Embed Size (px)
Citation preview
Digest of
Foundations of Cryptography: Basic Tools
A few words
“Foundations of Cryptography: Basic Tools” is a book using the most rigorousformal treatment to some cryptography foundation problems that I have everread. Furthermore, the book uses a universal notation to present the materialsthat enables the readers to follow a coherent formalizing method. These arethe extreme good aspects of the book. However, it is really not easy to followthe author’s flow, possibly because the book covers too many materials in thelimited space and many subtle points are explained as comments.
Because I think that one of the most important goals of reading this book is tounderstand the foundation problems intuitively, then be able to understand theformal models of these problems and finally be able to formalize new problems,I made a digest of the book which merely lifts the formal definitions and someconstructions from the book, but with a few comments and extensions, speciallyin the zero-knowledge chapter. Note that the “hybrid” proof method and thereduction methodology used in the book are also very important.
As this digest just includes some notes I made when I was reading this wonderfulbook (some parts of the digest marked by ♣ are still missing), I do not knowany meaning of it to you. I upload the file online just because I do not want tobury the file in my computer forever. If you could find that this digest is helpfulto you in some way, I would be extremely delighted.
I do NOT own the copyright of this digest and I am NOT responsible for anyconsequence of distributing this digest.
Of course, all the error in this digest are mine.
Zhaohui [email protected] 3, 2004
1
Contents
1 Preliminaries 41.1 Some Background from Probability Theory . . . . . . . . . . . . 41.2 The Computational Model . . . . . . . . . . . . . . . . . . . . . . 5
1.2.1 P,NP,NP − CO,NPC . . . . . . . . . . . . . . . . . . . 51.2.2 Randomized Algorithms . . . . . . . . . . . . . . . . . . . 6
2 Computation Difficulty 92.1 One-Way Functions . . . . . . . . . . . . . . . . . . . . . . . . . . 92.2 One-Way Functions as Collections . . . . . . . . . . . . . . . . . 132.3 Hard-Core Predicates . . . . . . . . . . . . . . . . . . . . . . . . 152.4 One-Way Predicates . . . . . . . . . . . . . . . . . . . . . . . . . 162.5 ♣Computation Difficulty Assumptions and Related Bit Security
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
3 Pseudorandom Generators 193.1 Computational Indistinguishability . . . . . . . . . . . . . . . . . 193.2 Pseudorandom Generators . . . . . . . . . . . . . . . . . . . . . . 213.3 Pseudorandom Generator Constructor . . . . . . . . . . . . . . . 233.4 Pseudorandom Functions . . . . . . . . . . . . . . . . . . . . . . 253.5 Psuedorandom Permutations . . . . . . . . . . . . . . . . . . . . 283.6 Two Different Views on Using Pseudorandom Functions . . . . . 30
4 Zero-Knowledge Systems 334.1 About Knowledge and Its Proof . . . . . . . . . . . . . . . . . . . 334.2 Interactive Proof Systems . . . . . . . . . . . . . . . . . . . . . . 334.3 Construction Tools: Commitment Schemes . . . . . . . . . . . . 38
4.3.1 Computationally Hiding and Perfectly Binding Commit-ments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
4.3.2 Perfectly Hiding and Computationally Binding Commit-ments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
4.3.3 Non-Oblivious Perfectly Binding and Computationally Hid-ing Commitments . . . . . . . . . . . . . . . . . . . . . . 43
4.3.4 Two-Sender Commitments . . . . . . . . . . . . . . . . . 444.3.5 Commitments with Poly-Logarithm Efficiency . . . . . . . 46
2
4.3.6 Commitments with Trapdoor . . . . . . . . . . . . . . . . 464.3.7 Commitments with Extraction . . . . . . . . . . . . . . . 47
4.4 Zero-Knowledge Proofs . . . . . . . . . . . . . . . . . . . . . . . . 494.4.1 Simulation Paradigm . . . . . . . . . . . . . . . . . . . . . 494.4.2 Define Zero-Knowledge Proof Systems . . . . . . . . . . . 50
