Download presentation

Presentation is loading. Please wait.

Published byMakenna Hadwin Modified about 1 year ago

1
The Complexity of Zero-Knowledge Proofs Salil Vadhan Harvard University

2
A Successful Marriage Complexity Theory: Which problems are “computationally hard” to solve? Cryptography: Design protocols that are “computationally hard” to break. hard problems, techniques revisit notions, adversarial view

3
Two Areas of Interaction Pseudorandomness: generating objects that “look random” despite being constructed with little or no randomness. –Cryptography: many unpredictable bits from short key –Complexity: power of randomized algs (RP vs. P, RL vs. L) Zero-knowledge proofs: interactive proofs that reveal nothing other than validity of assertion being proven –Cryptography: central in study of crypto protocols –Complexity: augments NP $ “efficiently verifiable proofs”

4
This Talk Complexity-theoretic study of zero-knowledge proofs: Characterize the expressiveness of ZK. Prove general theorems about ZK. Minimize or eliminate complexity assumptions.

5
YESNO Promise Problem excluded inputs Promise Problems [ESY84] P = { : can decide if x 2 Y or x 2 N in poly(|x|) time} = “feasible problems” YESNO Language

6
3-C OLORING Given: a map M Decide: can it be colored w/3 colors s.t. no two adjacent countries have the same color? Formally: Y = { maps M : M is 3-colorable} N = { maps M : M is not 3-colorable} Fastest known algorithm: 2 O(n) http://www.ctl.ua.edu/math103/

7
3-C OLORING Given: a graph G Decide: can it be colored w/3 colors s.t. no two adjacent vertices have the same color? Formally: Y = { graphs G : G is 3-colorable} N = { graphs G : G is not 3-colorable} Fastest known algorithm: 2 O(n)

8
NP Proof Systems Def: An NP proof system for is an algorithm V s.t. –Completeness: x 2 Y ) 9 V(x, )=accept –Soundness: x 2 N ) 8 * V(x, )=reject –Efficiency: V(x, ) runs in time poly(|x|). Example: 3-coloring –V(G, ) = accept iff is a valid 3-coloring of G

9
NP Proofs Def: An NP proof system for is an algorithm V s.t. –Completeness: x 2 Y ) 9 V(x, )=accept –Soundness: x 2 N ) 8 * V(x, )=reject –Efficiency: V(x, ) runs in time poly(|x|). The P=NP Question –Do mathematical proofs ever save time? –Is exhaustive search ever necessary? NP-completeness [C71,K72,L73] –every NP problem can be reduced to 3-coloring. Q: What does one learn from a proof? ?

10
Zero-Knowledge Proofs [GMR85] Efficiency: V runs in time poly(|x|). Completeness: x 2 Y ) Pr[V accepts] ¸ 2/3 Soundness: x 2 N ) 8 P Pr[V accepts] · 1/3 Zero Knowledge: x 2 Y ) 8 V * V * “learns nothing” else poly-time Verifier V unbounded Prover P x accept/reject m1m1 m2m2 m3m3 m4m4 “security” conditions

11
Zero-Knowledge Proofs [GMR85] Flavors –Statistical: security vs. computationally unbounded P *,V * –Computational: security vs. poly-time P *,V * Cryptographic Protocols –Encryption, digital signatures, privacy-preserving datamining, electronic voting,… –Testbed for composability, concurrency, … Complexity Theory – SZK = { 2 NP : has a statistical ZK proof} – ZK = { 2 NP : has a computational ZK proof}

12
3-C OLORING 2 ZK [GMW86] unbounded Prover poly-time Verifier 1. Randomly permute coloring & send in locked boxes. 1 2 3 4 5 6

13
poly-time Verifier 1. Randomly permute coloring & send in locked boxes. 1 2 3 4 5 6 3-C OLORING 2 ZK [GMW86] unbounded Prover

14
poly-time Verifier 1. Randomly permute coloring & send in locked boxes. 2. Pick random edge. (1,4) 1 2 3 4 5 6 4. Accept if colors different. 3. Send keys for endpoints. (Perfect) Completeness: graph 3-colorable ) V accepts w.p. 1 3-C OLORING 2 ZK [GMW86] unbounded Prover

15
poly-time Verifier 1. Randomly permute coloring & send in locked boxes. 2. Pick random edge. (1,4) 1 2 3 4 5 6 4. Accept if colors different. 3. Send keys for endpoints. Soundness: graph not 3-colorable ) 8 P * V rejects w.p. ¸ 1/(#edges) 3-C OLORING 2 ZK [GMW86] unbounded Prover

