Zero-Knowledge Proofs Ben Hosp

Classical Proofs A proof is an argument for the truth or correctness of an assertion. A classical proof is an unambiguous demonstration that a statement is true or false.

Classical Proof Systems Suppose we have a language of assertions and a language of proofs over some finite alphabet. Let L be the language of true assertions, that is, the assertions that have proofs. We can define a classical proof system for L as an algorithm V such that:
- Completeness: true assertions have proofs. If x is in L, then a proof p exists such that V(x,p) = 1.
- Soundness: false assertions have no proofs. If y is not in L, then for all p* in the proof language, V(y,p*) = 0.
- Efficiency: for all x in the assertion language and p in the proof language, V(x,p) halts in time polynomial in |x|.

Graph Isomorphism Let G = ([n],E) be a graph on the vertex set [n] = {1,...,n} and let Perm be a permutation of [n]. Perm(G) = ([n], E'), where E' = {(Perm(u), Perm(v)) : (u,v) is in E}. If there exists a permutation Perm such that Perm(G) = H, then G and H are isomorphic and Perm is an isomorphism between G and H.

Classical Proof System for Graph Isomorphism The proof is the permutation itself; the verifier applies it to G and compares edge sets with H, which takes time polynomial in the input size (O(|E|) with hashed edge sets):

```python
def verify_isomorphism(G, H, p):
    # p(G) denotes relabeling every edge (u, v) of G as (p(u), p(v)).
    if p(G) == H:          # compare edge sets: O(|E|) time
        return 1           # accept the proof
    return 0               # reject the proof
```

NP A review: NP is the class of problems which can be solved with a nondeterministic polynomial-time algorithm, i.e. one that may "guess" the answer bit by bit as long as each guess can be checked in polynomial time:

for each i in 1..answer.size:
  G: answer[i] = guess(i)         # magically provides the next bit of the answer
     if not verify(answer, i):    # checks, in polynomial time, that the answer is correct so far
         goto G

Classical Proofs are NP So NP is exactly the class of languages with classical proof systems: the proof p is the certificate and V is the polynomial-time verifier. If we have an assertion x, we can verify any candidate proof for it in polynomial time, so the problem "Is x in L?" is in NP.

What Is A Proof?

What Do You Learn From A Proof? A lot more than the truth of an assertion. You learn enough to convince others of the truth of that assertion. The "classical" way to prove "There exists x..." is to provide an example of x. What if you want to prove "There exists x" or "I know x" without telling you x, or (ideally) any information about x?

Ali Baba’s Cave There is a magic cave like this: But Ali Baba knows there is a secret door here: Ali Baba knows the cave is a loop, but no one else does.

Ali Baba's Cave How can Ali Baba prove to you that the magic door exists? A classical proof (showing you the door) would give away the secret. But Ali Baba can convince you the door exists by having you watch him go down one tunnel and come out the other. We need a new class of proofs.

Interactive Proofs Interactive proofs are based on the interaction between a prover P and a verifier V. P wants to prove something to the verifier. An interaction protocol is a pair of functions mapping strings to strings: it defines the messages P will send V and V will send P in terms of the messages received so far (and each party's own random coins). In general, P will give V some commitment, then V will randomly make some sort of challenge to P, and then reject or accept the proof based on P's response.

Probabilistic Proofs Proofs based on interactive protocols are probabilistic: there is generally a chance that the verifier will reject some valid assertions or accept some invalid ones. We can define a probabilistic proof system for L as an interactive protocol (P,V) such that:
- Efficiency: for all x in the assertion language, (P,V)(x) halts in time polynomial in |x| (this bounds V; P may be computationally unbounded).
- Completeness: if x is in L, then (P,V)(x) accepts with probability at least α.
- Soundness: if y is not in L, then for every prover strategy P*, (P*,V)(y) accepts with probability at most β.
Here 1 ≥ α > β ≥ 0. Because the honest prover is accepted with probability at least α and every cheating prover with probability at most β, we can repeat such a proof multiple times (taking a majority) to make the chance of a false positive or false negative negligible, provided the gap α − β is at least inverse-polynomial.

IP IP is the class of languages with Interactive (Probabilistic) proofs. NP is a subset of IP: P can simply send V a classical proof to check. IP is thought to be a strict superset of NP; in fact IP = PSPACE (Shamir, 1990), so IP is strictly larger than NP unless NP = PSPACE.

Graph Non-Isomorphism No classical proof system is known for the question of whether graphs G and H are non-isomorphic (the problem is in coNP, but not known to be in NP). We can check all possible permutations of G, but this takes exponential time. Observations on this problem: Let ICP(G) be the set of isomorphic copies of G. If G and H are non-isomorphic, then ICP(G) and ICP(H) are disjoint. If G and H are isomorphic, then ICP(G) = ICP(H), so it is impossible to tell a random selection from ICP(G) and a random selection from ICP(H) apart.

Interactive Proof System for Graph Non-Isomorphism Suppose we have G_0 = ([n],E_0) and G_1 = ([n],E_1). V randomly selects a bit b, sets C = G_b, and picks a random permutation p. V sends p(C) to P. P determines whether p(C) is an isomorphic copy of G_0 or of G_1, and sends that bit back to V. If V receives the same bit it chose, it accepts P's proof that G_0 and G_1 are non-isomorphic, otherwise it rejects. Completeness: if the graphs are non-isomorphic, ICP(G_0) and ICP(G_1) are disjoint, so an unbounded P always answers correctly. Soundness: if the graphs are isomorphic, p(C) has the same distribution whichever b was chosen, so any prover guesses b with probability exactly 1/2 per round; k independent rounds bring false acceptance down to 2^-k. P has demonstrated the ability to tell the difference between elements of ICP(G_0) and ICP(G_1), something V cannot do on its own. One caveat: this basic protocol is only known to be zero-knowledge against an honest verifier. A dishonest V could send some unrelated graph H and use P as an oracle for "is H isomorphic to G_0?".
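The classical isomorphism verifier above and the non-isomorphism protocol on this slide, as an added worked example (this is not code from the presentation; graph representation, function names and the two constructed four-vertex graphs are my own choices). The prover side uses a brute-force n! search, which is fine for a toy but is exactly the exponential work the verifier never has to do. The cheating case is shown by running the protocol on two graphs that are in fact isomorphic: the "prover" then cannot do better than a coin flip per round.

```python
import itertools
import random

# A graph is (n, frozenset of edges (u, v) with u < v) over vertices 0..n-1.
# Frozenset equality is a hashed comparison, so checking perm(G) == H is O(|E|).

def make_graph(n, edges):
    return (n, frozenset((min(u, v), max(u, v)) for u, v in edges))

def apply_perm(graph, perm):
    """Relabel every vertex v as perm[v]; returns the isomorphic copy perm(G)."""
    n, edges = graph
    return (n, frozenset((min(perm[u], perm[v]), max(perm[u], perm[v]))
                         for u, v in edges))

def verify_isomorphism(g, h, perm):
    """Classical (NP) verifier: the proof is the permutation, checked in poly time."""
    n, _ = g
    if h[0] != n or sorted(perm) != list(range(n)):
        return False                      # not a permutation of [n]
    return apply_perm(g, perm) == h

def find_isomorphism(g, h):
    """Prover's brute-force search over all n! relabelings (toy sizes only)."""
    n, _ = g
    if h[0] != n or len(g[1]) != len(h[1]):
        return None
    for perm in itertools.permutations(range(n)):
        if apply_perm(g, perm) == h:
            return perm
    return None

def honest_prover(g0, g1):
    """Prover for non-isomorphism: says which of g0/g1 the challenge is a copy of.
    Only well-defined when ICP(g0) and ICP(g1) are disjoint."""
    def answer(challenge):
        return 0 if find_isomorphism(g0, challenge) is not None else 1
    return answer

def gni_protocol(g0, g1, prover, rounds, rng):
    """Interactive proof that g0 and g1 are NOT isomorphic.
    Each round: V picks a secret bit b and a random permutation, sends perm(G_b),
    and accepts only if P returns b. rng must provide randrange(2) and shuffle(list)."""
    n = g0[0]
    for _ in range(rounds):
        b = rng.randrange(2)
        perm = list(range(n))
        rng.shuffle(perm)
        challenge = apply_perm(g0 if b == 0 else g1, perm)
        if prover(challenge) != b:
            return False                  # if g0 ~ g1 this happens with prob. 1/2 per round
    return True

# Constructed example: the 4-cycle (all degrees 2) versus a triangle with a pendant
# vertex (degrees 3,2,2,1). Same vertex and edge counts, but not isomorphic.
C4 = make_graph(4, [(0, 1), (1, 2), (2, 3), (3, 0)])
C4_RELABELED = make_graph(4, [(0, 2), (2, 1), (1, 3), (3, 0)])   # an isomorphic copy of C4
TRI_PENDANT = make_graph(4, [(0, 1), (1, 2), (2, 0), (2, 3)])

if __name__ == "__main__":
    p = find_isomorphism(C4, C4_RELABELED)
    print("classical proof accepted:", verify_isomorphism(C4, C4_RELABELED, p))
    rng = random.Random(2024)
    print("GNI proof, truly non-isomorphic:",
          gni_protocol(C4, TRI_PENDANT, honest_prover(C4, TRI_PENDANT), 20, rng))
    print("GNI proof, actually isomorphic:",
          gni_protocol(C4, C4_RELABELED, honest_prover(C4, C4_RELABELED), 20, rng))
```

The verifier's only work per round is one relabeling and one comparison; all the hardness sits with the prover. Note that `gni_protocol` trusts the verifier to send permutations of G_0 or G_1 only, which is the honest-verifier assumption discussed above.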

Zero-Knowledge Proofs P is going to prove an assertion to V without giving V any information other than the truth of the assertion. In other words, V can simulate a proof of the assertion on its own and get a transcript that is computationally indistinguishable from a transcript of a real interaction with P. V does not even learn enough to prove the assertion to another party.

NP is a subset of ZK Every language with a classical proof system has a zero-knowledge proof system (assuming one-way functions, which are needed to build the commitments used below). Consider the graph 3-coloring problem: given G=([n],E), we want C:[n]->{R,G,B} such that if (x,y) is in E, then C(x) is different from C(y). A classical proof that a graph has a 3-coloring is such a 3-coloring. How can we prove a 3-coloring exists without revealing any information about it?

Zero-Knowledge Proof System for Graph 3-coloring (first attempt) G=([n],E). P knows that C is a 3-coloring of G. V randomly chooses an edge (x,y) in E and sends it to P. P sends C(x) and C(y) to V. V rejects if C(x) = C(y) and accepts otherwise. This is not sound: P picks the two colors after seeing the edge, so a prover with no coloring at all can always answer with two distinct colors.

Zero-Knowledge Proof System for Graph 3-coloring (second attempt) G=([n],E). P knows that C is a 3-coloring of G. For each vertex v in [n], P encrypts C(v) under a fresh key K_v and sends E_Kv(C(v)) to V, before any challenge is made. V randomly chooses (x,y) in E and sends it to P. P sends K_x and K_y to V. V rejects if D_Kx(E_Kx(C(x))) = D_Ky(E_Ky(C(y))) and accepts otherwise. The ciphertexts act as commitments: P is bound to its colors before it learns which edge V will ask about, which repairs soundness. But it is not zero-knowledge: each round reveals the true colors C(x), C(y) of one edge, and over many rounds V reconstructs the coloring.

Zero-Knowledge Proof System for Graph 3-coloring (final version) G=([n],E). P knows that C is a 3-coloring of G. P randomly chooses p, a permutation of {R,G,B}. Clearly C' = p(C) is also a 3-coloring of G. For each vertex v in [n], P encrypts C'(v) under a fresh key K_v and sends E_Kv(C'(v)) to V. V randomly chooses (x,y) in E and sends it to P. P sends K_x and K_y to V. V rejects if D_Kx(E_Kx(C'(x))) = D_Ky(E_Ky(C'(y))) and accepts otherwise. A fresh p and fresh keys are chosen in every round, so the two colors V sees are a uniformly random pair of distinct colors, unlinked to what V saw in earlier rounds.

Zero-Knowledge Proof System for Graph 3-coloring Since C' = p(C) is a proper 3-coloring of G, C'(x) will never equal C'(y) when x and y are adjacent, so an honest prover is never rejected. If C is not a proper 3-coloring of G, some edge (x,y) has C'(x) = C'(y), and V picks such an edge with probability at least 1/|E| per round (V should also reject if an opened value is not one of R, G, B). A cheating prover therefore survives one round with probability at most 1 − 1/|E|, and about k·|E| repetitions bring the chance of false acceptance below 2^-k. V has learned whether a 3-coloring of G exists, but nothing about it: the only information V has received in the clear from P is two distinct colors, plus unopened ciphertexts, and V could have generated that information on its own. For this to hold the encryption must be both hiding (unopened ciphertexts reveal nothing about the colors) and binding (P cannot open a ciphertext to a different color after seeing the challenge); in practice E_Kv is a commitment scheme.
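The final 3-coloring protocol, as an added worked example that is not part of the presentation. It replaces the slide's E_Kv with a SHA-256 commitment over a random 16-byte nonce (my substitution: a deterministic encryption of a three-valued message would leak the color), gives both sides of each round, derives the number of rounds from the 1 − 1/|E| per-round soundness bound, and includes an honest-verifier simulator that produces a valid-looking round without any coloring, which is the "V could have generated it itself" argument made concrete. Class and function names and the K3/K4 sample graphs are constructed for this example.

```python
import hashlib
import math
import os
import random

COLORS = "RGB"

def commit(color, nonce):
    """Hash commitment to one color. Hiding: the 16-byte nonce is unpredictable.
    Binding: opening to another color would require a SHA-256 collision."""
    return hashlib.sha256(nonce + color.encode()).digest()

def is_proper_coloring(edges, coloring):
    return all(coloring[u] != coloring[v] for u, v in edges)

class Prover:
    """Holds the secret coloring C. commit_round() is the first message of a
    round; open() answers the verifier's edge challenge."""
    def __init__(self, n, edges, coloring):
        self.n, self.edges, self.coloring = n, edges, coloring

    def commit_round(self, rng):
        shuffled = list(COLORS)
        rng.shuffle(shuffled)                       # fresh random permutation p of {R,G,B}
        relabel = dict(zip(COLORS, shuffled))
        self.cprime = {v: relabel[self.coloring[v]] for v in range(self.n)}   # C' = p(C)
        self.nonces = {v: os.urandom(16) for v in range(self.n)}
        return {v: commit(self.cprime[v], self.nonces[v]) for v in range(self.n)}

    def open(self, x, y):
        return (self.cprime[x], self.nonces[x]), (self.cprime[y], self.nonces[y])

def check_opening(commitments, x, y, open_x, open_y):
    """Verifier's decision for one round: the openings must match commitments
    sent BEFORE the edge was chosen, and be two distinct legal colors."""
    (cx, nx), (cy, ny) = open_x, open_y
    if commit(cx, nx) != commitments[x] or commit(cy, ny) != commitments[y]:
        return False                                # prover changed its answer after the challenge
    return cx in COLORS and cy in COLORS and cx != cy

def run_protocol(n, edges, prover, rounds, rng):
    """rounds x (P commits -> V picks a random edge -> P opens -> V checks)."""
    edge_list = sorted(edges)
    for _ in range(rounds):
        commitments = prover.commit_round(rng)
        x, y = rng.choice(edge_list)
        open_x, open_y = prover.open(x, y)
        if not check_opening(commitments, x, y, open_x, open_y):
            return False
    return True

def rounds_for_error(num_edges, k):
    """A prover with even one bad edge survives a round with probability at most
    1 - 1/|E|, and (1 - 1/|E|)^r <= e^(-r/|E|) <= 2^-k once r >= k * |E| * ln 2."""
    return math.ceil(k * num_edges * math.log(2))

def simulate_round(n, edges, rng):
    """Honest-verifier simulator: one round's transcript with NO coloring.
    It picks the edge first, commits to two random distinct colors there and
    to a dummy color elsewhere. An honest V's challenge is independent of the
    commitments, so this transcript is distributed exactly like a real one."""
    x, y = rng.choice(sorted(edges))
    cols = {v: "R" for v in range(n)}
    cols[x], cols[y] = rng.sample(list(COLORS), 2)
    nonces = {v: os.urandom(16) for v in range(n)}
    commitments = {v: commit(cols[v], nonces[v]) for v in range(n)}
    return commitments, (x, y), (cols[x], nonces[x]), (cols[y], nonces[y])

# Constructed sample graphs.
K3_EDGES = [(0, 1), (1, 2), (0, 2)]
K3_COLORING = {0: "R", 1: "G", 2: "B"}
K4_EDGES = [(0, 1), (0, 2), (0, 3), (1, 2), (1, 3), (2, 3)]   # K4 is not 3-colorable
K4_BAD_COLORING = {0: "R", 1: "G", 2: "B", 3: "R"}           # edge (0,3) is monochrome

if __name__ == "__main__":
    rng = random.Random(1)
    print("honest prover on K3:", run_protocol(3, K3_EDGES, Prover(3, K3_EDGES, K3_COLORING), 20, rng))
    r = rounds_for_error(len(K4_EDGES), 40)
    print("rounds for 2^-40 soundness on K4:", r)
    print("cheating prover on K4:", run_protocol(4, K4_EDGES, Prover(4, K4_EDGES, K4_BAD_COLORING), r, rng))
```

The simulator only covers an honest verifier that picks its edge uniformly at random; handling a verifier whose challenge depends on the commitments requires the rewinding argument of the full zero-knowledge proof, which this example does not attempt.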