4.5 Zero-Knowledge Proofs for NP . . . . . . . . . . . . . . . . . . . 564.6 Negative Results Related to Zero-Knowledge Proofs . . . . . . . 584.7 The Simulation Paradigm: Black-Box and Non-Black-Box Simu-
lators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594.7.1 Black-Box Zero-Knowledge . . . . . . . . . . . . . . . . . 594.7.2 Non-black-box Simulator . . . . . . . . . . . . . . . . . . 61
4.8 Computationally Sound Proofs: Arguments . . . . . . . . . . . . 634.9 Constant-Round Zero-Knowledge Protocols . . . . . . . . . . . . 64
4.9.1 Constant-Round Zero-knowledge Proofs . . . . . . . . . . 654.9.2 Constant-Round Zero-knowledge Arguments . . . . . . . 67
4.10 Witness Indistinguishability and Hiding . . . . . . . . . . . . . . 684.10.1 Witness Indistinguishability . . . . . . . . . . . . . . . . . 694.10.2 Witness Hiding . . . . . . . . . . . . . . . . . . . . . . . . 70
4.11 Composition of Zero-Knowledge Systems . . . . . . . . . . . . . . 724.11.1 Parallel Composition . . . . . . . . . . . . . . . . . . . . . 724.11.2 Concurrent Composition . . . . . . . . . . . . . . . . . . . 73
4.12 Proofs of Knowledge . . . . . . . . . . . . . . . . . . . . . . . . . 744.12.1 Definitions and Examples . . . . . . . . . . . . . . . . . . 744.12.2 Application of Proofs of Knowledge . . . . . . . . . . . . 79
4.13 Non-Interactive Zero-Knowledge . . . . . . . . . . . . . . . . . . 824.14 Multi-Prover Zero-Knowledge Proofs . . . . . . . . . . . . . . . . 854.15 Ressetable Zero-knowledge . . . . . . . . . . . . . . . . . . . . . . 874.16 ♣Knowledge Complexity . . . . . . . . . . . . . . . . . . . . . . . 89
3
Chapter 1
Preliminaries
1.1 Some Background from Probability Theory
• Expectation: E(X) =∑
v Pr[X = v] · v.
• Variance: V ar(X) = E[(X − E(X))2].
• Markov Inequality: Let X be a non-negative random variable and v areal number. Then
Pr[X ≥ v] ≤ E(X)v
Equivalently, Pr[X ≥ r · E(X)] ≤ 1r .
• Chebyshev’s Inequality: Let X be a random variable, and δ > 0. Then
Pr[|X − E(X)| ≥ δ] ≤ V ar(X)δ2
• Pairwise-Independent Sampling: Let X1, X2, . . . , Xn be pairwise in-dependent variables with the same expectation, denoted µ, and the samevariance, denoted σ2. Then, for every ε ≥ 0,
Pr[|∑n
i=1 Xi
n− µ| ≥ ε] ≤ σ2
ε2n
• Chernoff Bound: Let p ≤ 12 , and let X1, X2, . . . , Xn be independent
0-1 random variables, so that P [Xi = 1] = p for each i. Then for all ε,0 ≤ ε ≤ p(1− p), we have
Pr[|∑n
i=1 Xi
n− p| > ε] < 2 · e− ε2
2p(1−p) ·n
4
• Hoefding Inequality: Let X1, X2, . . . , Xn be n independent randomvariables with the same probability distribution, each ranging over the(real) interval [a, b] and let µ denote the expected value of each of thesevariables. Then, for every ε > 0,
Pr[|∑n
i=1 Xi
n− µ| > ε] < 2 · e− 2ε2
(b−a)2)·n
1.2 The Computational Model
1.2.1 P ,NP ,NP − CO,NPC• Complexity Class P: A language L is recognizable in (determinis-
tic) polynomial time if there exits a deterministic Turing machine Mand a polynomial p(·) such that
– on input a string x, machine M halts after all most p(x) steps, and
– M(x) = 1 if and only if x ∈ L.
P is the class of languages that can be recognized in (deterministic) poly-nomial time.
• Complexity Class NP: A language L is in NP if there exits a Booleanrelation RL ⊆ {0, 1}∗ × {0, 1}∗ and a polynomial p(·) such that RL canbe recognized in (deterministic) polynomial time, and x ∈ L if and onlyif there exits a y such that y ≤ p(x) and (x, y) ∈ RL. Such a y is called awitness for membership of x ∈ L.
• Complexity Class NP − CO: A language L is in NP if there exits aBoolean relation RL ⊆ {0, 1}∗ × {0, 1}∗ and a polynomial p(·) such thatRL can be recognized in (deterministic) polynomial time, and x /∈ L ifand only if there exits a y such that y ≤ p(x) and (x, y) ∈ RL. Such a yis called a witness for nonmembership of x /∈ L.