16
poly-time Verifier 1. Randomly permute coloring & send in locked boxes. 2. Pick random edge. (1,4) 1 2 3 4 5 6 4. Accept if colors different. 3. Send keys for endpoints. Zero Knowledge: graph 3-colorable ) can simulate interaction w/o prover 3-C OLORING 2 ZK [GMW86] unbounded Prover

17
How to implement boxes? Bit commitment: Hiding: Com( ) & Com( ) indistinguishable. ( ) zero knowledge) Binding: W.h.p. z can be opened to only one value 2 {0,1}. ) soundness Receiver Sender commit stage: reveal stage: ( ,K) z K accept/ reject

18
poly-time Verifier 1. Randomly permute coloring & send in locked boxes. 2. Pick random edge. (1,4) 1 2 3 4 5 6 4. Accept if colors different. 3. Send keys for endpoints. Com( )…Com( ) (,K 1 ),(,K 4 ) 3-C OLORING 2 ZK [GMW86] unbounded Prover

19
poly-time Verifier 1. Randomly permute coloring & send in locked boxes. 2. Pick random edge. (1,4) 1 2 3 4 5 6 4. Accept if colors different. 3. Send keys for endpoints. Com( )…Com( ) (,K 1 ),(,K 4 ) NP µ ZK [GMW86] x unbounded Prover

20
Thm: If one-way functions exist, –Computationally hiding, statistically binding bit-commitment schemes exist [HILL90,Nao91]. –Statistically hiding, computationally “1-out-of-2-binding” bit-commitment schemes exist [NOV06]. ) all of NP has zero-knowledge proofs (with either security property statistical). Existence of Commitment Schemes x f(x) easy hard

21
Thm: If one-way functions exist, –Computationally hiding, statistically binding bit-commitment schemes exist [HILL90,Nao91]. –Statistically hiding, computationally “1-out-of-2-binding” bit-commitment schemes exist [NOV06]. ) all of NP has zero-knowledge proofs (with either security property statistical). Existence of Commitment Schemes p,q p£qp£q easy hard

22
Thm: If one-way functions exist, –Computationally hiding, statistically binding bit-commitment schemes exist [HILL90,Nao91]. –Statistically hiding, computationally “1-out-of-2-binding” bit-commitment schemes exist [NOV06]. ) all of NP has zero-knowledge proofs (with either security property statistical). Existence of Commitment Schemes minimal but stronger than P NP

23
General Results on ZK ZK = NP. ZK = ZK w/perfect completeness ZK = ZK w/poly-time prover ZK = honest-verifier ZK ZK closed under union … Thm [GMW86,HILL90,Nao91]: Q: What can we prove about ZK unconditionally? Assuming one-way functions exist...

24
Unconditional Results on SZK SZK contains Q UADRATIC R ESIDUOSITY [GMR85], G RAPH I SOMORPHISM [GMW86],... SZK=SZK w/perfect completeness [O96] SZK closed under complement, union [O96] Complete Problems [SV97,GV99] SZK=honest-verifier SZK [GSV98] SZK=SZK w/poly-time prover [NV06] … But more constrained: SZK µ coAM [F86,AH87] ) unlikely to contain NP. Thms:

25
Unconditional Results on ZK New characterizations of ZK ZK = ZK w/perfect completeness ZK = ZK w/poly-time prover ZK = honest-verifier ZK ZK closed under union ZK Å coNP closed under complement... Thm [V04,NV06,OV06]: Assuming one-way functions exist...

26
How to get unconditional results on ZK? Thm [OW93]: If ZK RP, then a “weak form” of one-way functions exist. Idea: Case analysis. –Case I: ZK=RP. Everything trivial. –Case II: ZK RP. Use above OWF in conditional results. Problem: “Weak form” of OWF not enough (cf. [DOY97]) Our approach: –replace RP by SZK –case analysis on input-by-input basis –combine OWF-based results w/unconditional results on SZK

27
The SZK/OWF C ONDITION Def: satisfies the SZK/OWF C ONDITION if 9 I µ Y, J µ N, 9 poly-time { f x (y)} x 2 {0,1} * s.t. 1.Ignoring I and J, is in SZK. 2.When x 2 I [ J, f x is hard to invert. Y N I in SZK instances yield OWF Note: 9 OWF ) every problem satisfies above. J Y N y f x (y) easy hard

28
ZK Characterization Theorem Thm [V04,OV06]: 2 ZK m 2 NP and satisfies SZK/OWF C ONDITION Y N I in SZK instances yield OWF J Y N Moreover: ZK statistical, I = ; soundness statistical, J = ; “Zero Knowledge & Soundness are Symmetric”

29
Proof of the Characterization Thms 2 honest-verifier ZK even w/inefficient prover satisfies SZK/OWF C ONDITION. 2 ZK w/perfect completeness, poly-time prover,… + 2 NP

