zero knowledge proofs. interactive proof an interactive proof system for a language l is a two-party...

Zero Knowledge Proofs

Post on 21-Dec-2015


Page 1: Zero Knowledge Proofs. Interactive proof An Interactive Proof System for a language L is a two-party game between a verifier and a prover that interact

Zero Knowledge Proofs


Interactive proof

An Interactive Proof System for a language L is a two-party game between a verifier and a prover that interact on a common input in a way satisfying the following properties:


Interactive proof

The verifier’s strategy is a probabilistic polynomial-time procedure.

Correctness requirements:

• Completeness: There exists a prover strategy P, such that for every xL, when interacting on a common input x, the prover P convinces the verifier with probability at least 2/3.

• Soundness: For every xL, when interacting on the common input x, any prover strategy P* convinces the verifier with probability at most 1/3.


Zero Knowledge Proof

Let (P,V) be an interactive proof system for some language L. We say that (P,V), actually P, is zero-knowledge if for every probabilistic polynomial-time ITM V* there exists a probabilistic polynomial-time machine M* s.t. for every xL holds

{<P,V*>(x)}xL {M*(x)}xL

Machine M* is called the simulator for the interaction of V* with P.


Perfect Zero Knowledge

Definition: Let (P,V) be an interactive proof system for some language L. We say that (P,V), actually P, is perfect zero-knowledge (PZK) if for every probabilistic polynomial-time ITM V* there exists a probabilistic polynomial-time machine M* s.t. for every xL the distributions {<P,V*>(x)}xL and {M*(x)}xL are identical, i.e.,

{<P,V*>(x)}xL {M*(x)}xL


Statistical Zero Knowledge

Definition:

Let (P,V) be an interactive proof system for some language L. We say that (P,V), actually P, is statistical zero knowledge (SZK) if for every probabilistic polynomial-time verifier V* there exists a probabilistic polynomial-time machine M* s.t. the ensembles {<P,V*>(x)}xL and {M*(x)}xL are statistically close.


Statistical Zero Knowledge

Definition-cont.:

The distribution ensembles {Ax}xL and {Bx}xL are statistically close or have negligible variation distance if for every polynomial p(•) there exists an integer N such that for every xL with |x| N holds:

|Pr [Ax = ] – Pr [Bx = ]| p(|x|)-1


Computational Zero Knowledge

Definition:

Let (P,V) be an interactive proof system for some language L. (P,V), actually P, is computational zero knowledge (CZK) if for every probabilistic polynomial-time verifier V* there exists a probabilistic polynomial-time machine M* s.t. the ensembles {<P,V*>(x)}xL and {M*(x)}xL are computationally indistinguishable.


Computational Zero Knowledge

Definition:

Two ensembles {Ax}xL and {Bx}xL are computationally indistinguishable if for every probabilistic polynomial-time distinguisher D and for every polynomial p(•) there exists an integer N such that for every xL with |x| N holds

|Pr [D(x,Ax) = 1] – Pr [D(x,Bx) = 1]| p(|x|)-1


Graph Isomorphism problem

Definition

Graph Isomorphism two graphs G0 =(V0,E0) and G1 =(V1, E1) are isomorphic permutation

s.t

(u,v) E0 ( (u), (v)) E1

if G0 and G1 are isomorphic and is an isomorphism between G0 to G1 we write G1 = (G0) .


Graph Isomorphism problem

Graph Isomorphism problem: Given two graphs G1 and G2, are they isomorphic?

Lemma: GI ZK

Proof: Zero Knowledge Interactive Proof for GI.


Zero Knowledge Interactive proof for Graph Isomorphism

1. Repeat the following n times:

2. The prover chooses a random permutation of (1…n), computes H= (G1) and sends it to the verifier.

3. The verifier chooses randomly i=1 or 2 and sends it to the prover.


Zero Knowledge Interactive proof for Graph Isomorphism-cont.

4. The prover chooses permutation s.t H = (Gi).

If i=1 the prover sends to the verifier otherwise the prover will send -1 .( is the isomorphism between G1 and G2.

5. The verifier checks if H is the image of Gi under .

6. The verifier accepts if H is the image of Gi in all n rounds.


Zero Knowledge Interactive proof for Graph Isomorphism-cont.

[Diagram: the Prover sends H= (G1) to the Verifier; the Verifier sends i=1,2; the Prover replies; the Verifier checks if H is the image of Gi.]
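The rounds described above, as an added example that is not part of the original slides. Graphs are edge sets over vertices 0…n-1, and the names honest_round, guessing_round and verifier_accepts are assumptions of this sketch. It also shows the soundness side: a prover without an isomorphism can prepare H for only one of the two challenges, so each round catches it with probability 1/2.

```python
import random

def permute(graph, perm):
    """Image of an edge set under a vertex relabelling; perm[v] is the image of v."""
    return frozenset(frozenset(perm[v] for v in edge) for edge in graph)

def honest_round(g1, iso):
    """Prover who knows iso with iso(G1) = G2: returns H and its answer function."""
    n = len(iso)
    pi = random.sample(range(n), n)              # step 2: random permutation
    inv = [0] * n
    for v, image in enumerate(iso):
        inv[image] = v                           # inverse of the secret isomorphism
    via_g1 = [pi[inv[v]] for v in range(n)]      # maps G2 back to G1, then onto H
    return permute(g1, pi), lambda i: pi if i == 1 else via_g1

def guessing_round(g1, g2, n):
    """Prover with no isomorphism: it can only prepare H for one challenge."""
    guess = random.choice((1, 2))
    pi = random.sample(range(n), n)
    return permute((g1, g2)[guess - 1], pi), lambda i: pi

def verifier_accepts(g1, g2, make_round, rounds):
    for _ in range(rounds):
        h, answer = make_round()
        i = random.choice((1, 2))                # step 3: random challenge
        if permute((g1, g2)[i - 1], answer(i)) != h:   # step 5: H is the image of Gi?
            return False
    return True                                  # step 6: every round passed

def edges(pairs):
    return frozenset(frozenset(e) for e in pairs)

# Constructed sample input: G2 is a relabelling of G1; G3 has fewer edges, so it is not.
G1 = edges([(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2)])
ISO = [3, 0, 4, 1, 2]
G2 = permute(G1, ISO)
G3 = edges([(0, 1), (1, 2), (2, 3), (3, 4)])

if __name__ == "__main__":
    print("honest:", verifier_accepts(G1, G2, lambda: honest_round(G1, ISO), 20))
    print("guessing:", verifier_accepts(G1, G3, lambda: guessing_round(G1, G3, 5), 20))
```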


Building simulator M* for graph isomorphism problem

We will define simulator M* as follows:

Input:(G0, G1) ISO

1. Chooses a random string RANDOM and puts it on the random tape of verifier V*.

2. Randomly chooses a {0,1} and permutation and constructs H= (Ga), then sends H to V*.


Building simulator M* for graph isomorphism problem

3. Receive b from V* .

If b {0,1} then outputs {RANDOM,H,b} and STOP.

If a =b then outputs {RANDOM,H,b, } and STOP; else GOTO 1.
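The simulator steps above, as an added example that is not part of the original slides. V* is modelled as a function of its random tape and H, which is an assumption of this sketch, as are the names simulate, coin_v and adaptive_v. The point to observe is that simulate() is never given the isomorphism, yet every transcript it outputs passes the verifier's check, after two attempts on average.

```python
import random

def permute(graph, perm):
    """Image of an edge set under a vertex relabelling; perm[v] is the image of v."""
    return frozenset(frozenset(perm[v] for v in edge) for edge in graph)

def simulate(g0, g1, n, v_star, rng):
    """M*: sees only (G0, G1) and V*. Returns (transcript, attempts)."""
    attempts = 0
    while True:
        attempts += 1
        tape = rng.getrandbits(64)               # step 1: random tape for V*
        a = rng.randrange(2)                     # step 2: guess the challenge
        perm = rng.sample(range(n), n)
        h = permute((g0, g1)[a], perm)
        b = v_star(tape, h)                      # step 3: V* answers on (tape, H)
        if b not in (0, 1):
            return (tape, h, b), attempts        # malformed challenge: output and stop
        if a == b:
            return (tape, h, b, perm), attempts  # guess matched: output and stop
        # guess missed: throw the attempt away and start again (GOTO 1)

def round_verifies(g0, g1, transcript):
    """The check an honest verifier would apply to the simulated round."""
    _, h, b, perm = transcript
    return permute((g0, g1)[b], perm) == h

def coin_v(tape, h):
    """Honest verifier: the challenge is one bit of its random tape."""
    return tape & 1

def adaptive_v(tape, h):
    """A V* that derives its challenge from H as well (constructed strategy)."""
    return (sum(min(e) for e in h) + tape) & 1

# Constructed sample input; the relabelling used to build G1 is not passed to simulate().
G0 = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2)])
G1 = permute(G0, [3, 0, 4, 1, 2])

if __name__ == "__main__":
    transcript, attempts = simulate(G0, G1, 5, adaptive_v, random.Random())
    print("verifies:", round_verifies(G0, G1, transcript), "attempts:", attempts)
```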


Zero-Knowledge Password Proofs

1. The prover finds two large prime numbers, p and q, and sends n=pq to the verifier.

2. r is a random number belonging to [n, n4]. The prover sends x^2 mod n and r^2 mod n to the verifier.

3. The verifier then randomly asks for r or xr and checks the prover.


Zero-Knowledge Password Proofs

[Diagram: the Prover sends n=pq, x^2 mod n and r^2 mod n to the Verifier; the Verifier asks for xr or r; the Prover sends xr or r; the Verifier checks the Prover.]
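The exchange above, as an added example that is not part of the original slides. The slides only say the verifier "checks the prover", so the check used here (square the answer and compare it with r^2, or with x^2 · r^2, mod n) is an assumption, as are the function names, the toy primes and drawing r below n. The last function shows why a commitment must never be answered both ways: the two answers together reveal x.

```python
import math
import secrets

def keygen(p, q, x):
    """Step 1: the prover publishes n = p*q and x^2 mod n; x stays secret."""
    n = p * q
    return n, pow(x, 2, n)

def commit(n):
    """Step 2: a fresh random r for every round; the prover sends r^2 mod n."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r, pow(r, 2, n)

def respond(n, x, r, ask_xr):
    """Step 3, prover side: reveal r, or x*r mod n."""
    return (x * r) % n if ask_xr else r

def check(n, x_sq, r_sq, ask_xr, answer):
    """Step 3, verifier side (assumed check): square the answer and compare."""
    expected = (x_sq * r_sq) % n if ask_xr else r_sq
    return pow(answer, 2, n) == expected

def run(n, x_sq, x, rounds):
    """Repeat the round; a prover holding the wrong x fails every xr challenge."""
    for _ in range(rounds):
        r, r_sq = commit(n)
        ask_xr = secrets.randbelow(2) == 1
        if not check(n, x_sq, r_sq, ask_xr, respond(n, x, r, ask_xr)):
            return False
    return True

def leaked_by_reuse(n, r, xr):
    """Both answers for one commitment give x = xr * r^-1 mod n, so r is single-use."""
    return (xr * pow(r, -1, n)) % n

# Constructed toy parameters; real use needs primes of cryptographic size.
P, Q, X = 10007, 10009, 123456
N, X_SQ = keygen(P, Q, X)

if __name__ == "__main__":
    print("correct secret accepted:", run(N, X_SQ, X, 40))
    print("wrong secret accepted:", run(N, X_SQ, 654321, 40))
```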


NP and Zero Knowledge proofs

Lemma: NPZK

Proof: 3colZK .


Zero Knowledge proof for 3col problem

1. The prover randomly chooses a permutation . Computes (c(v)), puts in envelopes and sends to the verifier.

2. The verifier chooses randomly:

(u,v) E and opens the envelope.

If the colors are different and legal he answers “yes”.


Zero Knowledge proof for 3col problem

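[Diagram: the Prover chooses a permutation and sends (c(v)) in envelopes to the Verifier; the Verifier chooses (u,v) E; the envelope is opened and the Verifier checks that the colors are different.]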


ZK protocol for Co-SAT

Transform the CNF to a polynomial by these transformation rules:

1. T positive value

2. F 0

3. Xi Xi

3. Xi (1-Xi)

4. OR +

5. AND •


ZK protocol for Co-SAT

The protocol:

1. The prover selects a prime number q > 2^n • 3^m and sends it to the verifier.

2. The verifier checks that q is prime. If q isn’t prime, the verifier halts and rejects.
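The transformation rules and the bound on q, as an added example that is not part of the original slides. Clauses are written as lists of signed variable numbers, the function names are assumptions of this sketch, and the 3^m factor is read here as assuming at most three literals per clause. The sum of the polynomial over all 0/1 assignments is zero exactly when the formula is unsatisfiable, and the example shows how a modulus below the bound can make a satisfiable formula look unsatisfiable.

```python
from itertools import product

def arithmetize(cnf):
    """Build p(x1..xn) from a CNF given as clauses of signed variable numbers."""
    def p(assignment):                      # assignment[i-1] is the 0/1 value of Xi
        value = 1
        for clause in cnf:                  # AND becomes multiplication
            total = 0
            for lit in clause:              # OR becomes addition
                xi = assignment[abs(lit) - 1]
                total += xi if lit > 0 else 1 - xi   # Xi stays Xi, negated Xi is (1 - Xi)
            value *= total
        return value
    return p

def sum_over_cube(cnf, n, q=None):
    """Sum of p over all 0/1 assignments, optionally reduced mod q."""
    p = arithmetize(cnf)
    total = sum(p(a) for a in product((0, 1), repeat=n))
    return total if q is None else total % q

def min_modulus(n, m):
    """The protocol asks for a prime q above this value (n variables, m clauses)."""
    return 2**n * 3**m

# Constructed formulas: [1, -2] means (X1 OR NOT X2).
UNSAT = [[1, 2], [-1, 2], [1, -2], [-1, -2]]
SAT = [[1, 2], [-1, 2]]

if __name__ == "__main__":
    print("unsatisfiable formula sums to", sum_over_cube(UNSAT, 2))
    print("satisfiable formula sums to", sum_over_cube(SAT, 2))
    print("bound on q:", min_modulus(2, 2))
    print("same sum mod 2 (too small):", sum_over_cube(SAT, 2, q=2))
    print("same sum mod 37 (above the bound):", sum_over_cube(SAT, 2, q=37))
```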


ZK protocol for Co-SAT

3. V0 is initialized at value zero. The prover does the following for i=1…n. The prover computes a polynomial Pi whose rank is at most m.

The construction of Pi :

P1(x)= xn =0,1…. xn=0,1 p(x1 … xn)

P2(x)= xn =0,1…. xn=0,1 p(r1,x, x3 … xn)

Pn(x)= p(r1,... Rn-1, xn )

The prover puts the polynomial Pi in envelopes and sends it to the verifier.


ZK protocol for Co-SAT

4. The prover moves to the next stage(i=i+1).

5. We know that the verifier will accept

if r1… ri … rn s.t Pi(0) + Pi(1)= vi -1modq.

Since checking each assignment is polynomial this problem is in NP .

We can now do a reduction from any NP problem to 3col ZK .


ZK protocol for Graph non isomorphism

Definition

Graph non Isomorphism given two graphs G0 =(V0,E0) and G1 =(V1, E1) .

(G0, G1 )GNI

there is no permutation s.t (u,v) E0 ( (u), (v)) E1


ZK protocol for Graph non isomorphism

1. The verifier chooses randomly a number i (0,1) .

The verifier chooses a random permutation and computes H = (Gi). Then the verifier chooses randomly j (0,1) . The verifier creates the pair of graphs (H0, H1) such that:

if j=0:

H0 is a permutation of G0

H1 is a permutation of G1


ZK protocol for Graph non isomorphism

if j=1:

H0 is a permutation of G1

H1 is a permutation of G0

The verifier sends H and the pair (H0, H1).


ZK protocol for Graph non isomorphism

2. The prover chooses randomly b (0,1) . The prover sends b to the verifier.

If b=0 then the verifier sends the prover the isomorphism between (G0, G1) and (H0, H1).

If b=1 the verifier sends the prover the isomorphism between H and (H0, H1) .


ZK protocol for Graph non isomorphism

3. The prover checks that the right isomorphism is sent; otherwise it stops. The prover computes b such that Gb is isomorphic to H and sends b to V. If there is no such b, the prover sends a random b.

4. The verifier accepts if j=b.


ZK protocol for Graph non isomorphism

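[Diagram: the Verifier 1. chooses i (0,1), 2. computes H = (Gi) and 3. sends H and the pair (H0, H1); the Verifier then sends either 1. the isomorphism between (G0, G1) and (H0, H1), or 2. the isomorphism between (H0, H1) and H; the Prover checks the isomorphism and computes b; the Verifier checks that j=b.]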


ZK protocol for Graph non isomorphism

Lemma: GNI PZK

Proof : building M* s.t {<P,V*>(x)}xL {M*(x)}xL

1. The machine M* takes a random string of bits and puts it on a random tape.


ZK protocol for Graph non isomorphism

Mv* does the following n times:

2. Mv* waits to get H and the pair (H0, H1) from V* .

3. Mv* chooses a random b .

4. Mv* gets from V* the isomorphism between H and (H0, H1) and (G0, G1). Mv* checks it; if it is not the right isomorphism, it stops.


ZK protocol for Graph non isomorphism

Otherwise:

1. Returns V* to the point after H and (H0, H1) were received.

2. Chooses b’ again and sends it to V*.

3. Waits to get I’ from V*.

I’: isomorphism received from V*.


ZK protocol for Graph non isomorphism

If b’b then Mv* finds the isomorphism from I and I’, from G0,G1 to (H0, H1) and from (H0, H1) to H. The machine uses this information to find the isomorphism from H to G0 , G1.

4. The machine Mv* uses this information to compute V* and sends it to V*.