May 2011 Algorithmic Game Theory Workshop, Hebrew University. Michael O. Rabin, Harvard University.


Practical Zero Knowledge Proofs Applied To Proving Correctness Of Stable Matching Problems
Michael O. Rabin, Harvard University
Algorithmic Game Theory Workshop, Hebrew University, May 23, 2011

Motivation, Applications
New Zero Knowledge Proofs
Next Steps

Stable Matchings – Hospitals/Residents

Hospitals/Residents, continued: every resident ranks the hospitals (ranking figure omitted).

Stable Matching: there is no hospital-resident pair, not matched to each other, such that the hospital prefers that resident over its assigned resident and the resident prefers that hospital over their assigned hospital.

Stable Matching – The Data
Hospitals H_1, …, H_L; hospital i's ranking data: x_1(i), x_2(i), …
Residents R_1, …, R_M; resident j's ranking data: y_1(j), y_2(j), …
The Administrator gets the data, computes a stable matching, and informs the hospitals/residents.

Secrecy And Correctness
Hospitals do not want residents to know their rankings. Residents want their hospital rankings kept secret. Everybody wants assurance of the correctness of the announced matchings.
Challenge: proving statements such as x_t(i) < x_s(i) and y_m(j) < y_n(j) while keeping the values secret.

Existing Technologies
Varieties of zero-knowledge proofs and arguments: proving x ∈ L for an NP language L; proving circuit satisfiability (at the bit level); using homomorphic encryption to prove statements about encrypted values; the method of obfuscated circuits (A. Yao); multiparty computations hiding inputs and intermediate results.

Our Approach
We work directly with numbers x, y, z ∈ F_p, p prime, say p ~ 2^64. There is no need to go down to the bit/gate level or to work with heavy homomorphic encryptions. A wide range of computations, and ZK proofs of their correctness, is encompassed within the formulation of Generalized Straight-Line Computations in F_p and the verification of the correctness of the results of such computations.

Generalized Straight-Line Computations
Let x_1, …, x_n be inputs from P_1, …, P_n. An Evaluator Prover (EP) conducts a generalized straight-line computation (GSLC) x_1, x_2, …, x_n, x_{n+1}, …, producing outputs x_L = f_L(x_1, …, x_n), x_{L+1} = f_{L+1}(x_1, …, x_n), etc.
(1) For all m > n there exist i, j < m such that x_m = x_i + x_j (mod p), or x_m = x_i × x_j (mod p), or x_m = (x_i <= x_j).
More general computations are treatable.

Posting And Proving Correctness of Results
The Evaluator Prover (EP) posts the results (outputs) x_L = f_L(x_1, …, x_n), x_{L+1} = f_{L+1}(x_1, …, x_n), etc. The EP posts a ZK proof of the correctness of the results. The proof of correctness is checked by a Verifier VER interacting with the EP.

Flow of Proof/Verification
EP creates the proof and presents it to the Verifier VER. VER challenges EP with C_1, C_2, …; EP responds with R_1, R_2, …; VER checks the correctness of the responses.

Our Magical Solution
Values x ∈ {0, 1, …, p-1} = Z_p, prime p ~ 2^64, with +, × mod p.
Random representations: RR(x) = X = (u, v), where u is chosen uniformly at random from {0, 1, …, p-1} and v = (x - u) mod p, so val(X) = (u + v) mod p = x.
COM(X) = (COM(u), COM(v)).
The Evaluator Prover needs to ZK-prove statements such as val(X) + val(Y) = val(Z), val(X) × val(Y) = val(Z), val(X) <= val(Y).

Commitment To Values
G is a group with |G| = p; g_1 is a generator, g_2 = g_1^m, m = log_{g_1}(g_2). Assume the Discrete Log Problem for G is intractable. Given u ∈ F_p and r chosen at random from [0, p-1], define COM(u, r) = g_1^r g_2^u. COM is information-theoretically hiding and computationally binding.
In practice, the commitment is made using encryption E(·,·) (say 128-bit-key AES): COM(u) = E(K, u). Decommit/Open: reveal the key K.

Proof/Verification of Addition
X = (u_1, v_1), Y = (u_2, v_2), Z = (u_3, v_3). Claim: val(X) + val(Y) = val(Z) (3). Posted: (COM(u_i), COM(v_i)), 1 ≤ i ≤ 3.
(3) is true iff there exists r ∈ F_p such that X + Y = Z + (r, -r). EP reveals r. VER chooses c at random from {1, 2} and sends it to EP; say c = 1. EP reveals u_1, u_2, u_3 (or, if c = 2, v_1, v_2, v_3). VER checks u_1 + u_2 = u_3 + r (or v_1 + v_2 = v_3 - r).
Prob((3) false and check succeeds) ≤ 1/2.

Illustration of the Method: Addition
– p = 17
– x = 7, y = 7, x + y = z = 14
– X = (3,4), Y = (15,9), Z = (8,6)
– CLAIM: val(X) + val(Y) = val(Z)

Illustration of the Method: Addition
– p = 17
– x = 7, y = 7, x + y = z = 14
– X = (3,4), Y = (15,9), Z = (8,6)
– Auc (the EP) posts (10,-10). Verifier: c chosen at random from {1, 2}; here c = 1, so the first coordinates 3, 15, 8 are opened and 3 + 15 = 8 + 10 (mod 17) is checked.

Sequence of Additions
Let COM(X), COM(Y), COM(W), COM(U), COM(Z), etc. be posted. EP claims VAL(X) + VAL(Y) = VAL(W), VAL(W) + VAL(U) = VAL(Z), etc. The correctness of the sequence of additions can be simultaneously proved/verified as above: if the challenge is c = 1, all first coordinates are revealed by EP; if the challenge is c = 2, all second coordinates are revealed.
Prob(check succeeds but even one addition is false) ≤ 1/2.

Amplification of Confidence
EP posts k "translations" of the proof of the same sequence of additions: COM(X^(i)), COM(Y^(i)), COM(W^(i)), COM(U^(i)), COM(Z^(i)), etc. for 1 <= i <= k, where val(X^(1)) = … = val(X^(k)), val(Y^(1)) = … = val(Y^(k)), etc. VER creates k independent random challenges c_1, …, c_k ∈ {1, 2}. EP reveals all coordinates c_i in translation i.
Prob(all checks succeed while even one addition is false) ≤ 1/2^k.

Proof/Verification of Multiplication
X = (u_1, v_1), Y = (u_2, v_2), Z = (u_3, v_3). Claim: val(X) × val(Y) = val(Z) (4). Posted: (COM(u_i), COM(v_i)), 1 ≤ i ≤ 3.
EP creates Z^(0) = (u_1 × u_2, v_1 × v_2), Z^(1) = (u_1 × v_2 + r_1, -r_1), Z^(2) = (u_2 × v_1 + r_2, -r_2), where r_1, r_2 are chosen at random from F_p. Clearly, (4) is true iff val(Z) = val(Z^(0)) + val(Z^(1)) + val(Z^(2)). EP posts COM(Z^(0)), COM(Z^(1)), COM(Z^(2)). VER tests the correctness of one of the constructions of Z^(0), Z^(1), Z^(2).

Sequence of Additions & Multiplications
A Translation TR of a GSLC will include a number of additions and a number of multiplications. VER will randomly decide whether to check the correctness of all additions or the correctness of all multiplications. If checking the correctness of multiplications, VER will randomly choose which aspect (i.e. structure) of Z^(0), Z^(1), or Z^(2) to check for correctness, the same aspect for all multiplications.

Amplification of Confidence
Main Theorem: if EP constructs and posts k Translations TR^(1), …, TR^(k) of a GSLC, and if for every TR^(i) VER randomly and independently chooses to check the correctness of additions with probability 1/2, the correctness of all Z^(1) with probability 1/4, and the correctness of all Z^(2) with probability 1/4, then Prob(all checks correct and posted computation results incorrect) < (3/4)^k.
Comment: the correctness of the structure of all Z^(0) is checked together with the correctness of the additions.
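The addition proof (r-shift plus one opened coordinate) and the Z^(0), Z^(1), Z^(2) multiplication decomposition of the preceding slides, as an added example that is not code from the talk: it reuses the slides' toy values p = 17, X = (3,4), Y = (15,9), Z = (8,6), and substitutes a keyed SHA-256 commitment for the AES commitment the talk mentions (an assumption).

```python
# Added example, not code from the slides: one addition and one multiplication
# proved on random representations (RR) over F_p, with k-fold amplification.
# Commitments are SHA-256 over a random key (an assumption; the talk uses AES).
import hashlib, secrets

P = 17  # the slides' toy prime; the talk uses p ~ 2^64

def rr(x, u=None):
    """Random representation X = (u, v) with val(X) = (u + v) mod p = x."""
    u = secrets.randbelow(P) if u is None else u
    return (u, (x - u) % P)

def commit(w):
    key = secrets.token_bytes(16)
    return key, hashlib.sha256(key + w.to_bytes(8, "big")).digest()

def opened_ok(com, key, w):
    return com == hashlib.sha256(key + w.to_bytes(8, "big")).digest()

def add_shift(X, Y, Z):
    """EP posts r before the challenge: X + Y = Z + (r, -r) iff the claim holds.
    For a false Z the EP can make only one of the two coordinates fit."""
    return (X[0] + Y[0] - Z[0]) % P

def check_add(c, r, a, b, z):
    """VER's test on the revealed c-th coordinates a, b, z of X, Y, Z."""
    return (a + b) % P == (z + (r if c == 1 else -r)) % P

def add_protocol(x, y, z, k):
    """k translations, k independent challenges: each translation opens one
    coordinate per value, and a false z survives with probability <= 1/2^k."""
    for _ in range(k):
        reps = (rr(x), rr(y), rr(z))                     # fresh translation
        coms = [[commit(w) for w in R] for R in reps]     # EP posts COM(u), COM(v)
        r = add_shift(*reps)                              # EP posts r
        c = secrets.choice((1, 2))                        # VER's challenge
        opened = [R[c - 1] for R in reps]                 # EP reveals c-th coords
        for (key, com), w in zip([cm[c - 1] for cm in coms], opened):
            if not opened_ok(com, key, w):
                return False
        if not check_add(c, r, *opened):
            return False
    return True

def mult_shares(X, Y):
    """EP's Z(0), Z(1), Z(2): val(Z0) + val(Z1) + val(Z2) = val(X) * val(Y), since
    (u1+v1)(u2+v2) = u1u2 + v1v2 + u1v2 + u2v1; r1, r2 mask the cross terms."""
    (u1, v1), (u2, v2) = X, Y
    r1, r2 = secrets.randbelow(P), secrets.randbelow(P)
    return ((u1 * u2 % P, v1 * v2 % P),
            ((u1 * v2 + r1) % P, -r1 % P),
            ((u2 * v1 + r2) % P, -r2 % P))

def check_mult_aspect(aspect, c, X, Y, Z0, Z1, Z2):
    """VER checks one construction. Aspect 1 opens u1, v2 (aspect 2: u2, v1),
    each a uniform field element, so x and y stay hidden; aspect 0 (Z0) is
    checked on the coordinate c chosen for the addition proof. The remaining
    claim val(Z) = val(Z0) + val(Z1) + val(Z2) is two additions, proved as above."""
    (u1, v1), (u2, v2) = X, Y
    if aspect == 1:
        return Z1[0] == (u1 * v2 - Z1[1]) % P          # Z1 = (u1*v2 + r1, -r1)
    if aspect == 2:
        return Z2[0] == (u2 * v1 - Z2[1]) % P
    return Z0[c - 1] == X[c - 1] * Y[c - 1] % P
```

With the slides' values, add_shift returns r = 10, matching the (10,-10) the illustration posts; add_protocol with a wrong z (say 13) fails a c = 2 challenge.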

Proving 0 ≤ x ≤ B for B < p/2
B is an explicitly given integer. If we prove 0 ≤ x, y ≤ B and 0 ≤ (x - y) mod p ≤ B, it follows that x ≤ y. Let b^2 be a bound on possible bid values. Following [BCDdG87], given 0 ≤ z ≤ b, the EP can supply within the framework of GSLC translations a proof that -b ≤ z ≤ 2b (i.e. as an integer p - b ≤ z < p or 0 ≤ z ≤ 2b). How do we get rid of the first possibility?
Lagrange proved that every integer x = z_1^2 + z_2^2 + z_3^2 + z_4^2. R77 (in lectures) and [RS86] gave an efficient polynomial-time algorithm for computing such a representation. For numbers x ≤ 2^32, Schorn's Python implementation computed 60,000 representations in 1 second.

Proving 0 ≤ x ≤ B for B < p/2
[CS03] proposed using Lagrange in the context of proving range statements for encrypted numbers. We apply Lagrange + [RS86] in our context of GSLCs. Given 0 ≤ x ≤ b^2 < p/32, the EP computes z_1, …, z_4 such that x = z_1^2 + z_2^2 + z_3^2 + z_4^2; each z_i is between 0 and b. The numbers x, z_1, …, z_4 are represented as usual in a translation TR by pairs X, Z_1, …, Z_4. EP incorporates in the GSLC steps enabling verification that -b ≤ val(Z_i) ≤ 2b and that val(X) = val(Z_1)^2 + … + val(Z_4)^2. This implies 0 ≤ x ≤ 16b^2 = B. Now 32b^2 < p, i.e. 16b^2 < p/2.
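The four-square range argument of the last two slides carried through in code, as an added example that is not from the talk: a brute-force decomposition stands in for the [RS86] algorithm, P = 2^61 - 1 is an assumed stand-in for p ~ 2^64, and the comparison is certified through d = (y - x) mod p so that the conclusion drawn is x ≤ y.

```python
# Added example, not code from the slides: the Lagrange four-square range
# argument. A brute-force search stands in for the Rabin-Shallit algorithm of
# [RS86], and P = 2^61 - 1 is an assumed stand-in for the talk's p ~ 2^64.
from math import isqrt

P = 2**61 - 1

def four_squares(x):
    """z1..z4 >= 0 with x = z1^2 + z2^2 + z3^2 + z4^2 (Lagrange). Fine for x
    up to a few million; [RS86] handles 32/64-bit x in polynomial time."""
    for z1 in range(isqrt(x), -1, -1):
        r1 = x - z1 * z1
        for z2 in range(isqrt(r1), -1, -1):
            r2 = r1 - z2 * z2
            for z3 in range(isqrt(r2), -1, -1):
                r3 = r2 - z3 * z3
                z4 = isqrt(r3)
                if z4 * z4 == r3:
                    return (z1, z2, z3, z4)
    raise ValueError("unreachable by Lagrange's theorem")

def in_bcddg_range(z, b):
    """The [BCDdG87]-style fact the GSLC proof establishes for each z_i:
    -b <= z_i <= 2b, i.e. as a field element 0 <= z <= 2b or p-b <= z < p."""
    return 0 <= z <= 2 * b or P - b <= z < P

def range_bound(x, zs, b):
    """VER's conclusion from x = sum z_i^2 (mod p) and the four range facts.
    A 'negative' z_i = p - t contributes t^2 <= b^2 as an integer, so the
    integer sum is at most 4*(2b)^2 = 16b^2 = B; with 32b^2 < p there is no
    wrap-around and 0 <= x <= B < p/2 holds for x itself. Returns B or None."""
    B = 16 * b * b
    if 2 * B >= P or not all(in_bcddg_range(z, b) for z in zs):
        return None
    if sum(z * z for z in zs) % P != x % P:
        return None
    return B

def prove_leq(x, y, b):
    """EP side: certify x <= y for 0 <= x, y <= b^2 < p/32 by decomposing x, y
    and d = (y - x) mod p. If y < x then d is close to p and has no small
    decomposition, so no certificate exists."""
    d = (y - x) % P
    if not (0 <= x <= b * b and 0 <= y <= b * b and d <= b * b):
        return None
    return {"x": four_squares(x), "y": four_squares(y), "d": four_squares(d)}

def verify_leq(x, y, cert, b):
    """VER side (x, y appear in clear here only to check the certificate; in
    the protocol the sums are checked inside the GSLC on hidden values).
    0 <= d = (y - x) mod p <= B with 0 <= x, y <= B < p/2 forces y >= x,
    since y < x would give d >= p - B > p/2."""
    if cert is None:
        return False
    d = (y - x) % P
    return all(range_bound(v, cert[n], b) is not None
               for n, v in (("x", x), ("y", y), ("d", d)))
```

range_bound accepts a decomposition in which some z_i sits in [p-b, p) (the "first possibility" of the slide) because its square is still at most b^2 as an integer, which is exactly why that case need not be excluded.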

New Challenge - Solved
Proving that the announced matching is stable involves statements ¬[(x_s(i) < x_t(i)) ∧ (y_i(s) < y_m(s))] without revealing TruthValue(x_s(i) < x_t(i)) or TruthValue(y_i(s) < y_m(s)).
EP can ZKP for posted COM(x), COM(y), COM(z) that Val(Z) = 1 if Val(x) < Val(y), and 0 else.

Form of k-Translations Proof
P_1, …, P_n have submitted to EP the values x_1, …, x_n. Form of the proof created by EP:
TR^(1) = COM(X_1^(1)), …, COM(X_n^(1)), …, (translation of GSLC program)
…
TR^(k) = COM(X_1^(k)), …, COM(X_n^(k)), …, (translation of GSLC program)
How can VER ascertain that val(X_j^(1)) = … = val(X_j^(k)) = x_j for 1 ≤ j ≤ n, i.e. that the rows of commitments to input values are value-consistent and represent the submitted x_1, …, x_n?

P_1 … P_n submit inputs x_1 … x_n to EP
P_i, 1 ≤ i ≤ n, prepares 3k random representations Y_1^(i), …, Y_3k^(i) of his value x_i and submits the commitments COM(Y_1^(i)), …, COM(Y_3k^(i)) to the EP. The purpose of the multiple representations of the value x_i is to enable EP to prepare multiple translations of the GSLC. EP posts all commitments from all P_i, 1 ≤ i ≤ n.

Secure Bulletin Board
COM(Y_1^(1)), COM(Y_2^(1)), …, COM(Y_3k^(1))
COM(Y_1^(2)), COM(Y_2^(2)), …, COM(Y_3k^(2))
…
COM(Y_1^(n)), COM(Y_2^(n)), …, COM(Y_3k^(n))

Creating Additional Input Value Representations
Every P_i opens (reveals) Y_1^(i), …, Y_3k^(i) to EP. EP chooses L (say L = 10) and constructs an additional m = 6kL columns:
COM(X_1^(1)), COM(X_2^(1)), …, COM(X_m^(1))
COM(X_1^(2)), COM(X_2^(2)), …, COM(X_m^(2))      (5)
…
COM(X_1^(n)), COM(X_2^(n)), …, COM(X_m^(n))

Proving Value Consistency
Interactively with VER, EP proves:
1) In the n × 3k posted matrix of representations of input values, at least 2k columns are pair-wise value-consistent. By definition, the common 2k-majority of values in row i is P_i's input x_i.
2) In the n × m matrix (5), at least (1 - 1/L)m columns are pair-wise value-consistent with the majority values of the input matrix.
3) The interactive proof involves all input representations and 3kL columns of the matrix (5).
4) The remaining untouched 3kL columns of the matrix (5) are used by EP to construct 3L proofs of correctness of the announced GSLC results.

Assurance of Proof of Value Consistency
Theorem: If either (1) or (2) is false with respect to the input n × 3k matrix or the EP-created n × m matrix (5), then Prob(VER accepts proof) ≤ 1/2^k.

Implementing EP by a secure processor
One possibility for an EP is a secure processor (SP), assumed to accept inputs and post results and proofs of correctness according to the previous protocols. No assumption is made about the correctness of the internal computations; in fact the proof of correctness and its verification ensure correctness.
Problem: the SP is tested and certified with respect to the content it can output; however, there may be covert channels. Worst possibility: the SP leaks, say, the value x_1 through the randomness employed in the construction of a translation.
Solution: use another secure processor RSP as a universal source of randomness.

Experimental Results
Comparing a 100-bidder secrecy-preserving Vickrey auction using Paillier encryption [PRST06] with a 2048-bit key against the EP method with k = 40 and p as above:
Operation               New      Homomorphic
Preparing the proof     2 ms     804 minutes
Downloading the proof   40 ms    < 30 seconds
Verifying the proof     2 ms     162 minutes

Matching Problems (H. Varian)
Entities: E_1, …, E_k; candidates: C_1, …, C_m.
E_1 preference list: C_{i1}, …, C_{im}; C_1 preference list: E_{j1}, …, E_{jk}; etc.
Preference lists: secret. EP computes the stable matching and can ZK-prove its correctness.