# The Complexity of Zero-Knowledge Proofs (Salil Vadhan, Harvard University)

## Presentation transcript

The Complexity of Zero-Knowledge Proofs Salil Vadhan Harvard University

A Successful Marriage. Complexity Theory: Which problems are "computationally hard" to solve? Cryptography: Design protocols that are "computationally hard" to break. Complexity theory gives cryptography hard problems and techniques; cryptography gives complexity theory revisited notions and an adversarial view.

Two Areas of Interaction.
Pseudorandomness: generating objects that "look random" despite being constructed with little or no randomness.
– Cryptography: many unpredictable bits from a short key
– Complexity: power of randomized algorithms (RP vs. P, RL vs. L)
Zero-knowledge proofs: interactive proofs that reveal nothing other than the validity of the assertion being proven.
– Cryptography: central in the study of crypto protocols
– Complexity: augments NP, the class of "efficiently verifiable proofs"

This Talk. Complexity-theoretic study of zero-knowledge proofs:
– Characterize the expressiveness of ZK.
– Prove general theorems about ZK.
– Minimize or eliminate complexity assumptions.

Promise Problems [ESY84]. A promise problem $\Pi = (\Pi_Y, \Pi_N)$ consists of disjoint sets of YES instances $\Pi_Y$ and NO instances $\Pi_N$; all other inputs are excluded. (A language is the special case in which every input is either a YES or a NO instance.) $P = \{\Pi : \text{can decide whether } x \in \Pi_Y \text{ or } x \in \Pi_N \text{ in poly}(|x|) \text{ time}\}$ = "feasible problems". [Figure: YES/NO regions of a promise problem with excluded inputs, beside a language with none.]

3-COLORING. Given: a map $M$. Decide: can it be colored with 3 colors such that no two adjacent countries have the same color? Formally: $\Pi_Y = \{\text{maps } M : M \text{ is 3-colorable}\}$, $\Pi_N = \{\text{maps } M : M \text{ is not 3-colorable}\}$. Fastest known algorithm: $2^{O(n)}$. (Map image: http://www.ctl.ua.edu/math103/)

3-COLORING. Given: a graph $G$. Decide: can it be colored with 3 colors such that no two adjacent vertices have the same color? Formally: $\Pi_Y = \{\text{graphs } G : G \text{ is 3-colorable}\}$, $\Pi_N = \{\text{graphs } G : G \text{ is not 3-colorable}\}$. Fastest known algorithm: $2^{O(n)}$.

NP Proof Systems. Def: An NP proof system for $\Pi$ is an algorithm $V$ such that
– Completeness: $x \in \Pi_Y \Rightarrow \exists \pi\ V(x, \pi) = \text{accept}$
– Soundness: $x \in \Pi_N \Rightarrow \forall \pi^*\ V(x, \pi^*) = \text{reject}$
– Efficiency: $V(x, \pi)$ runs in time poly$(|x|)$.
Example: 3-coloring: $V(G, \pi)$ = accept iff $\pi$ is a valid 3-coloring of $G$.

NP Proofs. Def: An NP proof system for $\Pi$ is an algorithm $V$ such that
– Completeness: $x \in \Pi_Y \Rightarrow \exists \pi\ V(x, \pi) = \text{accept}$
– Soundness: $x \in \Pi_N \Rightarrow \forall \pi^*\ V(x, \pi^*) = \text{reject}$
– Efficiency: $V(x, \pi)$ runs in time poly$(|x|)$.
The P = NP Question:
– Do mathematical proofs ever save time?
– Is exhaustive search ever necessary?
NP-completeness [C71,K72,L73]: every NP problem can be reduced to 3-coloring.
Q: What does one learn from a proof?

Zero-Knowledge Proofs [GMR85]. An interactive proof between a computationally unbounded prover $P$ and a poly-time verifier $V$ on common input $x$: messages $m_1, m_2, m_3, m_4, \ldots$ are exchanged, after which $V$ outputs accept/reject.
– Efficiency: $V$ runs in time poly$(|x|)$.
– Completeness: $x \in \Pi_Y \Rightarrow \Pr[V \text{ accepts}] \ge 2/3$
– Soundness: $x \in \Pi_N \Rightarrow \forall P^*\ \Pr[V \text{ accepts}] \le 1/3$
– Zero Knowledge: $x \in \Pi_Y \Rightarrow \forall V^*$, $V^*$ "learns nothing" else
Soundness and zero knowledge are the "security" conditions.

Zero-Knowledge Proofs [GMR85]. Flavors:
– Statistical: security vs. computationally unbounded $P^*$, $V^*$
– Computational: security vs. poly-time $P^*$, $V^*$
Cryptographic Protocols:
– Encryption, digital signatures, privacy-preserving data mining, electronic voting, …
– Testbed for composability, concurrency, …
Complexity Theory:
– SZK $= \{\Pi \in NP : \Pi \text{ has a statistical ZK proof}\}$
– ZK $= \{\Pi \in NP : \Pi \text{ has a computational ZK proof}\}$

3-COLORING $\in$ ZK [GMW86]. Unbounded prover, poly-time verifier; the example graph has vertices 1, 2, 3, 4, 5, 6.
1. Prover randomly permutes the coloring & sends it in locked boxes (one box per vertex).
2. Verifier picks a random edge, e.g. (1,4).
3. Prover sends the keys for the two endpoints.
4. Verifier accepts if the two revealed colors are different.
(Perfect) Completeness: graph 3-colorable $\Rightarrow$ V accepts w.p. 1.
Soundness: graph not 3-colorable $\Rightarrow \forall P^*$, V rejects w.p. $\ge 1/(\#\text{edges})$ (any assignment that is not a 3-coloring has at least one monochromatic edge, and the verifier picks that edge with probability at least $1/\#\text{edges}$; repeating the round drives the acceptance probability down).
Zero Knowledge: graph 3-colorable $\Rightarrow$ can simulate the interaction without the prover (the verifier only ever sees two different random colors on the edge it asked about).

How to implement the boxes? Bit commitment, a two-stage protocol between Sender and Receiver:
– Commit stage: Sender holds a bit $\sigma \in \{0,1\}$, sends a commitment $z$ and keeps a key $K$.
– Reveal stage: Sender sends $(\sigma, K)$; Receiver outputs accept/reject.
– Hiding: Com(0) & Com(1) indistinguishable ($\Rightarrow$ zero knowledge).
– Binding: w.h.p. $z$ can be opened to only one value $\sigma \in \{0,1\}$ ($\Rightarrow$ soundness).

3-COLORING $\in$ ZK [GMW86], with the locked boxes implemented as commitments. Unbounded prover, poly-time verifier:
1. Prover randomly permutes the coloring and sends Com(color of vertex 1), …, Com(color of vertex 6).
2. Verifier picks a random edge, e.g. (1,4).
3. Prover sends the openings (color of vertex 1, $K_1$), (color of vertex 4, $K_4$).
4. Verifier accepts if the colors are different.
NP $\subseteq$ ZK [GMW86]: on common input $x$, reduce $x$ to 3-coloring and run the same protocol, since every NP problem reduces to 3-coloring.
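The four-step protocol above, as an added worked example that is not part of the original slides: Python code in which SHA-256 commitments play the role of the locked boxes, an honest prover is accepted in every round, a prover holding an invalid coloring is rejected with probability at least $1/\#\text{edges}$ per round (with a helper computing how many rounds reach a target soundness error), and a simulator produces accepting transcripts without any coloring. The graph, the two colorings and the hash-based commitment Com(c) = SHA-256(c || k) are my own constructions for the demo, not the slides' or [GMW86]'s.

```python
"""Added example, not from the original slides: the [GMW86] zero-knowledge proof
for 3-COLORING with SHA-256 commitments standing in for the locked boxes.

Assumptions (mine, for the demo): the graph, its coloring and the invalid coloring
below are constructed; Com(c) = SHA-256(c || k) with a fresh 32-byte key k is a
standard hash-based commitment (hiding because k is unpredictable, binding by
collision resistance), used for illustration only."""
import hashlib
import math
import random
import secrets

# Constructed sample input: a 6-cycle 1-2-3-4-5-6-1 with chord (1,4), plus a valid
# 3-coloring and an invalid one (edges (1,4) and (4,5) are monochromatic).
EDGES = [(1, 2), (2, 3), (3, 4), (4, 5), (5, 6), (6, 1), (1, 4)]
COLORING = {1: 0, 2: 1, 3: 2, 4: 1, 5: 0, 6: 1}
BAD_COLORING = {1: 0, 2: 1, 3: 2, 4: 0, 5: 0, 6: 1}
PROVER_RNG = secrets.SystemRandom()  # the prover's coins must be unpredictable


def commit(color: int) -> tuple:
    """Commit stage: z = H(color || key). The key is what 'unlocks the box'."""
    key = secrets.token_bytes(32)
    return hashlib.sha256(bytes([color]) + key).digest(), key


def opens_to(z: bytes, color: int, key: bytes) -> bool:
    """Reveal stage: the receiver recomputes H(color || key) and compares with z."""
    return hashlib.sha256(bytes([color]) + key).digest() == z


def prover_commit(coloring: dict) -> tuple:
    """Step 1: randomly permute the three colors, then commit to every vertex."""
    perm = [0, 1, 2]
    PROVER_RNG.shuffle(perm)
    permuted = {v: perm[c] for v, c in coloring.items()}
    boxes = {v: commit(c) for v, c in permuted.items()}
    commitments = {v: z for v, (z, _) in boxes.items()}
    keys = {v: k for v, (_, k) in boxes.items()}
    return permuted, commitments, keys


def verifier_check(edges, commitments, edge, openings) -> bool:
    """Step 4: accept iff both boxes open correctly and the two colors differ."""
    if edge not in edges:
        return False
    u, v = edge
    (cu, ku), (cv, kv) = openings[u], openings[v]
    opened = opens_to(commitments[u], cu, ku) and opens_to(commitments[v], cv, kv)
    return opened and cu != cv and {cu, cv} <= {0, 1, 2}


def run_round(edges, coloring, verifier_rng) -> bool:
    """One round: a prover holding `coloring` (valid or not) against an honest
    verifier whose random edge comes from `verifier_rng`. Returns accept/reject."""
    permuted, commitments, keys = prover_commit(coloring)
    u, v = verifier_rng.choice(edges)                                  # Step 2
    openings = {u: (permuted[u], keys[u]), v: (permuted[v], keys[v])}  # Step 3
    return verifier_check(edges, commitments, (u, v), openings)


def count_rejections(edges, coloring, rounds, seed=0) -> int:
    """Run `rounds` independent rounds; return how many the verifier rejected."""
    rng = random.Random(seed)
    return sum(not run_round(edges, coloring, rng) for _ in range(rounds))


def rounds_for_error(num_edges: int, error: float) -> int:
    """Soundness amplification: one round rejects a non-coloring w.p. >= 1/m, so k
    rounds accept it w.p. <= (1 - 1/m)^k; smallest k making that bound <= `error`."""
    return math.ceil(math.log(error) / math.log(1 - 1 / num_edges))


def simulate(edges, rng):
    """Zero knowledge: build an accepting transcript WITHOUT any coloring. Guess the
    challenge edge first, put two random distinct colors on its endpoints and
    arbitrary colors elsewhere; the unopened boxes hide the rest. (Against a
    cheating verifier the simulator rewinds until its guess matches.)"""
    u, v = rng.choice(edges)
    cu, cv = rng.sample([0, 1, 2], 2)
    fake = {x: rng.choice([0, 1, 2]) for e in edges for x in e}
    fake[u], fake[v] = cu, cv
    boxes = {x: commit(c) for x, c in fake.items()}
    commitments = {x: z for x, (z, _) in boxes.items()}
    openings = {u: (cu, boxes[u][1]), v: (cv, boxes[v][1])}
    return commitments, (u, v), openings


def simulated_transcript_verifies(seed=1) -> bool:
    """The verifier accepts the simulated transcript just like a real one."""
    commitments, edge, openings = simulate(EDGES, random.Random(seed))
    return verifier_check(EDGES, commitments, edge, openings)


if __name__ == "__main__":
    print("honest prover, rejections in 50 rounds:", count_rejections(EDGES, COLORING, 50))
    print("cheating prover, rejections in 500 rounds:", count_rejections(EDGES, BAD_COLORING, 500))
    print("rounds for soundness error 2^-40 on 7 edges:", rounds_for_error(7, 2 ** -40))
    print("simulated transcript accepted:", simulated_transcript_verifies())
```

The honest verifier only ever sees two distinct colors that are uniformly random because of the prover's permutation, which is exactly what `simulate` produces; the boxes it never opens are hidden by the unpredictable keys, so the transcripts are indistinguishable even though the simulator holds no coloring. The cheating prover is only caught when the challenge lands on a monochromatic edge, which is why soundness needs repetition.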

Existence of Commitment Schemes. Thm: If one-way functions exist,
– Computationally hiding, statistically binding bit-commitment schemes exist [HILL90,Nao91].
– Statistically hiding, computationally "1-out-of-2-binding" bit-commitment schemes exist [NOV06].
$\Rightarrow$ all of NP has zero-knowledge proofs (with either security property statistical).
One-way function: $x \mapsto f(x)$ is easy to compute but hard to invert; e.g. $(p, q) \mapsto p \times q$ (multiplying is easy, factoring is hard). The existence of one-way functions is the minimal assumption here, but it is stronger than $P \neq NP$.

General Results on ZK. Thm [GMW86,HILL90,Nao91]: Assuming one-way functions exist...
– ZK = NP.
– ZK = ZK w/ perfect completeness
– ZK = ZK w/ poly-time prover
– ZK = honest-verifier ZK
– ZK closed under union
– …
Q: What can we prove about ZK unconditionally?

Unconditional Results on SZK. Thms:
– SZK contains QUADRATIC RESIDUOSITY [GMR85], GRAPH ISOMORPHISM [GMW86], ...
– SZK = SZK w/ perfect completeness [O96]
– SZK closed under complement, union [O96]
– Complete problems [SV97,GV99]
– SZK = honest-verifier SZK [GSV98]
– SZK = SZK w/ poly-time prover [NV06]
– …
But more constrained: SZK $\subseteq$ coAM [F86,AH87] $\Rightarrow$ unlikely to contain NP.

Unconditional Results on ZK. New characterizations of ZK give, without assuming that one-way functions exist, Thm [V04,NV06,OV06]:
– ZK = ZK w/ perfect completeness
– ZK = ZK w/ poly-time prover
– ZK = honest-verifier ZK
– ZK closed under union
– ZK $\cap$ coNP closed under complement
– ...

How to get unconditional results on ZK? Thm [OW93]: If ZK $\neq$ RP, then a "weak form" of one-way functions exists. Idea: case analysis.
– Case I: ZK = RP. Everything is trivial.
– Case II: ZK $\neq$ RP. Use the above OWF in the conditional results.
Problem: the "weak form" of OWF is not enough (cf. [DOY97]).
Our approach:
– replace RP by SZK
– case analysis on an input-by-input basis
– combine OWF-based results with unconditional results on SZK

The SZK/OWF CONDITION. Def: $\Pi$ satisfies the SZK/OWF CONDITION if $\exists I \subseteq \Pi_Y$, $J \subseteq \Pi_N$ and a poly-time computable family $\{f_x(y)\}_{x \in \{0,1\}^*}$ such that
1. Ignoring $I$ and $J$, $\Pi$ is in SZK.
2. When $x \in I \cup J$, $f_x$ is hard to invert.
[Figure: $\Pi_Y$ with subset $I$ and $\Pi_N$ with subset $J$; the remaining instances are in SZK, and instances in $I \cup J$ yield a one-way function $y \mapsto f_x(y)$ (easy to compute, hard to invert).]
Note: $\exists$ OWF $\Rightarrow$ every problem satisfies the above (take $I = \Pi_Y$, $J = \Pi_N$ and $f_x = f$: nothing is left to be in SZK, and $f_x$ is hard to invert everywhere).

ZK Characterization Theorem. Thm [V04,OV06]: $\Pi \in$ ZK $\iff$ $\Pi \in$ NP and $\Pi$ satisfies the SZK/OWF CONDITION. [Figure: $\Pi_Y \supseteq I$, $\Pi_N \supseteq J$; the rest in SZK, instances in $I \cup J$ yield a OWF.] Moreover: the zero knowledge is statistical when $I = \emptyset$, and the soundness is statistical when $J = \emptyset$: "Zero Knowledge & Soundness are Symmetric".

Proof of the Characterization Thms, a cycle of implications: $\Pi \in$ honest-verifier ZK (even with an inefficient prover) $\Rightarrow$ $\Pi$ satisfies the SZK/OWF CONDITION; together with $\Pi \in$ NP this $\Rightarrow$ $\Pi \in$ ZK w/ perfect completeness, poly-time prover, …, which in turn $\Rightarrow$ $\Pi \in$ honest-verifier ZK.

From SZK/OWF to ZK. Thm: $\Pi$ satisfies the SZK/OWF CONDITION and $\Pi \in$ NP $\Rightarrow$ $\Pi \in$ ZK w/ perfect completeness, poly-time prover, ... Idea: use the SZK proof when $x \notin I \cup J$, and the NP proof system (with $f_x$ as the OWF for the commitments) when $x \in I \cup J$. Problem: one cannot efficiently decide whether $x \in I \cup J$.

Sol'n: Instance-dependent Commitments. Def [IOS94,MV03]: In an I.D. commitment scheme for $\Pi$, sender & receiver receive an auxiliary input $x$ such that
– $x \in \Pi_Y \Rightarrow$ hiding
– $x \in \Pi_N \Rightarrow$ binding
Example [BMO90]: GRAPH ISOMORPHISM
– aux. input $= (G_0, G_1)$
– commitment to $\sigma$ = a random isomorphic copy of $G_\sigma$
– perfectly hiding on YES instances and perfectly binding on NO instances! (If $G_0 \cong G_1$, a random isomorphic copy of $G_0$ has exactly the same distribution as one of $G_1$; if $G_0 \not\cong G_1$, no graph is isomorphic to both, so a commitment opens to at most one bit.)

Usefulness of I.D. Commitments ($x \in \Pi_Y \Rightarrow$ hiding, $x \in \Pi_N \Rightarrow$ binding). Many ZK proofs only use hiding on YES instances (for ZK) and binding on NO instances (for soundness). Lemma [IOS94,MV03]: $\Pi \in$ NP and $\Pi$ has instance-dependent commitments $\Rightarrow$ $\Pi \in$ ZK w/ perfect completeness, poly-time prover, …
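The [BMO90] GRAPH ISOMORPHISM commitment from the example above, as an added worked example that is not part of the original slides: Python code that commits to a bit by sending a random isomorphic copy of $G_\sigma$, shows that on a YES instance a sender who knows the isomorphism can open the same commitment to either bit (so the commitment reveals nothing about $\sigma$), and shows that on a NO instance no opening to the other bit exists at all, by exhaustive search over the tiny graphs. The graphs, the isomorphism and the helper functions are my own constructions for the demo.

```python
"""Added example, not from the original slides: the [BMO90] instance-dependent
commitment from GRAPH ISOMORPHISM. Auxiliary input (G0, G1); to commit to a bit
sigma, send a random isomorphic copy of G_sigma; to reveal, send sigma and the
relabelling. The graphs below are constructed for the demo (assumption), small
enough that binding can be checked by exhaustive search."""
import itertools
import random

N = 5  # every graph here is on vertices 0..4


def graph(pairs):
    """Undirected graph as a frozenset of 2-element frozensets."""
    return frozenset(frozenset(e) for e in pairs)


def relabel(perm, g):
    """Apply the relabelling u -> perm[u] to every edge of g."""
    return frozenset(frozenset((perm[u], perm[v])) for u, v in g)


def compose(outer, inner):
    """u -> outer[inner[u]], so relabel(compose(a, b), g) == relabel(a, relabel(b, g))."""
    return [outer[inner[u]] for u in range(len(inner))]


def invert(perm):
    inv = [0] * len(perm)
    for u, p in enumerate(perm):
        inv[p] = u
    return inv


# Constructed instances: G0 = 5-cycle; G1 = relabel(ISO, G0), so (G0, G1) is a YES
# instance; G2 = a triangle with a tail (no 5-cycle has a triangle), so (G0, G2) is a
# NO instance.
G0 = graph([(0, 1), (1, 2), (2, 3), (3, 4), (4, 0)])
ISO = [2, 4, 1, 3, 0]
G1 = graph([(2, 4), (1, 4), (1, 3), (0, 3), (0, 2)])
G2 = graph([(0, 1), (1, 2), (2, 3), (3, 4), (0, 2)])


def commit(g0, g1, bit, rng):
    """Commit stage: a random isomorphic copy of G_bit; the permutation is the key."""
    perm = list(range(N))
    rng.shuffle(perm)
    return relabel(perm, (g0, g1)[bit]), perm


def verify_open(g0, g1, h, bit, perm):
    """Reveal stage: the receiver checks that perm maps G_bit onto the commitment h."""
    return relabel(perm, (g0, g1)[bit]) == h


def equivocate(h, bit, perm, iso):
    """YES instance, sender knows iso with G1 = relabel(iso, G0): open h to 1 - bit.
    h = perm(G1) = (perm o iso)(G0), and h = perm(G0) = (perm o iso^-1)(G1)."""
    other_perm = compose(perm, iso) if bit == 1 else compose(perm, invert(iso))
    return 1 - bit, other_perm


def find_opening(g0, g1, h, bit):
    """Exhaustive search for any perm opening h to `bit` (feasible only for tiny N)."""
    for perm in itertools.permutations(range(N)):
        if relabel(list(perm), (g0, g1)[bit]) == h:
            return list(perm)
    return None


def hiding_demo(seed=0) -> bool:
    """(G0, G1) is a YES instance: every commitment opens to BOTH bits, so it carries
    no information about the committed bit (perfect hiding)."""
    rng = random.Random(seed)
    for bit in (0, 1):
        h, perm = commit(G0, G1, bit, rng)
        other, other_perm = equivocate(h, bit, perm, ISO)
        if not (verify_open(G0, G1, h, bit, perm) and verify_open(G0, G1, h, other, other_perm)):
            return False
    return True


def binding_demo(seed=0) -> bool:
    """(G0, G2) is a NO instance: the honest opening verifies, but no opening to the
    other bit exists (perfect binding), since one would make G0 isomorphic to G2."""
    rng = random.Random(seed)
    for bit in (0, 1):
        h, perm = commit(G0, G2, bit, rng)
        if not verify_open(G0, G2, h, bit, perm):
            return False
        if find_opening(G0, G2, h, 1 - bit) is not None:
            return False
    return True


if __name__ == "__main__":
    print("G1 is an isomorphic copy of G0:", relabel(ISO, G0) == G1)
    print("YES instance, commitments equivocable (hiding):", hiding_demo())
    print("NO instance, no second opening (binding):", binding_demo())
```

Equivocation is the cleanest way to see perfect hiding: the very same commitment is a valid commitment to 0 and to 1, with openings the sender can actually produce, so the receiver's view is identical for both bits. On the NO instance the exhaustive search stands in for the argument that two openings would exhibit an isomorphism between $G_0$ and $G_2$.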

From SZK/OWF to ZK: the 3-coloring protocol with instance-dependent commitments Com$_x$ on common input $x$. Prover, poly-time verifier:
1. Prover randomly permutes the coloring and sends Com$_x$(color of vertex 1), …, Com$_x$(color of vertex 6).
2. Verifier picks a random edge, e.g. (1,4).
3. Prover sends the openings (color of vertex 1, $K_1$), (color of vertex 4, $K_4$).
4. Verifier accepts if the colors are different.

I.D. Commitments from SZK/OWF. Ingredients:
– SZK has stat. hiding, stat. 1-out-of-2-binding i.d. commitments [NV06]: Com$_{SZK}$, hiding on the SZK part of $\Pi_Y$ and binding on the SZK part of $\Pi_N$.
– OWF $\Rightarrow$ comp. hiding, stat. binding commitments [HILL90,N91]: Com$_I$, built from $f_x$, hiding when $x \in I$ and binding always.
– OWF $\Rightarrow$ stat. hiding, comp. 1-out-of-2-binding commitments [NOV06]: Com$_J$, built from $f_x$, hiding always and binding when $x \in J$.
SZK/OWF CONDITION $\Rightarrow$ comp. hiding, comp. 1-out-of-2-binding i.d. commitments: to commit to $b$, pick a random $r$ and send Com$_{SZK}(b \oplus r)$, Com$_I(r)$, Com$_J(b)$. On $x \in \Pi_Y$, Com$_J$ hides $b$ and either Com$_{SZK}$ hides $b \oplus r$ or Com$_I$ hides $r$, so $b$ stays hidden whichever component leaks. On $x \in \Pi_N$, either $x \in J$ and Com$_J$ binds $b$ directly, or Com$_{SZK}$ and Com$_I$ both bind and fix $b = (b \oplus r) \oplus r$.

Conclusions. ZK continues to be a lively interface between cryptography and complexity theory.
– SZK/OWF characterizations of ZK $\Rightarrow$ unconditional results
– Variations on commitments: instance-dependent commitments, 1-out-of-2-binding commitments
Happy Thanksgiving!

Extra slides

Computational Complexity Theory: "What problems can and cannot be solved with limited computational resources?"
Arithmetic on n-bit numbers:
– Addition: time $O(n)$: easy (poly-time)
– Multiplying: time $O(n^2)$, improved to $O(n \lg n \lg\lg n)$ [SS71]: easy (poly-time)
– Factoring: time $\sim 2^{n/2}$, improved to $\sim 2^{O(n^{1/3})}$ [BLP94]: hard?
Computational problems: Network Flows, Finding Nash Equilibria, Decoding Error-Correcting Codes, Partition Function of Ising Model, Protein Folding, Proof Verification, …
Resources: space (memory), randomness, parallelism, interaction, quantum mechanics, …

Goals of Complexity Theory.
Lower Bounds:
– Prove that there are no efficient algorithms to solve certain problems.
– Success only for limited models of computation.
– $P \neq NP$ seems far out of reach.
Establish Relationships:
– Between problems, e.g. NP-completeness [C71,K72,L73]
– Between resources, e.g. Hardness vs. Randomness [BM82,Y82,NW88]: intractable problems $\Rightarrow$ derandomization (take CS225!)

Modern Cryptography: protocols for secure communication & computation in the face of adversarial behavior.
– Encryption, digital signatures, SSL, e-voting, …
Goal: "breaking" the scheme should be computationally intractable.
– Information-theoretic security is usually impossible [Sha49].
– Hence based on complexity theory [DH76,RSA78,Rab79].

From Art to Science. A layered picture: Secure Systems, built on Protocols (SSL, E-voting, Auctions), built on Primitives (Encryption, Signatures, Zero-knowledge Proofs), built on Hard Problems (Factoring, RSA, MD5, DES), resting on Complexity Theory. Convincing definitions of security [GM82,...], rigorous proofs. The hardness of the base problems is conjectured; goal: use assumptions that are as weak & general as possible. Ex: one-way functions, such as $(p, q) \mapsto p \times q$ (easy to compute, hard to invert).

1-out-of-2-Binding Commitments. Two sequential commit/reveal phases between Sender and Receiver:
– commit$_1$: Sender sends $z_1$ and keeps $K_1$; reveal$_1$: Sender sends $(\sigma_1, K_1)$.
– commit$_2$: Sender sends $z_2$ and keeps $K_2$; reveal$_2$: Sender sends $(\sigma_2, K_2)$.
Hiding: both phases hiding $\Rightarrow$ ZK. Binding: the sender can change its value at most once, i.e. in at least one of the two phases it is bound $\Rightarrow$ soundness.

1-out-of-2-binding Commitments $\Rightarrow$ ZK for NP. Intuitive idea: run the 3-coloring protocol twice, once per phase. Prover: Commit$_1$(coloring); Verifier: Edge; Prover: Reveal$_1$; Prover: Commit$_2$(coloring); Verifier: Edge; Prover: Reveal$_2$. Hiding: both phases hiding $\Rightarrow$ ZK. Binding: the sender can change its value at most once $\Rightarrow$ soundness (a cheating prover is bound in at least one of the two executions, and that execution rejects a non-coloring w.p. $\ge 1/\#\text{edges}$).