1 Zero-Knowledge Proofs Ben Hosp

2 Classical Proofs A proof is an argument for the truth or correctness of an assertion. A classical proof is an unambiguous demonstration that a statement is true or false.

3 Classical Proof Systems Suppose we have a language of assertions and proofs over some finite alphabet. Let L be the language of true assertions, that is, assertions that have proofs. We can define a classical proof system for L as an algorithm V such that: True assertions have proofs: if x is in L, then a proof p exists such that V(x,p) = 1 (the Completeness property). False assertions have no proofs: if y is not in L, then for all p* in the proof language, V(y,p*) = 0 (the Soundness property). For all x in the assertion language and p in the proof language, V(x,p) halts in polynomial time (the Efficiency property).

4 Graph Isomorphism G = ([n],E). Perm(G) = ([n], E’), where E’ = {(Perm(u), Perm(v)): (u,v) is in E}. If, for graphs G and H, there exists a permutation Perm such that Perm(G) = H, then G and H are isomorphic and Perm is an isomorphism between G and H.

5 Classical Proof System for Graph Isomorphism

    V(Graph G, Graph H, Permutation p) {
        if (p(G) == H) {   // O(|[n]|) time
            return 1;      // accept the proof
        } else {
            return 0;      // reject the proof
        }
    }

6 NP A review: NP is the class of problems which can be solved with a nondeterministic-polynomial algorithm.

    for each i in 1…answer.size
    G:  answer[i] = guess(i);      // magically provides the next bit of the answer
        if (!verify(answer, i))    // checks that answer is correct so far in polynomial time
            goto G;
        end if
    end for

7 Classical Proofs are NP So NP is exactly the class of languages with classical proof systems. If we have an assertion, we can verify any proof for it in polynomial time. The problem “Is x in L?” is in NP.

8 What Is A Proof?

9 What Do You Learn From A Proof? A lot more than the truth of an assertion. You learn enough to convince others of the truth of that assertion. The “classical” way to prove “There exists x...” is to provide an example of x. What if you want to prove “There exists x” or “I know x” without telling you x or (ideally) any information about x?

10 Ali Baba’s Cave There is a magic cave like this: But Ali Baba knows there is a secret door here: Ali Baba knows the cave is a loop, but no one else does.

11 Ali Baba’s Cave How can Ali Baba prove to you that the magic door exists? Classical proof would give away the secret. But Ali Baba can convince you the door exists by having you watch him go down one tunnel and come out the other. We need a new class of proofs.

12 Interactive Proofs Interactive proofs are based on the interaction between a prover P and a verifier V. P wants to prove something to the verifier. An interaction protocol is a pair of functions mapping strings to strings. In other words, it defines the messages P will send V and V will send P in terms of the last received message. In general, P will give V some commitment, then V will randomly make some sort of challenge to P, and then reject or accept the proof based on P’s response.

13 Probabilistic Proofs Proofs based on interactive protocols are probabilistic. There is generally a chance that the Verifier will reject some valid proofs or accept some invalid ones. We can define a probabilistic proof system for L as an interactive protocol (P,V) such that: For all x in the assertion language, (P,V)(x) halts in polynomial time (the Efficiency property). If x is in L, then (P,V)(x) accepts with probability at least  (the Completeness property). If y is not in L, then (P,V)(y) accepts with probability at most  (the Soundness property). Where 1 >=  >  >= 0 We can repeat such a proof multiple times to make the chance of false positive or negative negligible.

14 IP IP is the class of languages with Interactive (Probabilistic) proofs. NP is a subset of IP: P can send V a classical proof to check. IP is thought to be a strict superset of NP.

15 Graph Non-Isomorphism No classical proof system is known for the question of whether graphs G and H are non-isomorphic. We can check all possible permutations of G but this takes exponential time. Observations on this problem: Let ICP(G) be the set of isomorphic copies of G. If G and H are non-isomorphic, then ICP(G) and ICP(H) are disjoint. If G and H are isomorphic, then it is impossible to tell a random selection from ICP(G) and a random selection from ICP(H) apart, because ICP(G) = ICP(H).

16 Interactive Proof System for Graph Non-Isomorphism Suppose we have G_0 = ([n],E_0) and G_1 = ([n],E_1). V randomly selects C = G_0 or G_1, and a permutation p. V sends p(C) to P. P determines whether p(C) is an isomorphic copy of G_0 or G_1, and sends that back to V. If V receives the same graph as it chose, it accepts P’s proof that G_0 and G_1 are non-isomorphic, otherwise it rejects. P has demonstrated the ability to tell the difference between elements of ICP(G_0) and ICP(G_1).
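
The protocol on slide 16, simulated end to end as an added example (not part of the original slides). The function names and the three 4-vertex sample graphs are constructed for illustration, and the prover simply enumerates ICP(G) by brute force, which is allowed because P is not time-bounded.

```python
import itertools, random

def graph(pairs):
    """Undirected graph on [n] as a set of 2-element frozensets."""
    return frozenset(frozenset(p) for p in pairs)

def permute(edges, perm):
    """p(G): relabel every endpoint u as perm[u]."""
    return frozenset(frozenset(perm[u] for u in e) for e in edges)

def icp(edges, n):
    """ICP(G): all isomorphic copies of G. Takes n! steps; P is not time-bounded."""
    return {permute(edges, p) for p in itertools.permutations(range(n))}

def prover_answer(challenge, g0, g1, n, rng):
    """P names the graph the challenge is a copy of, guessing when it cannot tell."""
    in0, in1 = challenge in icp(g0, n), challenge in icp(g1, n)
    if in0 != in1:
        return 0 if in0 else 1
    return rng.randrange(2)        # ICP(G_0) = ICP(G_1): the copy carries no hint

def run(g0, g1, n, rounds, rng):
    """V's side of the protocol; returns how many rounds V accepted."""
    accepted = 0
    for _ in range(rounds):
        c = rng.randrange(2)                       # V's secret choice of G_0 or G_1
        perm = list(range(n))
        rng.shuffle(perm)                          # V's random permutation p
        answer = prover_answer(permute((g0, g1)[c], perm), g0, g1, n, rng)
        accepted += answer == c
    return accepted

# Constructed 4-vertex samples: a path, a star, and a relabelled copy of the path.
PATH = graph([(0, 1), (1, 2), (2, 3)])
STAR = graph([(0, 1), (0, 2), (0, 3)])
PATH2 = graph([(2, 0), (0, 3), (3, 1)])
```

With PATH and STAR every round is accepted; with PATH and PATH2 the prover can only guess, so about half the rounds fail.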

17 Zero-Knowledge Proofs P is going to prove an assertion to V without giving V any information other than the truth of the assertion. In other words, V can simulate a proof of the assertion and get something that is computationally indistinguishable from a proof V actually got from P. V does not even learn enough to prove the assertion to another party.

18 NP is a subset of ZP Every language with a classical proof system has a zero-knowledge proof system. Consider the graph 3-coloring problem: for G=([n],E), we can define C:[n]->{R,G,B} such that if (x,y) is in E, C(x) is different from C(y). A classical proof that a graph has a 3-coloring is such a 3-coloring. How can we prove a 3-coloring exists without revealing any information about it?

19 Zero-Knowledge Proof System for Graph 3-coloring G=([n],E). P knows that C is a 3-coloring of G. V randomly chooses (x,y) in E and sends it to P. P sends C(x) and C(y) to V. V rejects if C(x) = C(y) and accepts otherwise.

20 Zero-Knowledge Proof System for Graph 3-coloring G=([n],E). P knows that C is a 3-coloring of G. For each vertex v in [n], P encrypts its color with a key K_v, and sends E_{K_v}(C(v)) to V. V randomly chooses (x,y) in E and sends it to P. P sends K_x and K_y to V. V rejects if D_{K_x}(E_{K_x}(C(x))) = D_{K_y}(E_{K_y}(C(y))), and accepts otherwise.

21 Zero-Knowledge Proof System for Graph 3-coloring G=([n],E). P knows that C is a 3-coloring of G. P randomly chooses p, a permutation of {R,G,B}. Clearly p(C) = C’ is also a 3-coloring of G. For each vertex v in [n], P encrypts its color with a key K_v, and sends E_{K_v}(C’(v)) to V. V randomly chooses (x,y) in E and sends it to P. P sends K_x and K_y to V. V rejects if D_{K_x}(E_{K_x}(C’(x))) = D_{K_y}(E_{K_y}(C’(y))), and accepts otherwise.

22 Zero-Knowledge Proof System for Graph 3-coloring Since p(C)=C’ is a proper 3-coloring of G, C’(x) will never equal C’(y) if x and y are adjacent. If C is not a proper 3-coloring of G, C’(x) will sometimes equal C’(y) when x and y are adjacent. We can repeat this protocol enough times to make the chance of false acceptance or rejection negligible. V has learned whether a 3-coloring of G exists, but nothing about it. The only information V has received from P is 2 distinct colors. V could have generated that information on its own.
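
The protocol of slides 21 and 22 as an added, runnable example (not part of the original slides). It swaps the slides' encryption E_{K_v} for a SHA-256 hash commitment keyed with a random 16-byte K_v, which is an assumption of this example; the function names, the sample graph and both colorings are constructed for illustration.

```python
import hashlib, random, secrets

COLORS = "RGB"

def seal(color, key):
    """Stand-in for E_{K_v}: a hash commitment that binds `color` to `key`."""
    return hashlib.sha256(key + color.encode()).digest()

def prover_commit(coloring, rng):
    """P: pick a random permutation p of the colors, then seal C'(v) = p(C(v))."""
    p = dict(zip(COLORS, rng.sample(COLORS, 3)))
    openings = {v: (p[c], secrets.token_bytes(16)) for v, c in coloring.items()}
    sealed = {v: seal(c, k) for v, (c, k) in openings.items()}
    return sealed, openings

def verifier_check(sealed, edge, opened):
    """V: both openings must match what was sealed, and the colors must differ."""
    for v in edge:
        color, key = opened[v]
        if color not in COLORS or seal(color, key) != sealed[v]:
            return False
    (cx, _), (cy, _) = opened[edge[0]], opened[edge[1]]
    return cx != cy

def run_round(edges, coloring, rng):
    """One round; returns (accepted, the two colors V saw)."""
    sealed, openings = prover_commit(coloring, rng)   # P -> V: one seal per vertex
    edge = rng.choice(edges)                          # V -> P: random (x, y) in E
    opened = {v: openings[v] for v in edge}           # P -> V: openings for x, y only
    return verifier_check(sealed, edge, opened), tuple(opened[v][0] for v in edge)

def prove(edges, coloring, rounds, rng):
    """Index of the first rejected round, or None if V accepted every round."""
    for i in range(rounds):
        if not run_round(edges, coloring, rng)[0]:
            return i
    return None

def colors_seen(edges, coloring, rounds, rng):
    """Everything V learns across rounds: the set of opened color pairs."""
    return {run_round(edges, coloring, rng)[1] for _ in range(rounds)}

# Constructed sample: a 5-vertex graph, a proper coloring, and one with 4 recolored.
EDGES = [(0, 1), (1, 2), (2, 0), (2, 3), (3, 4), (4, 0)]
GOOD = {0: "R", 1: "G", 2: "B", 3: "R", 4: "G"}
BAD = {**GOOD, 4: "R"}
```

The seal has to be binding: if P could open one seal to two different colors, it could answer any challenge without knowing a 3-coloring. Because of the fresh permutation each round, `colors_seen` on GOOD converges to all six ordered pairs of distinct colors, which V could have sampled without P.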