• NPC: A language is NP-complete if it is in NP and every languagein NP is polynomial reducible to it. A language L is polynomiallyreducible to a language L
′if there exists a polynomial-time-computable
function f such that x ∈ L if and only if f(x) ∈ L′.
• Remark on Polynomially Reducible: Assume that to solve a problemK, we can construct an algorithm F which uses algorithm B that solvesproblem T as a subroutine. If when regarding B as a basic operation unit,algorithm F is polynomial in basic operation unit, we say that problem Kis polynomially reducible to problem T .
• Relationship between P,NP,NPC,NP − CO:
1. P ⊆ NP; P ⊆ NP − CO;
5
2. NPC ⊂ NP;
3. P = ?NP; NP = ?NP − CO; P = ?NP ∩NP − CO.
• NP-hard: A problem is NP-hard if there exits some NP-complete prob-lem that polynomially reduces to it. (NP-hard problem is not restrictedto only decision problems, but needs to find the witness.)
1.2.2 Randomized Algorithms
• Zero-Sided Probabilistic Polynomial Time, ZPP: We say that L isrecognized by the zero-sided probabilistic polynomial-time Turingmachine M if
– for every x ∈ L, it holds that Pr[M(x) = 1] = 1, and
– for every x /∈ L, it holds that Pr[M(x) = 0] = 1.
• One-Sided Probabilistic Polynomial Time, RP: We say that L isrecognized by the one-sided probabilistic polynomial-time Turingmachine M if
– for every x ∈ L, it holds that Pr[M(x) = 1] ≥ 12 (or any constant ε),
and
– for every x /∈ L, it holds that Pr[M(x) = 0] = 1.
• Bounded Probabilistic Polynomial Time, BPP: We say that L isrecognized by the bounded probabilistic polynomial-time Turing ma-chine M if
– for every x ∈ L, it holds that Pr[M(x) = 1] ≥ 23 (Pr[M(x) = 0] ≤ 1
3 ),and
– for every x /∈ L, it holds that Pr[M(x) = 0] ≥ 23 (Pr[M(x) = 1] ≤ 1
3 ).
• Equivalent definition of BPP: L ∈ BPP if there exits a polynomialp(·) and a probabilistic polynomial-time machine M such that
– for every x ∈ L, it holds that Pr[M(x) = 1] ≥ 12 + 1
p(n) , and
– for every x /∈ L, it holds that Pr[M(x) = 0] ≥ 12 + 1
p(n) .
• Equivalent definition of BPP: For every L ∈ BPP and every poly-nomial p(·), there exits a probabilistic polynomial-time machine M suchthat
– for every x ∈ L, it holds that Pr[M(x) = 1] ≥ 1− 2−p(n), and
– for every x /∈ L, it holds that Pr[M(x) = 0] ≥ 1− 2−p(n).
• P ⊆ ZPP ⊆ RP ⊆ BPP; RP ⊆ NP; NP? ⊆ BPP.
6
• A cryptography problem is in NP because obviously it is easy to verify thesolution once found. As the problem in BPP has an efficient solution inpractice, and a cryptography problem is in NP, the basic requirement ofexisting sound cryptography is that there exits a problem in NP but notin BPP. However, the above requirement does not suffice. Cryptographyrequires that the used problem is hard to break on the average instead ofin the worst case.
• If NP is not contained in BPP then P 6= NP. And sufficiently strongone-way functions imply P = BPP, hence BPP ⊆ NP.
• Two Points of View on Randomized Algorithms: One way is thatgiven an input x, machine M tosses coins. Assume the number of cointosses made by M on input x is independent of their outcomes and isdenoted by tM (x). Denote the output of M on input x when r is theoutcome of M ’s internal coin tosses by Mr(x). Then
Pr[M(x) = y] =|{r ∈ {0, 1}tM (x) : Mr(x) = y}|
2tM (x)
The second view is that the outcome of internal coin tosses of the machineis an auxiliary input. Then machine M has two inputs: x as the originalinput and r uniformly chosen from {0, 1}tM (x) for x. Now the machine isdenoted by M(x, r).
