The 29th Annual ACM-ICPC World Finals


DESCRIPTION

The 29th Annual ACM-ICPC World Finals. 1. Shanghai Jiaotong University 2. Moscow State University 3. St. Petersburg Institute of Fine Mechanics and Optics 4. University of Waterloo … 17. St. Petersburg State University. Zero Knowledge Proofs and Protocols. - PowerPoint PPT Presentation

TRANSCRIPT

The 29th Annual ACM-ICPC World Finals

1. Shanghai Jiaotong University
2. Moscow State University
3. St. Petersburg Institute of Fine Mechanics and Optics
4. University of Waterloo
…
17. St. Petersburg State University

Zero Knowledge Proofs and Protocols

Nikolay Vyahhi, St. Petersburg State University

Joint Advanced Student[s] School 2005

“A proof is whatever convinces me.” Shimon Even, 1978

Example (graph 3-coloring)

Problem (G3C): Given a graph, color its vertices with red, green, blue such that if any two vertices are joined by an edge then they receive different colors.

Probability that a cheating A survives repeated rounds (one edge opened per round on a graph with 14 edges):
$(13/14) = 0.929$, $(13/14)^{10} = 0.477$, $(13/14)^{100} = 6.047 \cdot 10^{-4}$, $(13/14)^{1000} = 6.536 \cdot 10^{-33}$

Probability that A can cheat (when B opened $n^2$ edges) is at most:
$(1 - 1/n)^{n^2} \le e^{-n}$

Agenda

Introduction

Theory:
• Interactive Proof Systems, Interactive Protocol
• Zero-Knowledge, QNR example
• Indistinguishability of Random Variables
• Approximability of Random Variables
• Zero-Knowledge
• Known Facts and Open Problems

Examples:
• GI
• GNI
• QNR

Related papers

Exercises


Introduction

Conception of Zero-Knowledge Proofs

Introduction

Applications:

• authentication // the user proves to the system that he is a valid user.
Weakness: Adversary E can prove to B that she is A, just by asking A to prove it to her and simulating this protocol with B.

• protecting against chosen message attack, by augmenting the ciphertext with a zero-knowledge proof of knowledge of the cleartext.

• non-oblivious commitment schemes

• …


Interactive Proof Systems

Intuitively, what should we require from an efficient theorem-proving procedure?

1. That it should be possible to “prove” a true theorem.
2. That it should be impossible to “prove” a false theorem.
3. That communicating the “proof” should be efficient. Namely, regardless of how much time it takes to come up with the proof, its correctness should be efficiently verified.

More formally. An interactive Turing machine (ITM) is a Turing machine equipped with a read-only input tape, a work tape, a random tape, and one read-only and one write-only communication tape. The random tape contains an infinite sequence of random bits, and can be scanned only from left to right.

Interactive Proof Systems

[Figure: Interactive Turing Machine]

Interactive Protocol

An interactive protocol is an ordered pair of ITMs A (prover) and B (verifier) such that A and B share the same input tape, B’s write-only communication tape is A’s read-only communication tape and vice versa.

Machine A is not computationally bounded, while B is bounded by a polynomial in the length of the common input.

The two machines take turns in being active, with B being active first. During an active stage A (B) first performs some internal computation using its tapes; and, second, it writes a string (for B (A)) on its write-only communication tape. Then it deactivates and machine B (A) becomes active.

Machine B accepts (or rejects) the input by outputting “accept” (or “reject”) and terminating the protocol.

Interactive Protocol

[Figure: Interactive Turing Machines]

Interactive Proof Systems

An interactive protocol (A,B) is called an interactive proof system for language L over {0,1}* if we have the following:

1. For each k, for sufficiently large x in L given as input to (A,B), B halts and accepts with probability at least $1 - |x|^{-k}$.
2. For each k, for sufficiently large x NOT in L, for any ITM A’, on input x to (A’,B), B accepts with probability at most $|x|^{-k}$.

The probabilities here are taken over the readings of the random bits of A and B.

Interactive Polynomial time (IP) is the class of languages for which there exists an interactive proof system.


Zero-Knowledge

For every polynomial time B’, the distribution that B’ “sees” on all its tapes, when interacting with A on input x ∈ L, is “indistinguishable” from a distribution that can be computed from x in polynomial time.

Example (QNR)

Problem (QNR): QNR = { (x,y) | y is a quadratic nonresidue mod x }. There is no z such that $y = z^2 \bmod x$.

So let’s try to prove with zero-knowledge, for some y, that it is from QNR. With prover A, verifier B, input (x,y) and |x| = n.

1. B begins by flipping coins to obtain random bits $b_1, b_2, \ldots, b_n$.
2. Then B flips additional coins to obtain random $z_1, z_2, \ldots, z_n$ ($0 < z_i < x$ and $\gcd(z_i, x) = 1$ for each $z_i$).
3. B computes $w_1, w_2, \ldots, w_n$ as follows:
• $w_i = z_i^2 \bmod x$, if $b_i = 0$
• $w_i = z_i^2 y \bmod x$, otherwise, if $b_i = 1$
4. B sends $w_1, w_2, \ldots, w_n$ to A.
5. A computes (somehow) for each i whether or not $w_i$ is a quadratic residue mod x, and sends this information ($c_1, c_2, \ldots, c_n$) to B.
6. B checks if $b_i = c_i$ for every i, and if so is “convinced” that (x,y) ∈ QNR.

Example (QNR)

Is it zero-knowledge?

NO!

Why?

Example (QNR)

What if B were to cheat? B could begin by setting $w_1 = 42$, for example, and then behave correctly. So B can compute whether or not 42 is a quadratic residue mod x, given x and a quadratic nonresidue y. At this time it is not known how to compute this in polynomial time, so this proof system may not be zero-knowledge!
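The six-step QNR protocol above and the cheating verifier of this slide, as an added Python simulation that is not part of the original slides. The modulus x = 55, the nonresidue y = 2 and the function names are constructed for the example; the prover's residuosity test is brute force, which only stands in for the computationally unbounded A because the numbers are tiny.

```python
import math
import random

# Constructed toy parameters: x = 55 = 5 * 11 and y = 2, which is a non-residue mod 5 and
# therefore a quadratic non-residue mod 55, so (x, y) is in QNR.
X, Y = 55, 2

def is_quadratic_residue(w, x):
    """Brute-force residuosity test standing in for the unbounded prover A ('computes somehow');
    feasible only because x is tiny, for a real modulus this is the hard problem."""
    return any(z * z % x == w % x for z in range(x))

def random_coins(x, n, rng):
    """Steps 1-2: B's random bits b_i and random units z_i (0 < z_i < x, gcd(z_i, x) = 1)."""
    units = [z for z in range(1, x) if math.gcd(z, x) == 1]
    return [rng.randrange(2) for _ in range(n)], [rng.choice(units) for _ in range(n)]

def verifier_queries(x, y, bits, zs):
    """Step 3: w_i = z_i^2 mod x if b_i = 0, else w_i = z_i^2 * y mod x."""
    ws = []
    for b, z in zip(bits, zs):
        assert 0 < z < x and math.gcd(z, x) == 1
        ws.append(z * z % x if b == 0 else z * z * y % x)
    return ws

def prover_answers(x, ws):
    """Step 5: c_i = 0 if w_i is a quadratic residue mod x, 1 otherwise."""
    return [0 if is_quadratic_residue(w, x) else 1 for w in ws]

def qnr_protocol(x, y, bits, zs):
    """Steps 3-6 with B's coins given explicitly; True if B is convinced that (x, y) is in QNR."""
    ws = verifier_queries(x, y, bits, zs)
    return prover_answers(x, ws) == list(bits)

def cheating_verifier_learns(x, y, target, n=4, seed=0):
    """The slide's objection, seen from B's side: B substitutes w_1 = target (42 on the slide)
    and otherwise follows the protocol.  A's answer c_1 then tells B whether target is a
    quadratic residue mod x, which B could not compute itself for a large modulus.
    Returns the leaked bit (True = residue)."""
    bits, zs = random_coins(x, n, random.Random(seed))
    ws = verifier_queries(x, y, bits, zs)
    ws[0] = target % x                       # the substituted first query
    return prover_answers(x, ws)[0] == 0

if __name__ == "__main__":
    bits, zs = random_coins(X, 8, random.Random(1))
    print("honest run accepted:", qnr_protocol(X, Y, bits, zs))
    print("cheating B learns whether 42 is a residue mod 55:", cheating_verifier_learns(X, Y, 42))
```

Running `qnr_protocol` with y = 4 (a residue, so (55, 4) is not in QNR) shows the soundness side: every w_i is then a residue, A always answers 0, and B rejects as soon as one of its bits is 1.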


Indistinguishability of Random Variables

Consider families of random variables U = {U(x)}, where x ∈ L, a particular subset of {0,1}*, and all random variables take values in {0,1}*.

Let U(x) and V(x) be two families of random variables.

We want to express the fact that, when the length of x increases, U(x) essentially becomes “replaceable” by V(x).

So, a random sample is selected from U(x) or from V(x) and it is handed to a “judge”. After studying the sample, he proclaims from which family our sample is.

Indistinguishability of Random Variables

Two families of random variables {U(x)} and {V(x)} are:

Equal if the judge’s verdict will be meaningless even if he is given samples of arbitrary size and he can study them for an arbitrary amount of time.

Statistically indistinguishable if the judge’s verdict becomes meaningless when he is given an infinite amount of time but only random, polynomial (in |x|) size samples to work on.

Computationally indistinguishable if the judge’s verdict becomes meaningless when he is only given polynomial (in |x|) size samples and polynomial (in |x|) time.


Approximability of Random Variables

Let M be a probabilistic Turing machine that on input x always halts. We denote by M(x) the random variable that, for each string α, takes the value α with the same probability that M on input x outputs α.

U is perfectly approximable on L if there exists a probabilistic Turing machine M, running in expected polynomial time, such that for all x ∈ L, M(x) is equal to U(x).

U is statistically (computationally) approximable on L if there exists a probabilistic Turing machine M, running in expected polynomial time, such that the families of random variables {M(x)} and {U(x)} are statistically (computationally) indistinguishable on L.


Zero-Knowledge

ITM B’ has an extra input tape H, whose length is bounded above by a polynomial in the length of x.

When B’ interacts with A, A sees only x on its tape, whereas B’ sees (x,H).

So H is some knowledge about x that the cheating B’ already possesses. Or H can be considered as the history of previous interactions that B’ is trying to use to get knowledge from A.

Let $\mathrm{View}_{A,B'}(x,H)$ be the random variable whose value is the view of B’ (random tape, messages between parties, private tape). For convenience, we consider each view to be a string from {0,1}* of length $|x|^c$ for some fixed c > 0.

Zero-Knowledge

[Figure: Interactive Turing Machines]

Zero-Knowledge

Let L be a language and (A,B) a protocol. Let B’ be as above. We say that (A,B) is perfectly (statistically) (computationally) zero-knowledge on L for B’ if the family of random variables $\mathrm{View}_{A,B'}$ is perfectly (statistically) (computationally) approximable on

L’ = { (x,H) | x ∈ L and $|H| = |x|^c$ }

We say that the interactive protocol (A,B) is perfectly (statistically) (computationally) zero-knowledge on L if it is perfectly (statistically) (computationally) zero-knowledge on L for all probabilistic polynomial time ITMs B’. Note that this definition only depends on A and not at all on B.

Usually, only computational zero-knowledge is considered.


Known Facts and Open Problems

Every language in NP has a perfect zero knowledge proof (if one-way permutations exist).

Every language in IP has a zero knowledge proof.

It’s known that (obvious): BPP ⊆ PZK ⊆ SZK ⊆ CZK ⊆ IP

Goldreich’s belief is that: BPP PZK SZK CZK = IP

The relationship of PZK and SZK remains an open problem (with no evidence either way).


Examples (GI)

Problem (GI – Graph Isomorphism): You have two graphs $(G_0, G_1)$; are they isomorphic?

Exercise 0: Think out a zero-knowledge proof for this problem. A knows that $G_0$ and $G_1$ are isomorphic (and how they are) and tries to prove this fact to B.

1. A chooses one graph ($G_0$ or $G_1$), and transforms it into any other isomorphic one $G_2$ (anyhow).
2. A sends this graph $G_2$ to B.
3. B flips a coin, and sends this bit b (0 or 1) to A.
4. A must show the isomorphism of $G_2$ and $G_b$ to B, otherwise B cannot accept.

Examples (GI)

If A is cheating, she can’t show the isomorphism of those two graphs with probability ½. But A can cheat with probability ½ also.

If B repeats this protocol n times, A can cheat with probability only $½^n = 2^{-n}$ (at most).

B can’t get any additional information from this interaction.


Examples (GNI)

Problem (GNI – Graph NonIsomorphism): You have two graphs $(G_0, G_1)$; are they nonisomorphic?

1. B chooses one graph ($G_0$ or $G_1$), and transforms it into any other isomorphic one $G_2$ (anyhow).
2. B sends this graph $G_2$ to A.
3. A must say which graph was chosen by B.

If A is cheating, the graphs $G_0$ and $G_1$ are isomorphic, and she cannot say exactly to which one $G_2$ is isomorphic. The probability of being caught is $1 - ½^n$.

B cannot get any additional information from this interaction.

Are you sure about the last point?
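The GI protocol (Exercise 0, with its ½-per-round cheating bound and a simulator for B's view) and the GNI protocol with its cheating verifier, as one added Python example that is not part of the original slides; the two share the graph helpers. The graphs G0, G1, NOT_ISO and the secret relabelling PHI are constructed inputs, the function names are my own, and `find_isomorphism` is an exhaustive search that only stands in for the unbounded prover because the graphs have four vertices.

```python
import itertools
import random

def permute(graph, perm):
    """Relabel a graph (n, frozenset of (u, v) with u < v) by a vertex permutation."""
    n, edges = graph
    return n, frozenset(tuple(sorted((perm[u], perm[v]))) for u, v in edges)

def compose(outer, inner):
    """(outer o inner)[i] = outer[inner[i]]."""
    return tuple(outer[i] for i in inner)

def inverse(perm):
    inv = [0] * len(perm)
    for i, p in enumerate(perm):
        inv[p] = i
    return tuple(inv)

def find_isomorphism(g, h):
    """Exhaustive search, the unbounded prover's tool: a permutation mapping g onto h, or None."""
    if g[0] != h[0] or len(g[1]) != len(h[1]):
        return None
    return next((p for p in itertools.permutations(range(g[0])) if permute(g, p) == h), None)

def random_perm(n, rng):
    perm = list(range(n))
    rng.shuffle(perm)
    return tuple(perm)

# Constructed inputs: a 4-cycle, its secret relabelling PHI (so G1 = PHI(G0)), and a graph with
# the same number of edges that is not isomorphic to it (it contains a triangle).
G0 = (4, frozenset({(0, 1), (1, 2), (2, 3), (0, 3)}))
PHI = (2, 0, 3, 1)
G1 = permute(G0, PHI)
NOT_ISO = (4, frozenset({(0, 1), (1, 2), (0, 2), (2, 3)}))

# ---- GI (Exercise 0): A holds phi with permute(g0, phi) == g1 ----
def gi_commit(g0, g1, c, pi):
    """Steps 1-2: A picks G_c, relabels it with pi and sends G_2 = pi(G_c)."""
    return permute((g0, g1)[c], pi)

def gi_open(phi, c, pi, b):
    """Step 4: A answers coin b with sigma such that sigma(G_b) == G_2."""
    if b == c:
        return pi
    return compose(pi, phi) if b == 0 else compose(pi, inverse(phi))

def gi_verify(g0, g1, g2, b, sigma):
    return permute((g0, g1)[b], sigma) == g2

def gi_honest_all_cases(g0, g1, phi, pi):
    """Completeness: the honest prover answers every (c, b) combination correctly."""
    return all(gi_verify(g0, g1, gi_commit(g0, g1, c, pi), b, gi_open(phi, c, pi, b))
               for c in (0, 1) for b in (0, 1))

def gi_cheat_success_count(g0, g1, pi):
    """Soundness: without phi, A can only open when b == c, i.e. 2 of the 4 (c, b) cases:
    probability 1/2 per round and 2^-n after n independent rounds."""
    wins = 0
    for c in (0, 1):
        g2 = gi_commit(g0, g1, c, pi)
        for b in (0, 1):
            sigma = pi if b == c else None          # the cheater's only possible answer
            wins += sigma is not None and gi_verify(g0, g1, g2, b, sigma)
    return wins

def gi_simulate(g0, g1, verifier_coin, seed=0):
    """Zero-knowledge: a simulator with no phi guesses b', sends a fresh copy of G_{b'}, keeps
    the transcript if the verifier's coin matches and rewinds otherwise.  The output is
    distributed like a real (G_2, b, sigma) transcript: B's view is approximable from x alone."""
    rng = random.Random(seed)
    while True:
        b_guess, sigma = rng.randrange(2), random_perm(g0[0], rng)
        g2 = permute((g0, g1)[b_guess], sigma)
        if verifier_coin(g2) == b_guess:
            return g2, b_guess, sigma

# ---- GNI: B sends a relabelled copy of G_b and the unbounded A must name b ----
def gni_query(g0, g1, b, pi):
    return permute((g0, g1)[b], pi)

def gni_answer(g0, g1, h):
    """A's step 3: which input graph h is isomorphic to (None if neither)."""
    if find_isomorphism(g0, h) is not None:
        return 0
    return 1 if find_isomorphism(g1, h) is not None else None

def gni_cheating_verifier_learns(g0, g1, h_star):
    """'Are you sure about the last point?': a cheating B submits any graph h* and A's answer
    tells it whether h* is isomorphic to G_0, a fact B could not compute on its own."""
    return gni_answer(g0, g1, h_star) == 0
```

`gi_simulate` is the constructive content of the approximability definition: whatever B's coin strategy, the simulator produces an accepting transcript with the same distribution as the real one without ever using PHI. `gni_cheating_verifier_learns` is the GNI counterpart of the w_1 = 42 objection to the first QNR protocol.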

Examples (GNI)

It is not zero-knowledge!

The same situation as with QNR earlier.

Examples (GNI)

Problem (GNI – Graph NonIsomorphism): You have two graphs $(G_0, G_1)$; are they nonisomorphic?

We must modify verifier B, so that he’ll prove to the prover A that he (B) knows the answer to his query graph (i.e. he knows an isomorphism to the appropriate input graph), and the prover answers the query only if she is convinced of this claim.

Of course, B’s proof must be zero-knowledge.


Example (QNR)

Problem (QNR): QNR = { (x,y) | y is a quadratic nonresidue mod x }. There is no z such that $y = z^2 \bmod x$.

B picks a random integer r and one bit.
• if bit = 0 then B sets $w = r^2 \bmod x$,
• otherwise $w = r^2 y \bmod x$.

B sends w to A.

For each $1 \le j \le m$, B picks random integers $r_{j1}, r_{j2}$ and a random $\mathrm{bit}_j$. B sets
• $a_j = r_{j1}^2 \bmod x$
• $b_j = y r_{j2}^2 \bmod x$

If $\mathrm{bit}_j = 1$, B sends A the ordered pair $(a_j, b_j)$, else $(b_j, a_j)$.

A sends B an m-long random bit vector $i = i_1, i_2, \ldots, i_m$.

Example (QNR)

B sends A the sequence $v = v_1, v_2, \ldots, v_m$:
• if $i_j = 0$ then $v_j = (r_{j1}, r_{j2})$
• if $i_j = 1$ then: if bit = 0 then $v_j = r r_{j1} \bmod x$, else $v_j = y r r_{j2} \bmod x$.

The intuition behind this step is as follows: if $i_j = 0$, then B is convincing A that the pair was chosen correctly; if $i_j = 1$ then B is convincing A that if the pair was chosen correctly, then w was chosen correctly.

A verifies that the sequence v was properly constructed. If not, A sends terminate to B and halts. Otherwise, A sets answer = 0 if w is a quadratic residue mod x and 1 otherwise, and sends answer to B.

Example (QNR)

B checks whether answer = bit. If so B continues the protocol, otherwise B rejects and halts.

After m repetitions of this protocol, if B did not reject thus far, B accepts and halts.

Conclusion: So, we force B to prove that he is not cheating. And now he cannot obtain any other information from this protocol (only whether y is a quadratic nonresidue or not). => It’s a (statistically) zero-knowledge proof.
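The modified QNR protocol of the last three slides, as an added Python simulation that is not part of the original slides. It uses the same m for the number of pairs and the number of repetitions, as the slides do; x = 55, y = 2, the class and function names, and the substituted value w = 42 (taken from the earlier slide) are constructed for the example. A's residuosity test is brute force and only stands in for the unbounded prover because x is tiny.

```python
import itertools
import math
import random

def is_quadratic_residue(w, x):
    """Unbounded prover's residuosity test by brute force (only feasible because x is tiny)."""
    return any(z * z % x == w % x for z in range(x))

def random_unit(x, rng):
    while True:
        r = rng.randrange(1, x)
        if math.gcd(r, x) == 1:
            return r

class Verifier:
    """Honest B for one repetition; stores the coins the slides call r, bit, r_j1, r_j2, bit_j."""
    def __init__(self, x, y, m, rng):
        self.x, self.y, self.m, self.rng = x, y, m, rng

    def commit(self):
        x, y, rng = self.x, self.y, self.rng
        self.r, self.bit = random_unit(x, rng), rng.randrange(2)
        self.w = self.r * self.r % x if self.bit == 0 else self.r * self.r * y % x
        self.roots, pairs = [], []
        for _ in range(self.m):
            r1, r2, bit_j = random_unit(x, rng), random_unit(x, rng), rng.randrange(2)
            a, b = r1 * r1 % x, y * r2 * r2 % x     # a_j is a residue, b_j is not (y is not)
            self.roots.append((r1, r2))
            pairs.append((a, b) if bit_j == 1 else (b, a))
        return self.w, pairs

    def open(self, challenge):
        """v_j = (r_j1, r_j2) if i_j = 0; else a square root of w*a_j (bit = 0) or w*b_j (bit = 1)."""
        x, y, r = self.x, self.y, self.r
        return [(r1, r2) if i_j == 0 else (r * r1 % x if self.bit == 0 else y * r * r2 % x)
                for i_j, (r1, r2) in zip(challenge, self.roots)]

def prover_check(x, y, w, pairs, challenge, v):
    """A's verification that v was properly constructed; False means 'terminate'."""
    for i_j, pair, v_j in zip(challenge, pairs, v):
        if i_j == 0:
            r1, r2 = v_j
            if set(pair) != {r1 * r1 % x, y * r2 * r2 % x}:
                return False
        elif not any(v_j * v_j % x == w * p % x for p in pair):
            return False
    return True

def run_protocol(x, y, m, seed=0, verifier_cls=Verifier):
    """m repetitions, each with m pairs; True if B accepts, False if B rejects or A terminates."""
    rng = random.Random(seed)
    for _ in range(m):
        ver = verifier_cls(x, y, m, rng)
        w, pairs = ver.commit()
        challenge = [rng.randrange(2) for _ in range(m)]   # A's random bit vector i
        if not prover_check(x, y, w, pairs, challenge, ver.open(challenge)):
            return False                                   # A sends terminate and halts
        answer = 0 if is_quadratic_residue(w, x) else 1
        if answer != ver.bit:
            return False                                   # B rejects
    return True

class CheatingVerifier(Verifier):
    """B from the earlier slide: substitutes w = 42 without knowing a root; the pairs stay honest."""
    def commit(self):
        _, pairs = super().commit()
        self.w = 42 % self.x
        return self.w, pairs

    def open(self, challenge):
        # For i_j = 1 it would need a root of w*a_j or w*b_j; it has none, so it sends 0.
        return [(r1, r2) if i_j == 0 else 0 for i_j, (r1, r2) in zip(challenge, self.roots)]

def cheater_survives(x, y, m, challenge, seed=0):
    """Does the substituted w pass A's check for one given challenge vector?"""
    ver = CheatingVerifier(x, y, m, random.Random(seed))
    w, pairs = ver.commit()
    return prover_check(x, y, w, pairs, challenge, ver.open(challenge))

def cheater_survival_count(x, y, m):
    """Over all 2^m challenge vectors only the all-zero one (which never asks for a root of w)
    lets the cheater through: it is caught with probability 1 - 2^-m before A answers."""
    return sum(cheater_survives(x, y, m, list(c)) for c in itertools.product((0, 1), repeat=m))
```

The point of `prover_check` is the second branch: for every j with i_j = 1 the verifier must exhibit a square root of w times one element of the pair, which it can only do if it built w from an r it knows. A verifier that merely substituted w = 42 therefore fails unless A happens to pick the all-zero challenge vector, and A never reveals the residuosity of 42.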

Non-Interactive ZK Proofs

General idea: use a one-way function instead of verifier B.

A generates n random numbers, and so generates n different problems isomorphic to the initial one.

A publishes all these new problems.

A uses one-way functions to generate a “random” bit string b from the definitions of the new problems that were published (it’ll be like B’s random tape).

If $b_i = 0$ then A proves the isomorphism of the initial and the i-th new problem, otherwise she opens the solution of the i-th new problem. Then A publishes this information.

Anyone can verify this proof without interaction.
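The non-interactive construction described above, as an added Python example that is not part of the original slides, instantiated for the G3C problem from the beginning of the talk: the "new problems" are relabelled copies of the graph, the one-way function is SHA-256 over everything A publishes, and each challenge bit selects either the isomorphism or the copy's own colouring. The 5-cycle instance, its colouring, and the function names are constructed for the example.

```python
import hashlib
import json
import random

# Constructed instance: a 5-cycle, which is 3-colourable; the witness is a proper colouring.
GRAPH = (5, [(0, 1), (1, 2), (2, 3), (3, 4), (0, 4)])
COLOURING = [0, 1, 0, 1, 2]

def permute_graph(graph, perm):
    """An isomorphic copy: relabel every vertex v as perm[v]; edge lists are kept sorted."""
    n, edges = graph
    return n, sorted(tuple(sorted((perm[u], perm[v]))) for u, v in edges)

def is_proper(graph, colouring):
    return all(colouring[u] != colouring[v] for u, v in graph[1])

def random_perm(n, rng):
    p = list(range(n))
    rng.shuffle(p)
    return p

def challenge_bits(graph, copies):
    """The one-way function standing in for B's random tape: SHA-256 over the published instance
    and copies, read out as one challenge bit per copy (k <= 256 here)."""
    digest = hashlib.sha256(json.dumps([graph, copies]).encode()).digest()
    return [(digest[i // 8] >> (i % 8)) & 1 for i in range(len(copies))]

def prove(graph, colouring, k, seed):
    """A publishes k copies, derives b from them and opens, per copy, either the isomorphism
    (b_i = 0) or the copy's own solution (b_i = 1)."""
    rng = random.Random(seed)
    perms, copies, solutions = [], [], []
    for _ in range(k):
        pi, rho = random_perm(graph[0], rng), random_perm(3, rng)
        copies.append(permute_graph(graph, pi))
        sol = [None] * graph[0]
        for v in range(graph[0]):
            sol[pi[v]] = rho[colouring[v]]      # relabelled vertices, shuffled colour names
        perms.append(pi)
        solutions.append(sol)
    bits = challenge_bits(graph, copies)
    openings = [perms[i] if b == 0 else solutions[i] for i, b in enumerate(bits)]
    return {"copies": copies, "openings": openings}

def verify(graph, proof):
    """Anyone can check: recompute b from the published data and test each opening against it."""
    copies, openings = proof["copies"], proof["openings"]
    if len(copies) != len(openings):
        return False
    for copy, b, opening in zip(copies, challenge_bits(graph, copies), openings):
        if b == 0:      # opening must be a vertex permutation carrying the instance onto the copy
            if sorted(opening) != list(range(graph[0])) or permute_graph(graph, opening) != copy:
                return False
        else:           # opening must be a proper 3-colouring of the copy
            if len(opening) != copy[0] or not all(c in (0, 1, 2) for c in opening) \
                    or not is_proper(copy, opening):
                return False
    return True
```

A prover without a colouring can prepare each copy for only one of the two challenges (a genuine relabelling it cannot colour, or a colourable graph that is not a relabelling), so with the bits fixed by the hash it passes all k checks with probability about $2^{-k}$. Note that an opened solution is a full colouring of a published copy; what stays hidden is only the relabelling between that copy and the instance.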


Related papers

S. Goldwasser, S. Micali, C. Rackoff. “The knowledge complexity of interactive proof systems”, 1989 (1986).

U. Feige, A. Fiat, A. Shamir. “Zero-Knowledge Proofs of Identity”, 1988.

B. Schneier. “Applied Cryptography”, 1996.

O. Goldreich. “Foundations of Cryptography”, 2001.

Thank you!

Questions?


Exercises

ZK proof for G3C using a phone/email (you can’t see what your opponent does, so sometimes you can’t believe in something).


Thank you again!