Zero-Knowledge Proofs

Ben Hosp

Page 1: Zero-Knowledge Proofs

Zero-Knowledge Proofs

Ben Hosp

Page 2: Zero-Knowledge Proofs

Classical Proofs

A proof is an argument for the truth or correctness of an assertion.

A classical proof is an unambiguous demonstration that a statement is true or false.

Page 3: Zero-Knowledge Proofs

Classical Proof Systems

Suppose we have a language of assertions and proofs over some finite alphabet.
  • Let L be the language of true assertions, that is, assertions that have proofs.

We can define a classical proof system for L as an algorithm V such that:
  • True assertions have proofs: if x is in L, then a proof p exists such that V(x,p) = 1.
    The Completeness property.
  • False assertions have no proofs: if y is not in L, for all p* in the proof language, V(y,p*) = 0.
    The Soundness property.
  • For all x in the assertion language and p in the proof language, V(x,p) halts in polynomial time.
    The Efficiency property.

Page 4: Zero-Knowledge Proofs

Graph Isomorphism

G = ([n],E)

Perm(G) = ([n], E’)
  • E’ = {(Perm(u), Perm(v)): (u,v) is in E}

If there exist G, H such that Perm(G) = H, then G and H are isomorphic and Perm is an isomorphism between G and H.

Page 5: Zero-Knowledge Proofs

Classical Proof System for Graph Isomorphism

    V(Graph G, Graph H, Permutation p) {
        if (p(G) == H) {    // O(|[n]|) time
            return 1;       // accept the proof
        } else {
            return 0;       // reject the proof
        }
    }

Page 6: Zero-Knowledge Proofs

NP

A review: NP is the class of problems which can be solved with a nondeterministic-polynomial algorithm.

    for each i in 1…answer.size
    G:  answer[i] = guess(i);      // magically provides the next bit of the answer
        if (!verify(answer, i))    // checks that answer is correct so far in polynomial time
            goto G;
        end if
    end for

Page 7: Zero-Knowledge Proofs

Classical Proofs are NP

So NP is exactly the class of languages with classical proof systems.

If we have an assertion, we can verify any proof for it in polynomial time.

The problem “Is x in L” is in NP.

Page 8: Zero-Knowledge Proofs

What Is A Proof?

Page 9: Zero-Knowledge Proofs

What Do You Learn From A Proof?

A lot more than the truth of an assertion.
  • You learn enough to convince others of the truth of that assertion.

The “classical” way to prove “There exists x...” is to provide an example of x.
  • What if you want to prove:
      “There exists x”
      “I know x”
    Without telling you x or (ideally) any information about x.

Page 10: Zero-Knowledge Proofs

Ali Baba’s Cave

There is a magic cave like this:

But Ali Baba knows there is a secret door here:

Ali Baba knows the cave is a loop, but no one else does.

Page 11: Zero-Knowledge Proofs

Ali Baba’s Cave

How can Ali Baba prove to you that the magic door exists?
  • Classical proof would give away the secret.

But Ali Baba can convince you the door exists by having you watch him go down one tunnel and come out the other.

We need a new class of proofs.

Page 12: Zero-Knowledge Proofs

Interactive Proofs

Interactive proofs are based on the interaction between a prover P and a verifier V.
  • P wants to prove something to the verifier.

An interaction protocol is a pair of functions mapping strings to strings.
  • In other words, it defines the messages P will send V and V will send P in terms of the last received message.
  • In general, P will give V some commitment, then V will randomly make some sort of challenge to P, and then reject or accept the proof based on P’s response.

Page 13: Zero-Knowledge Proofs

Probabilistic Proofs

Proofs based on interactive protocols are probabilistic.
  • There is generally a chance that the Verifier will reject some valid proofs or accept some invalid ones.

We can define a probabilistic proof system for L as an interactive protocol (P,V) such that:
  • For all x in the assertion language (P,V)(x) halts in polynomial time.
    The Efficiency property.
  • If x is in L, then (P,V)(x) accepts with probability at least
    The Completeness property.
  • If y is not in L, then (P,V)(x) accepts with probability at most
    The Soundness property
  • Where 1 >= > >= 0

We can repeat such a proof multiple times to make the chance of false positive or negative negligible.

Page 14: Zero-Knowledge Proofs

IP

IP is the class of languages with Interactive (Probabilistic) proofs.

NP is a subset of IP
  • P can send V a classical proof to check

IP is thought to be a strict superset of NP

Page 15: Zero-Knowledge Proofs

Graph Non-Isomorphism

No classical proof system is known for the question of whether graphs G and H are non-isomorphic.
  • We can check all possible permutations of G but this takes exponential time.

Observations on this problem:
  • Let ICP(G) be the set of isomorphic copies of G.
  • If G and H are non-isomorphic, then ICP(G) and ICP(H) are disjoint.
  • If G and H are isomorphic, then it is impossible to tell a random selection from ICP(G) and a random selection from ICP(H) apart.
    Because ICP(G) = ICP(H)

Page 16: Zero-Knowledge Proofs

Interactive Proof System for Graph Non-Isomorphism

Suppose we have G_0=([n],E_0) and G_1=([n],E_1).

V randomly selects C = G_0 or G_1, and a permutation p. V sends p(C) to P.

P determines whether p(C) is an isomorphic copy of G_0 or G_1, and sends that back to V.

If V receives the same graph as it chose, it accepts P’s proof that G_0 and G_1 are non-isomorphic, otherwise it rejects.
  • V has demonstrated the ability to tell the difference between elements of ICP(G_0) and ICP(G_1).
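The round described on this slide, as an added Python example that is not part of the original slides. The graph encoding, the function names and the three sample graphs are assumptions made for illustration; the prover is given unbounded power by brute-forcing all n! permutations, which only works for tiny n.

```python
import itertools
import random

def graph(pairs):
    """Undirected simple graph as a set of 2-element frozensets."""
    return frozenset(frozenset(p) for p in pairs)

def permute(g, perm):
    """Relabel every vertex v of g as perm[v]."""
    return frozenset(frozenset(perm[v] for v in e) for e in g)

def isomorphic(n, a, b):
    """Unbounded prover's test: try all n! permutations (exponential time)."""
    return any(permute(a, p) == b for p in itertools.permutations(range(n)))

def prover_answer(n, g0, g1, challenge, rng):
    """P names the graph the challenge is a copy of; if it is a copy of
    both (G_0 and G_1 isomorphic), P has no information and must guess."""
    in0, in1 = isomorphic(n, g0, challenge), isomorphic(n, g1, challenge)
    if in0 and in1:
        return rng.randrange(2)
    return 0 if in0 else 1

def run_round(n, g0, g1, rng):
    b = rng.randrange(2)                      # V's secret choice of C
    perm = list(range(n))
    rng.shuffle(perm)                         # V's random permutation p
    challenge = permute((g0, g1)[b], perm)    # V -> P: p(C)
    return prover_answer(n, g0, g1, challenge, rng) == b   # does V accept?

def accept_rate(n, g0, g1, rounds, seed=0):
    rng = random.Random(seed)  # seeded only to make the demo repeatable
    return sum(run_round(n, g0, g1, rng) for _ in range(rounds)) / rounds

# Constructed sample graphs on 4 vertices, 3 edges each.
PATH = graph([(0, 1), (1, 2), (2, 3)])
STAR = graph([(0, 1), (0, 2), (0, 3)])             # not isomorphic to PATH
PATH_RELABELLED = graph([(2, 0), (0, 3), (3, 1)])  # isomorphic to PATH

if __name__ == "__main__":
    print("non-isomorphic pair:", accept_rate(4, PATH, STAR, 200))
    print("isomorphic pair:    ", accept_rate(4, PATH, PATH_RELABELLED, 200))
```

For the non-isomorphic pair V accepts every round; for the isomorphic pair the acceptance rate stays near 1/2, so k repeated rounds push a false accept down to about 2^-k.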

Page 17: Zero-Knowledge Proofs

Zero-Knowledge Proofs

P is going to prove an assertion to V without giving V any information other than the truth of the assertion.

In other words, V can simulate a proof of the assertion and get something that is computationally indistinguishable from a proof V actually got from P.

V does not even learn enough to prove the assertion to another party.

Page 18: Zero-Knowledge Proofs

NP is a subset of ZP

Every language with a classical proof system has a zero-knowledge proof system.

Consider the graph 3-coloring problem:
  • G=([n],E), we can define C:[n]->{R,G,B} such that if (x,y) is in E, C(x) is different from C(y).

A classical proof that a graph has a 3-coloring is such a 3-coloring.

How can we prove a 3-coloring exists without revealing any information about it?

Page 19: Zero-Knowledge Proofs

Zero-Knowledge Proof System for Graph 3-coloring

G=([n],E).

P knows that C is a 3-coloring of G.

V randomly chooses (x,y) in E and sends it to P.

P sends C_x and C_y to V.

V rejects if C_x = C_y and accepts otherwise.

Page 20: Zero-Knowledge Proofs

Zero-Knowledge Proof System for Graph 3-coloring

G=([n],E).

P knows that C is a 3-coloring of G.

For each vertex v in [n], P encrypts it with a key K_v, and sends E_{K_v}(C(v)) to V.

V randomly chooses (x,y) in E and sends it to P.

P sends K_x and K_y to V.

V rejects if D_{K_x}(E_{K_x}(C(x))) = D_{K_y}(E_{K_y}(C(y))), and accepts otherwise.

Page 21: Zero-Knowledge Proofs

Zero-Knowledge Proof System for Graph 3-coloring

G=([n],E).

P knows that C is a 3-coloring of G.

P randomly chooses p, a permutation of {R,G,B}. Clearly p(C) = C’ is also a 3-coloring of G.

For each vertex v in [n], P encrypts it with a key K_v, and sends E_{K_v}(C’(v)) to V.

V randomly chooses (x,y) in E and sends it to P.

P sends K_x and K_y to V.

V rejects if D_{K_x}(E_{K_x}(C’(x))) = D_{K_y}(E_{K_y}(C’(y))), and accepts otherwise.

Page 22: Zero-Knowledge Proofs

Zero-Knowledge Proof System for Graph 3-coloring

Since p(C)=C’ is a proper 3-coloring of G, C’(x) will never equal C’(y) if x and y are adjacent.

If C is not a proper 3-coloring of G, C’(x) will sometimes equal C’(y) when x and y are adjacent.
  • We can repeat this protocol enough times to make the chance of false acceptance or rejection negligible.

V has learned whether a 3-coloring of G exists, but nothing about it.
  • The only information V has received from P is 2 distinct colors.
  • V could have generated that information on its own.
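The final protocol (permute colors, lock every vertex, open one random edge, repeat), as an added Python example that is not part of the original slides. It assumes a SHA-256 hash commitment over a random 32-byte key in place of the slides' per-vertex encryption E_{K_v}; the function names, the 5-cycle and both colorings are constructed for illustration.

```python
import hashlib
import random
import secrets

COLORS = "RGB"

def commit(key, color):
    """Stand-in for E_K(color): SHA-256 over a random 32-byte key and the color."""
    return hashlib.sha256(key + color.encode()).digest()

def open_commitment(key, c):
    """V's 'decryption': the color that key opens c to, or None."""
    return next((col for col in COLORS if commit(key, col) == c), None)

def prover_commit(coloring):
    """P picks a fresh permutation of {R,G,B} and a fresh key per vertex."""
    shuffled = list(COLORS)
    secrets.SystemRandom().shuffle(shuffled)
    relabel = dict(zip(COLORS, shuffled))            # p, so C' = p(C)
    keys = {v: secrets.token_bytes(32) for v in coloring}
    sent = {v: commit(keys[v], relabel[c]) for v, c in coloring.items()}
    return keys, sent

def run_round(edges, coloring, rng):
    keys, sent = prover_commit(coloring)             # P -> V: all commitments
    x, y = rng.choice(edges)                         # V -> P: random edge
    cx = open_commitment(keys[x], sent[x])           # P -> V: K_x and K_y only
    cy = open_commitment(keys[y], sent[y])
    return cx is not None and cy is not None and cx != cy

def run_protocol(edges, coloring, rounds, seed=0):
    rng = random.Random(seed)  # V's challenges; seeded so the demo repeats
    return all(run_round(edges, coloring, rng) for _ in range(rounds))

def cheat_bound(num_edges, rounds):
    """Chance that a coloring with one bad edge survives every round."""
    return (1 - 1 / num_edges) ** rounds

# Constructed sample: a 5-cycle, one proper coloring, one with edge (4,0) clashing.
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0)]
GOOD = {0: "R", 1: "G", 2: "R", 3: "G", 4: "B"}
BAD = {0: "R", 1: "G", 2: "R", 3: "G", 4: "R"}

if __name__ == "__main__":
    print(run_protocol(EDGES, GOOD, 200), run_protocol(EDGES, BAD, 200))
    print(cheat_bound(len(EDGES), 200))
```

A fresh permutation and fresh keys every round are what keep V's view down to "two distinct colors"; reusing either across rounds would let V link openings and reconstruct the coloring.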