30
From SZK/OWF to ZK Idea: Use SZK proof when x I [ J, use NP proof system when x 2 I [ J (with f x as OWF) Problem: cannot efficiently decide whether x 2 I [ J. Thm: satisfies SZK/OWF C ONDITION and 2 NP, ) 2 ZK w/perfect completeness, poly-time prover,... Y N I J SZK OWF

31
Sol’n: Instance-dependent Commitments Def [IOS94,MV03]: In an I.D. commitment scheme for , sender & receiver receive auxiliary input x s.t. –x 2 Y ) hiding –x 2 N ) binding Example [BMO90]: G RAPH I SOMORPHISM –aux. input = (G 0,G 1 ) –commitment to = random isomorphic copy of G –perfectly hiding and perfectly binding! H B

32
Usefulness of I.D. Commitments –x 2 Y ) hiding –x 2 N ) binding Many ZK pfs only use hiding on YES instances (for ZK), binding on NO instances (for soundness). Lemma [IOS94,MV03]: 2 NP and has instance-dependent commitments ) 2 ZK w/perfect completeness, poly-time prover, … H B

33
Prover poly-time Verifier 1. Randomly permute coloring & send in locked boxes. 2. Pick random edge. (1,4) 1 2 3 4 5 6 4. Accept if colors different. 3. Send keys for endpoints. Com x ( )…Com x ( ) (,K 1 ),(,K 4 ) From SZK/OWF to ZK x

34
I.D. Commitments from SZK/OWF H B H B SZK has stat. hiding, stat. 1-out-of-2-binding i.d. commitments [NV06] OWF ) comp. hiding, stat. binding commitments [HILL90,N91] OWF ) stat. hiding, comp. 1-out-of-2-binding commitments [NOV06] Com SZK Com I Com J SZK/OWF C ONDITION ) comp. hiding comp. 1-out-of-2-binding i.d. commitments Com SZK (b © r), Com I (r), Com J (b) H B B H

35
Conclusions ZK continues to be an lively interface between cryptography and complexity theory. SZK/OWF Characterizations of ZK ) unconditional results Variations on commitments –Instance-dependent commitments –1-out-of-2-binding commitments Happy Thanksgiving!

36
Extra slides

37
Computational Complexity Theory Arithmetic on n-bit numbers: –Addition: time O(n) –Multiplying: time O(n 2 ) –Factoring: time ~2 n/2 Computational problems: –Network Flows, Finding Nash Equilibria, Decoding Error- Correcting Codes, Partition Function of Ising Model, Protein Folding, Proof Verification, … Resources: –Space (memory), randomness, parallelism, interaction, quantum mechanics, … “What problems can and cannot be solved with limited computational resources?” O(n lg n lglg n) [SS71] ~2 O(n 1/3 ) [BLP94] easy (poly-time) hard?

38
Goals of Complexity Theory Lower Bounds –Prove that there are no efficient algorithms to solve certain problems. –Success only for limited models of computation –P NP seems far out of reach. Establish Relationships –Between problems, e.g. NP-completeness [C71,K72,L73] –Between resources, e.g. Hardness vs. Randomness [BM82,Y82,NW88]: intractable problems derandomization (take CS225!)

39
Modern Cryptography Protocols for secure communication & computation in the face of adversarial behavior. –Encryption, digital signatures, SSL, e-voting, … Goal: “breaking” scheme computationally intractable –Information-theoretic security usually impossible [Sha49] Based on complexity theory [DH76,RSA78,Rab79]

40
Protocols SSL, E-voting, Auctions Primitives Encryption, Signatures, Zero-knowledge Proofs Hard Problems Factoring, RSA, MD5, DES Complexity Theory Secure Systems From Art to Science Convincing definitions of security [GM82,...], rigorous proofs.

41
p£qp£q Protocols SSL, E-voting, Auctions Primitives Encryption, Signatures, Zero-knowledge Proofs Hard Problems Factoring, RSA, MD5, DES Complexity Theory Secure Systems From Art to Science Convincing definitions of security [GM82,...], rigorous proofs. Goal: use assumptions that are as weak & general as possible. Ex: one-way functions easy hard Conjectures p,q

42
1-out-of-2-Binding Commitments Sender Receiver commit 1 : reveal 1 : ( ,K 1 ) K1K1 z1z1 commit 2 : reveal 2 : ( ,K 2 ) K2K2 z1z1 Hiding: Both phases hiding ) ZK Binding: Sender can change value at most once ) Soundness

43
1-out-of-2-binding Commitments ) ZK for NP Prover Verifier Commit 1 (coloring) Hiding: Both phases hiding ) ZK Binding: Sender can change value at most once ) Soundness Edge Reveal 1 Commit 2 (coloring) Edge Reveal 2 Intuitive idea: Run 3-coloring protocol twice

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google