
1 May, 2011 Algorithmic Game Theory Workshop
Michael O. Rabin, Harvard University, Hebrew University
Algorithmic Game Theory, Hebrew University, May 23, 2011
Practical Zero Knowledge Proofs Applied To Proving Correctness Of Stable Matching Problems

2
– Motivation, Applications
– New Zero Knowledge Proofs
– Next Steps

3 Stable Matchings – Hospitals/Residents

4 Hospitals/Residents - Continued
Every Resident Ranks Hospitals: Etc…

5 Stable Matching
No Pair Hospital-Resident So That: Prefers Over

6 Stable Matching – The Data
Resident $i$: values $X_1^{(i)}, \dots, X_L^{(i)}$ for hospitals $H_1, \dots, H_L$.
Hospital $j$: values $y_1^{(j)}, \dots, y_M^{(j)}$ for residents $R_1, \dots, R_M$.
Administrator Gets Data, Computes Stable Matching. Informs Hospitals/Residents.

7 Secrecy And Correctness
Hospitals Do Not Want Residents To Know Their Rankings.
Residents Want Their Hospital Rankings Kept Secret.
Everybody Wants Assurance Of Correctness Of Announced Matchings.
Challenge: Proving Statements Such As $X_t^{(i)} < X_s^{(i)}$, $y_m^{(j)} < y_n^{(j)}$ While Keeping Values Secret.

8 Existing Technologies
Varieties of Zero-Knowledge Proofs and Arguments:
– Proving x ∈ L – an NP language
– Proving circuit satisfiability (at the bit level)
– Using homomorphic encryption to prove statements about encrypted values
– The method of obfuscated circuits (A. Yao)
– Multiparty computations, hiding inputs, intermediate results

9 Our Approach
We work directly with numbers $x, y, z \in F_p$, $p$ prime, say $p \sim 2^{64}$.
No need to go down to the bit/gate level or work with heavy homomorphic encryptions.
A wide range of computations and ZK Proofs of their correctness is encompassed within the formulation of Generalized Straight-Line Computations in $F_p$ and verification of correctness of results of such computations.

10 Generalized Straight-Line Computations
Let $x_1, \dots, x_n$ be inputs from $P_1, \dots, P_n$. An Evaluator Prover (EP) conducts a generalized straight-line computation (GSLC) producing outputs $x_L$, $x_{L+1}$, etc.:
$x_1, x_2, \dots, x_n, x_{n+1}, \dots, x_L = f_L(x_1, \dots, x_n),\ x_{L+1} = f_{L+1}(x_1, \dots, x_n)$, etc. (1)
For all $m > n$, $\exists\, i, j < m$ such that $x_m = x_i + x_j \pmod p$, or $x_m = x_i \times x_j \pmod p$, or $x_m = (x_i \le x_j)$.
More general computations treatable.

11 Posting And Proving Correctness of Results
The Evaluator Prover (EP) posts the results (outputs): $x_L = f_L(x_1, \dots, x_n)$, $x_{L+1} = f_{L+1}(x_1, \dots, x_n)$, etc.
The EP posts a ZK Proof of the correctness of the results.
The proof of correctness is checked by a Verifier VER interacting with the EP.

12 Flow of Proof/Verification
EP creates proof. Presents Proof to Verifier VER.
VER challenges EP: $C_1, C_2, \dots$
EP responds to VER: $R_1, R_2, \dots$
VER checks correctness of responses.

13 Our Magical Solution
Values $x \in \{0, 1, \dots, p-1\} = Z_p$, prime $p \sim 2^{64}$; $+$, $\times$ mod $p$.
Random representations: $RR(x) = X = (u, v)$, $val(X) = (u + v) \bmod p = x$, where $u \in_R \{0, 1, \dots, p-1\}$, $v = (x - u) \bmod p$.
$COM(X) = (COM(u), COM(v))$
Evaluator Prover needs to ZKP statements such as $val(X) + val(Y) = val(Z)$, $val(X) \times val(Y) = val(Z)$, $val(X) \le val(Y)$.

14 Commitment To Values
$G$ is a group, $|G| = p$. $g_1$ generator, $g_2 = g_1^m$, $m = \log_{g_1}(g_2)$.
Assume: Discrete Log Problem for $G$ intractable.
Given $u \in F_p$, $r \in_R [0, p-1]$. Define: $COM(u, r) = g_1^r g_2^u$.
COM is information theoretically hiding; computationally binding.
In practice, commitment is made using encryption $E(\cdot, \cdot)$ (say 128-bit key AES): $COM(u) = E(K, u)$.
Decommit/Open: reveal key $K$.

15 Proof/Verification of Addition
$X = (u_1, v_1)$, $Y = (u_2, v_2)$, $Z = (u_3, v_3)$
Claim: $val(X) + val(Y) = val(Z)$ (3)
Posted: $(COM(u_i), COM(v_i))$, $1 \le i \le 3$
(3) True iff $\exists\, r \in F_p$ s.t. $X + Y = Z + (r, -r)$
EP reveals $r$.
VER: $c \in_R \{1, 2\}$, send to EP; say $c = 1$.
EP reveals $u_1, u_2, u_3$ (or if $c = 2$: $v_1, v_2, v_3$).
VER checks $u_1 + u_2 = u_3 + r$ (or $v_1 + v_2 = v_3 - r$).
Prob( (3) false and check succeeds ) $\le 1/2$

16 Illustration of the Method
Addition
– p=17
– x=7, y=7, x+y=z=14
– X=(3,4), Y=(15,9), Z=(8,6)
– CLAIM: val(X)+val(Y) = val(Z)
[Figure: X = (3, 4), Y = (15, 9), Z = (8, 6); (10, -10)]

17 Illustration of the Method
Addition
– p=17
– x=7, y=7, x+y=z=14
– X=(3,4), Y=(15,9), Z=(8,6)
Auc posts (10,-10). Verifier: $c \in_R \{1, 2\}$
[Figure: X = (3, 4), Y = (15, 9), Z = (8, 6); c=1; 10]

18 Sequence of Additions
Let COM(X), COM(Y), COM(W), COM(U), COM(Z), etc. be posted.
EP claims VAL(X)+VAL(Y)=VAL(W), VAL(W)+VAL(U)=VAL(Z), etc.
Correctness of sequence of additions can be simultaneously proved/verified as above.
If Challenge is c=1, all first coordinates are revealed by EP. If Challenge is c=2, all second coordinates are revealed.
Prob( check succeeds but even one addition false ) ≤ 1/2

19 Amplification of Confidence
EP posts k “Translations” of the proof of sequence of same additions:
$COM(X^{(i)}), COM(Y^{(i)}), COM(W^{(i)}), COM(U^{(i)}), COM(Z^{(i)})$, etc. for $1 \le i \le k$,
where $val(X^{(1)}) = \dots = val(X^{(k)})$, $val(Y^{(1)}) = \dots = val(Y^{(k)})$, etc.
VER creates k independent Challenges $c_1, \dots, c_k \in_R \{1, 2\}$.
EP reveals all coordinates $c_i$ in Translation $i$.
Prob( all checks succeed while even one addition false ) $\le 1/2^k$
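
The addition proof of slides 15 to 19 as a runnable sketch. This is an added example, not code from the talk: a salted SHA-256 hash stands in for the COM of slide 14, and the modulus P, the function names and the prover that derives r from the first coordinates are assumptions made for the illustration.

```python
import hashlib
import secrets

P = 2**61 - 1  # prime modulus, constructed for the example (slides: p ~ 2^64)

def rr(x):
    """Random representation X = (u, v) with (u + v) mod P == x."""
    u = secrets.randbelow(P)
    return (u, (x - u) % P)

def commit(value):
    """Hash commitment (stand-in for COM): returns (digest, opening nonce)."""
    nonce = secrets.token_bytes(16)
    return hashlib.sha256(nonce + value.to_bytes(8, "big")).digest(), nonce

def relation_holds(c, r, a, b, s, p=P):
    """VER's check: u1+u2 = u3+r for c=1, v1+v2 = v3-r for c=2 (mod p)."""
    shift = r if c == 1 else -r
    return (a + b - s - shift) % p == 0

def make_translation(x, y, z):
    """EP: split x, y, z, commit to every coordinate, publish r."""
    reps = [rr(x), rr(y), rr(z)]
    coms = [[commit(coord) for coord in rep] for rep in reps]
    r = (reps[0][0] + reps[1][0] - reps[2][0]) % P  # from X + Y = Z + (r, -r)
    posted = [[digest for digest, _ in pair] for pair in coms]
    return {"reps": reps, "coms": coms, "posted": posted, "r": r}

def respond(tr, c):
    """EP opens coordinate c of X, Y, Z as (value, nonce) pairs."""
    return [(tr["reps"][k][c - 1], tr["coms"][k][c - 1][1]) for k in range(3)]

def verify(posted, r, c, opened):
    """VER: every opening must match its posted commitment, then the sum."""
    for k, (value, nonce) in enumerate(opened):
        digest = hashlib.sha256(nonce + value.to_bytes(8, "big")).digest()
        if digest != posted[k][c - 1]:
            return False
    return relation_holds(c, r, *(value for value, _ in opened))

def run_proof(x, y, z, k=40):
    """k independent translations, one random challenge each."""
    for _ in range(k):
        tr = make_translation(x, y, z)
        c = secrets.choice([1, 2])  # VER's random challenge
        if not verify(tr["posted"], tr["r"], c, respond(tr, c)):
            return False
    return True
```

With a false claim such as 7 + 7 = 15, this prover's translation passes the c=1 challenge and fails c=2, so each translation catches it with probability 1/2 and k translations leave it a 1/2^k chance.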

20 Proof/Verification of Multiplication
$X = (u_1, v_1)$, $Y = (u_2, v_2)$, $Z = (u_3, v_3)$
Claim: $val(X) \times val(Y) = val(Z)$ (4)
Posted: $(COM(u_i), COM(v_i))$, $1 \le i \le 3$
EP creates $Z^{(0)} = (u_1 \times u_2,\ v_1 \times v_2)$, $Z^{(1)} = (u_1 \times v_2 + r_1,\ -r_1)$, $Z^{(2)} = (u_2 \times v_1 + r_2,\ -r_2)$, where $r_1, r_2 \in_R F_p$.
Clearly, (4) true iff $val(Z) = val(Z^{(0)}) + val(Z^{(1)}) + val(Z^{(2)})$.
EP posts $COM(Z^{(0)})$, $COM(Z^{(1)})$, $COM(Z^{(2)})$.
VER tests correctness of one of the constructions of $Z^{(0)}$, $Z^{(1)}$, $Z^{(2)}$.

21 Sequence of Additions & Multiplications
A Translation TR of a GSLC will include a number of additions and a number of multiplications.
VER will randomly decide whether to check correctness of all additions or correctness of all multiplications.
If checking correctness of multiplications, VER will randomly choose which aspect (i.e. structure) of $Z^{(0)}$, $Z^{(1)}$, or $Z^{(2)}$ to check for correctness. Same aspect for all multiplications.

22 Amplification of Confidence
Main Theorem: if EP constructs and posts k Translations $TR^{(1)}, \dots, TR^{(k)}$ of a GSLC and if for every $TR^{(i)}$ VER randomly and independently chooses to check for correctness of additions with probability 1/2, correctness of all $Z^{(1)}$ with probability 1/4, and correctness of all $Z^{(2)}$ with probability 1/4, then
Prob( All checks correct and posted computation results incorrect ) $< (3/4)^k$
Comment: correctness of structure of all $Z^{(0)}$ is done together with correctness of additions.
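
The multiplication construction of slides 20 to 22 with the three aspect checks, as an added example that is not code from the talk. Commitments are left out so the algebra stays visible; the modulus P, the function names, and the choice of which coordinates are opened for each aspect are assumptions, since the slides only say that VER tests one of the constructions.

```python
import secrets

P = 2**61 - 1  # prime modulus, constructed for the example (slides: p ~ 2^64)

def rr(x):
    """Random representation (u, v) with (u + v) mod P == x."""
    u = secrets.randbelow(P)
    return (u, (x - u) % P)

def val(X):
    return (X[0] + X[1]) % P

def mult_aux(X, Y):
    """EP: build Z0, Z1, Z2 of slide 20 for the claim val(X)*val(Y) = val(Z)."""
    (u1, v1), (u2, v2) = X, Y
    r1, r2 = secrets.randbelow(P), secrets.randbelow(P)
    Z0 = (u1 * u2 % P, v1 * v2 % P)
    Z1 = ((u1 * v2 + r1) % P, -r1 % P)
    Z2 = ((u2 * v1 + r2) % P, -r2 % P)
    return Z0, Z1, Z2

def check_z0(c, X, Y, Z0):
    """Aspect Z0: coordinate c of Z0 is the product of coordinate c of X and Y.
    Only coordinate c of each pair is used, as in an addition challenge."""
    return Z0[c - 1] == X[c - 1] * Y[c - 1] % P

def check_cross(a, b, Zi):
    """Aspect Z1 (a=u1, b=v2) or Z2 (a=u2, b=v1): val(Zi) == a*b mod P."""
    return val(Zi) == a * b % P

def sum_claim(Z, aux):
    """The addition claim val(Z) = val(Z0) + val(Z1) + val(Z2), in the clear."""
    return val(Z) == sum(val(A) for A in aux) % P

def forge_z1(Z_bad, Z0, Z2):
    """Cheating EP: choose Z1 so the sum claim holds for a wrong product."""
    return rr((val(Z_bad) - val(Z0) - val(Z2)) % P)
```

A forged Z1 makes the sum claim hold for a wrong product but fails the Z1 aspect check, which VER selects with probability 1/4; this is consistent with the (3/4)^k bound of the Main Theorem.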

23 Proving 0 ≤ x ≤ B for B < p/2
B is explicitly given integer. If we prove 0 ≤ x,y ≤ B and 0 ≤ (x-y) mod p ≤ B, it follows that x ≤ y.
Let $b^2$ be a bound on possible bid values.
Following [BCDdG87], given 0 ≤ z ≤ b, the EP can supply within the framework of GSLC translations a proof that –b ≤ z ≤ 2b (i.e. as an integer p-b ≤ z < p or 0 ≤ z ≤ 2b). How do we get rid of the first possibility?
Lagrange proved that every integer $x = z_1^2 + z_2^2 + z_3^2 + z_4^2$. R77 in lectures [RS86] gave an efficient polynomial-time algorithm for computing such a representation.
For numbers $x \le 2^{32}$, Schorn’s Python implementation computed 60,000 representations in 1 second.

24 Proving 0 ≤ x ≤ B for B < p/2
[CS03] proposed using Lagrange in the context of proving range statements for encrypted numbers. We apply Lagrange + [RS86] in our context of GSLCs.
Given $0 \le x \le b^2 < p/32$, the EP computes $z_1, \dots, z_4$ such that $x = z_1^2 + z_2^2 + z_3^2 + z_4^2$. Each $z_i$ is between 0 and b.
The numbers $x, z_1, \dots, z_4$ are represented as usual in a translation TR by pairs $X, Z_1, \dots, Z_4$.
EP incorporates in the GSLC steps for enabling verification that $-b \le val(Z_i) \le 2b$ and that $val(X) = val(Z_1)^2 + \dots + val(Z_4)^2$.
This implies $0 \le x \le 16b^2 = B$. Now $32b^2 < p$, i.e. $16b^2 < p/2$.

25 New Challenge - Solved
Proving Announced matching is stable involves statements:
$\neg\,[\,(X_s^{(i)} < X_t^{(i)}) \wedge (y_i^{(s)} < y_m^{(s)})\,]$
Without Revealing TruthValue($X_s^{(i)} < X_t^{(i)}$), TruthValue($y_i^{(s)} < y_m^{(s)}$).
EP can ZKP for posted COM(x), COM(y), COM(z) that:
Val(Z) = 1 if Val(x) < Val(y), 0 else.

26 Form of k-Translations Proof
$P_1, \dots, P_n$ have submitted to EP values $x_1, \dots, x_n$.
Form of proof created by EP:
$TR^{(1)} = COM(X_1^{(1)}), \dots, COM(X_n^{(1)}), \dots$ (translation of GSLC program)
…
$TR^{(k)} = COM(X_1^{(k)}), \dots, COM(X_n^{(k)}), \dots$ (translation of GSLC program)
How can VER ascertain that $val(X_j^{(1)}) = \dots = val(X_j^{(k)}) = x_j$, $1 \le j \le n$? I.e. that rows of commitments to input values are value consistent and represent submitted $x_1, \dots, x_n$.

27 $P_1, \dots, P_n$ submit Inputs $x_1, \dots, x_n$ to EP
$P_i$, $1 \le i \le n$, prepares 3k random representations $Y_1^{(i)}, \dots, Y_{3k}^{(i)}$ of his value $x_i$.
$P_i$ submits commitments $COM(Y_1^{(i)}), \dots, COM(Y_{3k}^{(i)})$ to the EP.
Purpose of multiple representations of value $x_i$: to enable EP to prepare multiple Translations of GSLC.
EP posts all commitments from all $P_i$, $1 \le i \le n$.

28 Secure Bulletin Board
$COM(Y_1^{(1)}), COM(Y_2^{(1)}), \dots, COM(Y_{3k}^{(1)})$
$COM(Y_1^{(2)}), COM(Y_2^{(2)}), \dots, COM(Y_{3k}^{(2)})$
…
$COM(Y_1^{(n)}), COM(Y_2^{(n)}), \dots, COM(Y_{3k}^{(n)})$

29 Creating Additional Input Value Representations
Every $P_i$ opens (reveals) $Y_1^{(i)}, \dots, Y_{3k}^{(i)}$ to EP.
EP chooses L (say L = 10).
EP constructs additional 6kL = m columns:
$COM(X_1^{(1)}), COM(X_2^{(1)}), \dots, COM(X_m^{(1)})$
$COM(X_1^{(2)}), COM(X_2^{(2)}), \dots, COM(X_m^{(2)})$ (5)
…
$COM(X_1^{(n)}), COM(X_2^{(n)}), \dots, COM(X_m^{(n)})$

30 Proving Value Consistency
Interactively with VER, EP proves:
1) In the n × 3k posted matrix of representation of input values, at least 2k columns are pair-wise value consistent. By definition, the common 2k majority of values in row i is $P_i$’s input $x_i$.
2) In the n × m matrix (5), at least (1 – 1/L)m columns are pair-wise value consistent with the majority values of the input matrix.
3) The interactive proof involves all input representations and 3kL columns of the matrix (5).
4) The remaining untouched 3kL columns of the matrix (5) are used by EP to construct 3L proofs of correctness of announced GSLC results.

31 Assurance of Proof of Value Consistency
Theorem: If either (1) or (2) are false, with respect to the inputs n × 3k matrix or the EP created n × m matrix (5), then:
Prob( VER accepts proof ) $\le 1/2^k$

32 Implementing EP by secure processor
One possibility for an EP is a secure processor (SP) assumed to accept inputs and post results and proofs of correctness according to the previous protocols.
No assumption is made about the correctness of internal computations. In fact the proof of correctness and its verification ensure correctness.
Problem: The SP is tested and certified with respect to the content it can output, however there may be covert channels.
Worst possibility: SP leaks, say, the value $x_1$ through randomness employed in construction of a translation.
Solution: Use another secure processor RSP – a universal source of randomness.

33 Experimental Results
Comparing 100-bidder secrecy-preserving Vickrey auction using Paillier encryption [PRST06] with 2048-bit key against EP method with k = 40, $p \sim 2^{128}$.

Operation               New     Homomorphic
Preparing the proof     2 ms    804 minutes
Downloading the proof   40 ms   < 30 seconds
Verifying the proof     2 ms    162 minutes

34 Matching Problems (H. Varian)
Entities: $E_1, \dots, E_k$; candidates: $C_1, \dots, C_m$
$E_1$ preference list: $C_{i_1}, \dots, C_{i_m}$
$C_1$ preference list: $E_{j_1}, \dots, E_{j_k}$
etc.
Preference Lists: Secret
EP computes stable matching, can ZK prove correctness.

