but we can provide them under some computational assumption, e.g. that factoring is hard (which can be used to design the cryptographic primitive called bit commitment, which we will soon explain). The proofs will not be ZERO knowledge in the information-theoretic sense, but they will be computationally zero knowledge, namely, a computationally bounded verifier will learn nothing.

A bit-commitment protocol is a protocol in which Alice commits to a bit. That is, Bob is guaranteed that Alice cannot change this bit, but still Bob does not know the value of the bit. Given the existence of bit-commitment protocols, let us show that every language in NP has a zero-knowledge proof. Specifically, we show it for 3-COL, the language in which we are given a graph $G$ and we have to decide whether $G$ can be colored using only 3 colors.
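The graph-isomorphism protocol of Section 4 together with its simulator, as an added example that is not part of the original notes. The prover holds a witness permutation $\sigma$ with $\sigma G_0 = G_1$ (a constructed instance) and answers $b'$ with $\pi' = \pi$, $\pi \circ \sigma^{-1}$ or $\pi \circ \sigma$ depending on $(b, b')$. Because the graphs are tiny, the real transcript distribution over all prover and verifier coins and the simulator's distribution can both be enumerated exactly and compared, which is the $\Pr[ZK(x) = Y] = \Pr[A(x) = Y]$ condition from the definition above. Function names and the convention that a permutation $p$ relabels vertex $v$ as $p[v]$ are assumptions of this example.

```python
import itertools
import random
from collections import Counter
from fractions import Fraction

def make_graph(n, edges):
    return n, frozenset(frozenset(e) for e in edges)

def permute(graph, perm):
    """Relabel vertex v as perm[v] (the graph written pi G in the notes)."""
    n, edges = graph
    return n, frozenset(frozenset(perm[v] for v in e) for e in edges)

def compose(p, q):
    """(p o q)[v] = p[q[v]], so permute(permute(G, q), p) == permute(G, compose(p, q))."""
    return [p[q[v]] for v in range(len(p))]

def inverse(p):
    inv = [0] * len(p)
    for v, w in enumerate(p):
        inv[w] = v
    return inv

def prover_first_message(g0, g1, rng):
    """Prover picks b and pi and sends H = pi G_b; (b, pi) is kept as private state."""
    pi = list(range(g0[0]))
    rng.shuffle(pi)
    b = rng.randrange(2)
    return (b, pi), permute(g1 if b else g0, pi)

def prover_response(state, sigma, b_prime):
    """Witness sigma satisfies permute(G0, sigma) == G1.
    Returns pi' with permute(G_{b'}, pi') == H; sigma is only needed when b != b'."""
    b, pi = state
    if b == b_prime:
        return pi
    if b == 0:                            # H = pi G0 = (pi o sigma^-1) G1
        return compose(pi, inverse(sigma))
    return compose(pi, sigma)             # H = pi G1 = (pi o sigma) G0

def verifier_check(g0, g1, h, b_prime, pi_prime):
    """Verifier accepts iff pi' G_{b'} equals the committed graph H."""
    return permute(g1 if b_prime else g0, pi_prime) == h

def honest_round(g0, g1, sigma, rng):
    state, h = prover_first_message(g0, g1, rng)
    b_prime = rng.randrange(2)
    return verifier_check(g0, g1, h, b_prime, prover_response(state, sigma, b_prime))

def real_transcripts(g0, g1, sigma):
    """Exact distribution of transcripts (H, b', pi') in the real protocol with an honest
    verifier, obtained by enumerating every choice of the prover's and verifier's coins."""
    counts = Counter()
    for b in (0, 1):
        for pi in itertools.permutations(range(g0[0])):
            pi = list(pi)
            h = permute(g1 if b else g0, pi)
            for b_prime in (0, 1):
                pi_prime = prover_response((b, pi), sigma, b_prime)
                counts[(h, b_prime, tuple(pi_prime))] += 1
    total = sum(counts.values())
    return {t: Fraction(c, total) for t, c in counts.items()}

def simulated_transcripts(g0, g1):
    """The simulator from the notes: choose b' and pi' first and set H = pi' G_{b'}.
    It never touches sigma, yet its transcript distribution equals the real one."""
    counts = Counter()
    for b_prime in (0, 1):
        for pi_prime in itertools.permutations(range(g0[0])):
            h = permute(g1 if b_prime else g0, pi_prime)
            counts[(h, b_prime, tuple(pi_prime))] += 1
    total = sum(counts.values())
    return {t: Fraction(c, total) for t, c in counts.items()}

# Constructed instance: G1 is G0 relabeled by the witness SIGMA, so (G0, G1) is in the language.
G0 = make_graph(4, [(0, 1), (1, 2), (2, 3)])
SIGMA = [2, 0, 3, 1]
G1 = permute(G0, SIGMA)

def demo(rounds=100, seed=0):
    """Returns (completeness holds over `rounds` runs, real and simulated distributions coincide)."""
    rng = random.Random(seed)
    all_accept = all(honest_round(G0, G1, SIGMA, rng) for _ in range(rounds))
    same_distribution = real_transcripts(G0, G1, SIGMA) == simulated_transcripts(G0, G1)
    return all_accept, same_distribution

if __name__ == "__main__":
    print(demo())  # (True, True)
```

The equality of the two dictionaries is the whole point: every transcript the verifier could have seen is exactly as likely to come out of a simulator that does not know $\sigma$, so the transcript cannot carry any information about the witness. The enumeration only works for an honest verifier who really picks $b'$ at random, which is the honest-verifier caveat made in Section 3.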
In the beginning of the protocol, the prover finds a legal coloring of the graph, selects uniformly at random a permutation of the three colors, and commits to the resulting coloring of the $n$ vertices of the graph. The verifier selects uniformly at random two adjacent vertices in the graph (an edge) and asks the prover to reveal their colors. If the two vertices are colored with the same color, then the verifier rejects, otherwise he accepts.

Clearly, if there is a legal coloring then the verifier accepts with probability 1. If the graph cannot be colored in 3 colors, then in any coloring at least one edge is colored incorrectly, and we will query the respective vertices with probability at least $1/n^2$. Thus, in this case the verifier rejects with probability at least $1/n^2$, that is, accepts with probability at most $1 - 1/n^2$. This acceptance probability can be decreased by repeating the protocol enough times.

We have to show that this is a zero-knowledge protocol. For that, observe that if $G$ is indeed 3-colorable, then the verifier only learns that a pair of adjacent vertices are colored with different colors.
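The 3-COL protocol of Section 5, as an added example that is not part of the original notes. The commitment primitive is modelled by SHA-256 over a fresh random nonce and the color (an assumption standing in for the bit-commitment scheme the notes leave abstract; it commits to a color rather than a single bit). The graphs (a 5-cycle, which is 3-colorable, and $K_4$, which is not) and all function names are constructed here. Besides completeness and the per-round rejection probability for a cheating prover, it enumerates what the verifier actually sees for a challenged edge over all six color permutations, which is the observation the notes end with: an ordered pair of distinct colors, uniformly distributed, independent of the underlying coloring.

```python
import hashlib
import itertools
import random
from collections import Counter

def commit(color, rng):
    """Commitment stand-in (assumption, not the notes' primitive): SHA-256 over a fresh
    128-bit nonce and the color. The nonce hides the color; the hash binds the prover to it."""
    nonce = rng.getrandbits(128).to_bytes(16, "big")
    return hashlib.sha256(nonce + bytes([color])).hexdigest(), nonce

def open_commitment(com, nonce, color):
    return hashlib.sha256(nonce + bytes([color])).hexdigest() == com

def is_legal_coloring(edges, coloring):
    return all(coloring[u] != coloring[v] for u, v in edges)

def prover_commit_phase(coloring, rng):
    """Prover: randomly permute the three colors, then commit to every vertex's color."""
    perm = [0, 1, 2]
    rng.shuffle(perm)
    permuted = [perm[c] for c in coloring]
    commitments, openings = [], []
    for c in permuted:
        com, nonce = commit(c, rng)
        commitments.append(com)
        openings.append((nonce, c))
    return commitments, openings

def protocol_round(edges, coloring, rng):
    """One round from the verifier's side: challenge a uniformly random edge, check both
    openings against the commitments, and accept iff the revealed colors are distinct."""
    commitments, openings = prover_commit_phase(coloring, rng)
    u, v = edges[rng.randrange(len(edges))]
    (nonce_u, c_u), (nonce_v, c_v) = openings[u], openings[v]   # prover reveals the two endpoints
    return (open_commitment(commitments[u], nonce_u, c_u)
            and open_commitment(commitments[v], nonce_v, c_v)
            and c_u != c_v and {c_u, c_v} <= {0, 1, 2})

def accepted_rounds(edges, coloring, rounds, seed=0):
    rng = random.Random(seed)
    return sum(protocol_round(edges, coloring, rng) for _ in range(rounds))

def revealed_pair_distribution(coloring, edge):
    """What the verifier sees for a fixed challenged edge, over all 6 color permutations:
    each ordered pair of distinct colors appears exactly once, whatever the coloring was."""
    u, v = edge
    return Counter((perm[coloring[u]], perm[coloring[v]])
                   for perm in itertools.permutations(range(3)))

# Constructed instances.
C5_EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0)]
C5_COLORING = [0, 1, 0, 1, 2]                      # legal 3-coloring of the 5-cycle
K4_EDGES = [(u, v) for u in range(4) for v in range(u + 1, 4)]
K4_FAKE_COLORING = [0, 1, 2, 0]                    # K4 is not 3-colorable; edge (0, 3) is monochromatic

if __name__ == "__main__":
    # 3-colorable graph with an honest prover: every round accepts.
    print("C5 accepted:", accepted_rounds(C5_EDGES, C5_COLORING, 100), "/ 100")
    # Not 3-colorable: the one bad edge is challenged with probability 1/6 per round.
    print("K4 accepted:", accepted_rounds(K4_EDGES, K4_FAKE_COLORING, 600, seed=1), "/ 600")
    print("revealed pairs for edge (0, 1):", revealed_pair_distribution(C5_COLORING, (0, 1)))
```

For $K_4$ the cheating prover's best commitment still leaves one of six edges monochromatic, so each round catches it with probability $1/6$, in line with the $1/n^2$ bound (here $n = 4$, six edges). After $k$ rounds the verifier accepts a non-3-colorable graph with probability at most $(5/6)^k$, and the fresh color permutation in every round is what keeps the revealed pairs across rounds from being stitched together into information about the coloring.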