Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
Lecture 4.
Zero
.
Knowledge
Henry Corrigan-
Gibbs
Cs 355 -
Spring2019
Phan April 10,2019
-
Reap: Interactive proofs
- Zero knowledge
* What it is
*
Whyit's useful
* How we define
it
-
Example'
- Zk Proof for HAMCYLLE
Reminders
→ Hb 1 Lue Friday at 5pm vin Gratescope
↳ Come to OHtoday
?
→ Lateday policy
today
-
We will be discussing the most beautiful
idea in all of CS. Maybe
of all time ?
E Controversial but still true
- Zeroknowledge
- How to
proveto
youthat I know
Something (e.g . 4 is SAD
without leaking anythingelse Is
you( SAT
assignment)
-
Amazinglyclever
,
also useful in
many crypto
protocols.
→ Lesson :
Importance of definitions .
OriginalZk
paperis important
b/c of Lefts of 7k,
not because of theSpecific constructions
.
↳ Defa is>
'
h the battle
→ Paperrejected
3 l I think ) times before published
↳ Lesson?
Goldwasser,
Micah, Rakoff ( stoc
,
-85)
Recap : Interactiveproofs-
soonMonday,
Florian introduced interactiveproofs
Goal of a proof: Convince someone of
something-
-"
the verifier
"
"
statement"
In complexity theory,
we consider statements of theform
:
"
x c- L
"
- a
instancelanguage
Examples:
"
N is theproduct of
exactlytwo
primes
NG { pgI
primes pig }
"
The Pythagorean Them is true.
"
PYTNTME g
true statements in
Some formal system)
"
4 is a unsatisfiable SAT formula
's
4 E { set of unsatisfiable SATinstances
"
Recaps
Conventional Proof
Prover ( x ) Verifier ( x )
I Itt
"
accept'
or
"
rejects
?
-
yr mightbe hard to find (
exponentialtime )
deterministic-
an should beeasy
to check Ipolynomial
time
, verifier )
Say that we want toprove
that XEL.
Can do So w/
a conventional ⇐ L is an NP
proof language
e.
g .
toprove
that $ is SAT,
P sends Satisfying
assignmentto V
.
Blum NP="
nifty proof
"
Recap What if we allow P & V to
intent
?
What if Vcan use ran↳?
Verifier I x )
TT→
c-
→
#Can inverse
"
accept'
or
to I.
"
reject
'
↳
Profitmputene.int v. ×eL Prc v > Cx) =
"
accept
"
]±%2. Soundness
¥×p$Lprccpx.DK )
iaccept
"
]s%.
Can reduce toI
negligiblew/
repetition .
Q :
Why is interaction useful?
A1 : ( OnMonday )
IPcaptures
a largerclass of problems .
↳ PSPACE. . .
proveto
youtheir a
graphis
NOT
A 2 ! (Today)
3- COLORABLE!
Interactiveproofs
aan havea
third
surprising property .
Properties we want
3.
Zero knowledge V
"
learnsnothing
"
fromher interaction with P
,
exceptthat xe L
.
[Huh ? What does this
even mean?
Application : Canprove
to
youthat I executed some
protocol correctlywithout
revealing any
ofmy
Secrets .
Defer of Zk used to define securityin
manyprotocols
↳ want to show that"
nothing leaks"
①
:
What does itmean
to
"
learn nothing
"
from
an interaction?
Ex.
Me in 7thgrade
-
Ex. Military spokesperson .
INTUITION : If Vcan easily write down a transcript
of its intonation with P,
then V hasn't
learnedanything useful from P.
t÷÷q*÷
:*.
Ifyou
can simulate the cow .
transcript, noneed to have it at all !
↳Applications in real life
?
TheSurprising thing
is that there is a
veryclean
wayto formalize this intuition
3.
Zero knowledge: t efficient
VT I efficient Sin
St.
V.x c- L
{ View . ( Rx) VID ) - { Sim Cx ) }
q
Thereare diff flavors
of Zk
( :÷÷÷÷÷÷:
Intuition :
- whatever Vcan learn
by interning w/ P,
it
can learnsitting
at home by runningsin
.
-
f V* Mee"
I heard that
Dad
.¥*÷
in.
[I
"
fine
"
→
-
key to remember :
Input to Simessentially captures
what the CP,V ) interaction leaks.
:÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷:"
]
ZkProtocdfnHamyde [ Blum -871? l
)
-
Ham Cycle is an NP-Complete problem
{Gn?!!?
.
oh
↳
Anything provable ( in NP) is
provable
K
Wigtasg;↳ Reduce tohlawgde instance
,
use this protocol .
Intheory
,
carpair
to
youthat I Know an Oday
in iOS without revealing
itis you? And
so on.
. . .
Reminder i
Desai of Ham Gale
G = ( V
,
E ) undirectedgraph
2
(÷:ds¥rakuten.me )See Knuth ( linked from course website) for fun
history of thisproblem
.
Hsm Cycle :{ GIG has a Hamiltoniancycle }
Adjacency
Mattix
, y s 6
I O I I I O Or
( s . :
::::::
a ÷::isee .
)S O I o O O I
GO O
I0 I
0
Trivial Protocol
i÷÷÷÷i÷÷÷:÷÷÷
Zkprotool (Blunt
following Blum,
we'llimagine
that P can send V
"
looked boxes ;
which we
implementw/
cryptographiccommitments .
Prover (G) Verifier ( G)-
-
* Put each of then vertices Y
,
. .. in
into n
boxesBy .
. .
,
Bn in random order .
* Into box Bij ,
put
}I
if vertices in B;
and B;
are
adjacent in G
O.
o.
W.
Bi 's =
relabeling of vertices
Bij 's =
adj .
matrix under relabeling
Send theht
(2) boxes
-
Flip acoin b←49B
If
bso
:
"
Show me G
!If bsl
:
"
Show me thecycle
'!
-
If b-
- O : Unlock all boxes-
Check :
If be I : Unlock anyboxes b=0 Got a
perm
correspondingto Ham Cycle in 4
. of adj .
nutria
bsl.
Got a cycle
Accept if so.
Some Comments msg
- Boxcontains
m
I
Sone particular
←& type
of hash fu .
• TXHlm
,r )
Imagine.
T=
→-
Key
A= ( m ,r )
→-
Properties
✓I
. Complete .
2.
Sound.
If Get Ham Cycle,
thenno matter what Pt
puts
in boxes,
V willreject up
?
'
h.
3.
Zev. knowledge .
Ve construct eff Sim.
Sim ( G c- Ham Cycle )
-
Guess 5 I lost } .
- If 5=0,
But randomperm
of Adj out in Boxes
- 5=1, put
randomperm
ofcycle in Boxes
.
- Run b ← V't
( G,
Boxe . )
-
If
btb,
Abort.
-
Else, open
boxes perV* 's
request
-
Output ( G,
Boxes,
b,
Keys to boxes )
as transcript.
["
¥E;÷÷÷¥÷:.tk?Tm.:taf:')
Life lessons to remember
-
efficiently
* Ifyou
can
,
simulate an interaction.
you
haven'tlearned anything useful from
it.
↳
Ideally doesn't applyto this lecture .
*Input
to simulator = what leaks.
* Anything that hasa traditional CNP)
proof
also hasa Zero knowledge proof system .