Zero Knowledge Proofs. Interactive proof An Interactive Proof System for a language L is a two-party game between a verifier and a prover that interact.

Presentation transcript:

Zero Knowledge Proofs

Interactive proof
An Interactive Proof System for a language L is a two-party game between a verifier and a prover that interact on a common input in a way satisfying the following properties:
- The verifier's strategy is a probabilistic polynomial-time procedure.
- Correctness requirements:
  Completeness: There exists a prover strategy P such that for every x ∈ L, when interacting on a common input x, the prover P convinces the verifier with probability at least 2/3.
  Soundness: For every x ∉ L, when interacting on the common input x, any prover strategy P* convinces the verifier with probability at most 1/3.

Zero Knowledge Proof
Let (P,V) be an interactive proof system for some language L. We say that (P,V), actually P, is zero-knowledge if for every probabilistic polynomial-time ITM V* there exists a probabilistic polynomial-time machine M* s.t. for every x ∈ L holds { (x)} x  L  {M * (x)} x  L
Machine M* is called the simulator for the interaction of V* with P.

Perfect Zero Knowledge
Definition: Let (P,V) be an interactive proof system for some language L. We say that (P,V), actually P, is perfect zero-knowledge (PZK) if for every probabilistic polynomial-time ITM V* there exists a probabilistic polynomial-time machine M* s.t. for every x ∈ L the distributions {⟨P,V*⟩(x)}_{x∈L} and {M*(x)}_{x∈L} are identical, i.e.,
{⟨P,V*⟩(x)}_{x∈L} ≡ {M*(x)}_{x∈L}

Statistical Zero Knowledge
Definition: Let (P,V) be an interactive proof system for some language L. We say that (P,V), actually P, is statistical zero-knowledge (SZK) if for every probabilistic polynomial-time verifier V* there exists a probabilistic polynomial-time machine M* s.t. the ensembles {⟨P,V*⟩(x)}_{x∈L} and {M*(x)}_{x∈L} are statistically close.

Definition (cont.): The distribution ensembles {A_x}_{x∈L} and {B_x}_{x∈L} are statistically close, or have negligible variation distance, if for every polynomial p(·) there exists an integer N such that for every x ∈ L with |x| ≥ N holds:
Σ_α |Pr[A_x = α] – Pr[B_x = α]| < p(|x|)^-1

Computational Zero Knowledge
Definition: Let (P,V) be an interactive proof system for some language L. (P,V), actually P, is computational zero-knowledge (CZK) if for every probabilistic polynomial-time verifier V* there exists a probabilistic polynomial-time machine M* s.t. the ensembles {⟨P,V*⟩(x)}_{x∈L} and {M*(x)}_{x∈L} are computationally indistinguishable.

Definition: Two ensembles {A_x}_{x∈L} and {B_x}_{x∈L} are computationally indistinguishable if for every probabilistic polynomial-time distinguisher D and for every polynomial p(·) there exists an integer N such that for every x ∈ L with |x| ≥ N holds:
|Pr[D(x,A_x) = 1] – Pr[D(x,B_x) = 1]| < p(|x|)^-1

Graph Isomorphism problem
Definition (Graph Isomorphism): two graphs G_0 = (V_0,E_0) and G_1 = (V_1,E_1) are isomorphic ⇔ ∃ permutation φ s.t. (u,v) ∈ E_0 ⇔ (φ(u),φ(v)) ∈ E_1.
If G_0 and G_1 are isomorphic and φ is an isomorphism between G_0 and G_1 we write G_1 = φ(G_0).

Graph Isomorphism problem: Given two graphs G_1 and G_2, are they isomorphic?
Lemma: GI ∈ ZK
Proof: Zero Knowledge Interactive Proof for GI.

Zero Knowledge Interactive proof for Graph Isomorphism
1. Repeat the following n times:
2. The prover chooses a random permutation π of (1…n), computes H = π(G_1) and sends it to the verifier.
3. The verifier chooses randomly i = 1 or 2 and sends it to the prover.
4. The prover chooses a permutation σ s.t. H = σ(G_i). If i = 1 the prover sends π to the verifier, otherwise the prover sends π∘φ^-1 (φ is the isomorphism between G_1 and G_2).
5. The verifier checks if H is the image of G_i under σ.
6. The verifier accepts if H is the image of G_i in all n rounds.

Message flow:
Prover → Verifier: H = π(G_1)
Verifier → Prover: i = 1, 2
Prover → Verifier: π or π∘φ^-1
Verifier: checks if H is the image of G_i

Building simulator M* for graph isomorphism problem
We will define simulator M* as follows:
Input: (G_0, G_1) ∈ ISO
1. Randomly chooses a random string RANDOM and puts it on the random tape of verifier V*.
2. Randomly chooses a ∈ {0,1} and a permutation π, constructs H = π(G_a) and sends H to V*.
3. Receives b from V*. If b ∉ {0,1} then outputs {RANDOM, H, b} and STOP. If a = b then outputs {RANDOM, H, b, π} and STOP; else GOTO 1.
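
The graph isomorphism protocol and its simulator M* from the slides above, as an added Python example that is not part of the original presentation. It assumes graphs are stored as sets of undirected edges, indexes the two graphs 1 and 2 in both parts, and models V* as a deterministic function of H (its random tape already fixed); all function names and the sample graphs are constructed for illustration.

```python
import random

def permute(perm, graph):
    """Image of an undirected graph (a set of 2-vertex edges) under perm (a dict)."""
    return frozenset(frozenset(perm[v] for v in e) for e in graph)

def compose(outer, inner):
    return {v: outer[inner[v]] for v in inner}

def inverse(perm):
    return {w: v for v, w in perm.items()}

def random_perm(n, rng):
    image = list(range(n))
    rng.shuffle(image)
    return dict(enumerate(image))

def run_protocol(g1, g2, phi, n, rng, rounds):
    """Prover claims g2 = phi(g1); returns the verifier's verdict over all rounds."""
    for _ in range(rounds):
        pi = random_perm(n, rng)                 # prover: random pi, H = pi(G1)
        h = permute(pi, g1)
        i = rng.choice((1, 2))                   # verifier: random challenge
        sigma = pi if i == 1 else compose(pi, inverse(phi))
        if permute(sigma, g1 if i == 1 else g2) != h:   # verifier: H = sigma(G_i)?
            return False
    return True

def simulate(g1, g2, n, rng, verifier):
    """Simulator M*: has no isomorphism; guesses a, commits, restarts if b != a."""
    while True:
        a = rng.choice((1, 2))
        pi = random_perm(n, rng)
        h = permute(pi, g1 if a == 1 else g2)
        b = verifier(h)                          # V* may pick b as a function of H
        if b not in (1, 2):
            return (h, b)
        if a == b:
            return (h, b, pi)                    # same shape as a real transcript

# Constructed sample: a 4-vertex path and an isomorphic copy under PHI.
G1 = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3)])
PHI = {0: 2, 1: 0, 2: 3, 3: 1}
G2 = permute(PHI, G1)
```

The simulator's output passes the same check the verifier applies to a real round, although it was produced without knowing PHI.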

Zero-Knowledge Password Proofs
1. The prover finds two large prime numbers p and q and sends n = pq to the verifier.
2. r is a random number in [n, n^4]. The prover sends x^2 mod n and r^2 mod n to the verifier.
3. The verifier then randomly asks for r or xr and checks the prover.

Message flow:
Prover → Verifier: n = pq, x^2 mod n, r^2 mod n
Verifier → Prover: asks for xr or r
Prover → Verifier: xr or r
Verifier: checks the prover
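
One way to write out the check in step 3, as an added Python example that is not part of the original presentation. It assumes the verifier squares the answer and compares it with r^2 mod n (when it asked for r) or with x^2 · r^2 mod n (when it asked for xr); the function names and the toy-sized modulus are constructed for illustration.

```python
import random

def prover_commit(n, rng):
    """Step 2: fresh r from [n, n^4]; returns r and the value r^2 mod n to send."""
    r = rng.randrange(n, n ** 4 + 1)
    return r, pow(r, 2, n)

def prover_answer(x, r, ask_xr):
    """Step 3, prover side: reveal r or x*r, never x itself."""
    return x * r if ask_xr else r

def verifier_check(n, x_sq, r_sq, ask_xr, answer):
    """Step 3, verifier side: r squares to r^2; x*r squares to x^2 * r^2 (mod n)."""
    expected = x_sq * r_sq % n if ask_xr else r_sq
    return pow(answer, 2, n) == expected

def run(n, x_registered, x_claimed, rounds, rng):
    """Number of accepted rounds when the prover answers using x_claimed."""
    x_sq = pow(x_registered, 2, n)      # the x^2 mod n the verifier holds
    accepted = 0
    for _ in range(rounds):
        r, r_sq = prover_commit(n, rng)
        ask_xr = rng.random() < 0.5     # verifier's random question
        answer = prover_answer(x_claimed, r, ask_xr)
        accepted += verifier_check(n, x_sq, r_sq, ask_xr, answer)
    return accepted

# Constructed toy parameters (real primes would be far larger).
N = 61 * 53
X = 1234
```

With the right x every round is accepted; with a wrong x only the rounds where the verifier asked for r pass, so repeated rounds expose the mismatch.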

NP and Zero Knowledge proofs
Lemma: NP ⊆ ZK
Proof: 3col ∈ ZK.

Zero Knowledge proof for 3col problem
1. The prover randomly chooses a permutation π, computes π(c(v)), puts the values in envelopes and sends them to the verifier.
2. The verifier chooses randomly (u,v) ∈ E and opens the envelopes. If the colors are different and legal he answers “yes”.

Message flow:
Prover: chooses permutation π
Prover → Verifier: π(c(v)) in envelopes
Verifier: chooses (u,v) ∈ E, opens the envelopes, checks that the colors are different

ZK protocol for Co-SAT
Transform the CNF to a polynomial by these transformation rules:
1. T → positive value
2. F → 0
3. X_i → X_i
3. ¬X_i → (1 – X_i)
4. OR → +
5. AND → ·

The protocol:
1. The prover selects a prime number q > 2^n · 3^m and sends it to the verifier.
2. The verifier checks that q is prime. If q isn’t prime it halts and rejects.
3. v_0 is initialized at value zero. The prover does the following for i = 1…n: the prover computes a polynomial P_i whose degree is at most m. The construction of P_i:
P_1(x) = Σ_{x_2=0,1} … Σ_{x_n=0,1} p(x, x_2, …, x_n)
P_2(x) = Σ_{x_3=0,1} … Σ_{x_n=0,1} p(r_1, x, x_3, …, x_n)
P_n(x) = p(r_1, …, r_{n-1}, x)
The prover puts polynomial P_i in envelopes and sends them to the verifier.
4. The prover moves to the next stage (i = i+1).
5. We know that the verifier will accept if ∃ r_1 … r_i … r_n s.t. P_i(0) + P_i(1) = v_{i-1} mod q. Since checking each assignment is polynomial this problem is in NP. We can now do a reduction from any NP problem to 3col ∈ ZK.
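
The arithmetization rules and the round check P_i(0) + P_i(1) = v_{i-1} mod q above, run in the clear as an added Python example that is not part of the original presentation. It leaves out the envelopes and assumes the usual sum-check completion the slides do not spell out: the verifier draws r_i at random, sets v_i = P_i(r_i), and finally compares v_n with p(r_1, …, r_n). Function names and the two sample formulas are constructed.

```python
import itertools
import random

def p(cnf, xs, q):
    """Arithmetized CNF: literal k > 0 -> x_k, k < 0 -> (1 - x_k), OR -> +, AND -> *."""
    out = 1
    for clause in cnf:
        out = out * sum(xs[k - 1] if k > 0 else 1 - xs[-k - 1] for k in clause) % q
    return out

def prover_poly(cnf, n, q, prefix):
    """P_i as its values at x = 0..m: fix r_1..r_{i-1}, sum p over Boolean x_{i+1}..x_n."""
    rest = n - len(prefix) - 1
    return [sum(p(cnf, prefix + [x] + list(tail), q)
                for tail in itertools.product((0, 1), repeat=rest)) % q
            for x in range(len(cnf) + 1)]

def evaluate(values, r, q):
    """Value at r of the degree <= m polynomial given by its values at 0..m (Lagrange)."""
    total = 0
    for j, vj in enumerate(values):
        num = den = 1
        for k in range(len(values)):
            if k != j:
                num, den = num * (r - k) % q, den * (j - k) % q
        total = (total + vj * num * pow(den, -1, q)) % q
    return total

def verify_unsat(cnf, n, q, rng, prover=prover_poly):
    """Verifier: True iff every round check and the final evaluation check pass."""
    v, rs = 0, []                          # v_0 = 0: claimed sum over all assignments
    for _ in range(n):
        poly = prover(cnf, n, q, rs)
        if (poly[0] + poly[1]) % q != v:   # P_i(0) + P_i(1) = v_{i-1} mod q
            return False
        r = rng.randrange(q)               # assumption: verifier's random r_i
        v = evaluate(poly, r, q)           # assumption: v_i = P_i(r_i)
        rs.append(r)
    return v == p(cnf, rs, q)              # assumption: final check against p itself

# Constructed sample: n = 2 variables, prime q = 331 > 2^2 * 3^4 = 324.
UNSAT = [(1, 2), (1, -2), (-1, 2), (-1, -2)]   # all four sign patterns: unsatisfiable
SAT = [(1, 2), (1, -2), (-1, 2)]               # satisfied by x1 = x2 = 1
Q = 331
```

For the satisfiable formula the honest P_1 already fails the first check, and a prover that sends all-zero polynomials instead is caught by the final comparison with p.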

ZK protocol for Graph non isomorphism
Definition (Graph non Isomorphism): given two graphs G_0 = (V_0,E_0) and G_1 = (V_1,E_1), (G_0, G_1) ∈ GNI ⇔ there is no permutation φ s.t. (u,v) ∈ E_0 ⇔ (φ(u),φ(v)) ∈ E_1.

1. The verifier chooses randomly a number i ∈ {0,1}. The verifier chooses a random permutation π and computes H = π(G_i). Then the verifier chooses randomly j ∈ {0,1}. The verifier creates the pair of graphs (H_0, H_1) such that:
   if j = 0: H_0 is a permutation of G_0, H_1 is a permutation of G_1
   if j = 1: H_0 is a permutation of G_1, H_1 is a permutation of G_0
   The verifier sends H and the pair (H_0, H_1).
2. The prover chooses randomly b ∈ {0,1}. The prover sends b to the verifier. If b = 0 then the verifier sends the prover the isomorphism between (G_0, G_1) and (H_0, H_1). If b = 1 the verifier sends the prover the isomorphism between H and (H_0, H_1).
3. The prover checks that the right isomorphism is sent, otherwise it stops. The prover computes b such that G_b is isomorphic to H and sends b to V. If there is no such b, the prover sends a random b.
4. The verifier accepts if j = b.

Message flow:
Verifier: 1. i ∈ {0,1}  2. H = π(G_i)  3. sends H and the pair (H_0, H_1)
Verifier → Prover: 1. isomorphism between (G_0, G_1) and (H_0, H_1), OR 2. isomorphism between (H_0, H_1) and H
Prover: checks the isomorphism, computes b
Verifier: checks that j = b

ZK protocol for Graph non isomorphism
Lemma: GNI ∈ PZK
Proof: building M* s.t. {⟨P,V*⟩(x)}_{x∈L} ≡ {M*(x)}_{x∈L}
1. The machine M* takes a random string of bits and puts it on a random tape.

M_V* does the following n times:
2. M_V* waits to get H and the pair (H_0, H_1) from V*.
3. M_V* chooses a random b.
4. M_V* gets from V* the isomorphism between H and (H_0, H_1) and (G_0, G_1). M_V* checks it; if it is not the right isomorphism it stops.

Otherwise:
1. Returns V* to the point after H and (H_0, H_1) were received.
2. Chooses b’ again and sends it to V*.
3. Waits to get I’ from V* (I’: the isomorphism received from V*).

If b’ ≠ b then M_V* finds the isomorphism from I and I’, from G_0, G_1 to (H_0, H_1) and from (H_0, H_1) to H. The machine uses this information to find the isomorphism from H to G_0, G_1. The machine M_V* uses this information to compute V* and sends it to V*.