• Non-Uniform Polynomial Time Machine (M, a): M is a two-inputpolynomial-time Turing machine and a = a1, a2 . . . is an infinite sequenceof strings such that |an| = poly(n) (this means that there exists a poly-nomial p such that |an| = p(n) for all n ∈ N). For every x, M has twoinput x and a|x|. Note that for all input x of the same length the secondinput a|x| to M is the same (i.e., a|x| is fixed). (For the uniform ran-domized algorithm, for different x, the coins are tossed independently).Intuitively a|x| may be useful in some cases, but it is unlikely to encodeenough information to be useful for all 2|x| x’s. However, we can finda polynomial in the length of input x larger enough that the randomstring with length bounded by the polynomial encodes enough informa-tion for almost all the inputs of the same length. On the other hand,we can regard the pair (M, (a1, a2, . . .)) as an infinite sequence of Turingmachines M1,M2, . . . such that Ma|x|(x) = M(x, a|x|) (because ai is fixedfor each i, then we rewrite the notation Mi as Mi = Mai = M(x, ai) with|x| = i. Thus Mi is only used for inputs with length i.). We also canconvert the machine sequence into a pair (U, (〈M1〉, 〈M2〉, . . .)) where U isa universal Turing machine and 〈Mn〉 is the description of machine Mn.(U(x, 〈M|x|〉) = M|x|(x) = Ma|x|(x))
• The complexity class non-uniform polynomial time (denoted P/poly) isthe class of languages L that can be recognized by a non-uniform sequence
7
of polynomial time machines. Namely, L ∈ P/poly if there exists aninfinite sequence of machines M1, M2, . . . satisfying the following:
1. There exists a polynomial p(·) such that for every n, the descriptionof machine Mn has length bounded above by p(n).
2. There exists a polynomial q(·) such that for every n, the running timeof machine Mn has length bounded above by q(n).
3. For every n and every x ∈ {0, 1}n, machine Mn will accept x if andonly if x ∈ L.
• BPP ⊆ P/poly. Hence assuming a problem cannot be solved by P/poly isa stronger assumption, and it implies that the problem cannot be solvedby a BPP machine. However, this theorem is only true in reasonablecases.
• Non-Uniform Circuit Families: A Boolean circuit is a directedacyclic graph with internal nodes marked by elements of {∨,∧,¬}. Nodeswith no in-going edges are called input nodes, and nodes with no out-going edges are called output nodes. The size of a circuit is the numberof its edges. A polynomial-size circuit family is an infinite sequenceof Boolean circuits C1, C2, . . . such that for every n, the circuit Cn hasn input nodes and size p(n), where p(·) is a polynomial fixed for the en-tire family. The computation of a Turing machine M on inputs of lengthn can be simulated by a single circuit with n input nodes having sizeO((|〈M〉| + n + t(n))2) where t(n) is a bound on the running time of Mon inputs of length n. The converse is also true.
8
Chapter 2
Computation Difficulty
(Public key) cryptography is about computation difficulty. Basically cryptogra-phy requires that given a problem instance from a pool, a legitimate principalwith auxiliary information can solve the problem easily (i.e., in polynomialtime), on the other hand, an adversary without the auxiliary information hasdifficulty to solve the problem (i.e., no probabilistic polynomial-time solution).And cryptography requires more. The sufficient condition of a cryptography is
1. Existence of efficient way to generate each problem instance and the re-lated auxiliary input.
2. The problem instance is easy to solve with the auxiliary input.
3. The instance is hard on average without auxiliary input.
The average hardness is captured by the notion One-Way Function (OWF)and the auxiliary input is defined as a Trapdoor.
2.1 One-Way Functions
• Strong One-Way Function: A function f : {0, 1}∗ → {0, 1}∗ is called(strong) one-way if the following two conditions hold:
1. Easy to compute: There exists a (deterministic) polynomial-timealgorithm A such that on input x algorithm A outputs f(x) (i.e.,A(x) = f(x)).
2. Hard to invert. For every probabilistic polynomial-time algorithmA′, every positive polynomial p(·), and all sufficiently large n′s (thereexists N , for every n > N)
Pr[A′(f(Un), 1n) ∈ f−1(f(Un))] <
1p(n)
9
The probability is taken over the possible value assigned to Un and all thepossible internal coin tosses of A′.
• A few remarks on the definition:
1. f(x) is not necessary 1-1 function and f−1(f(x)) denotes the pre-image set of f(x).
2. A′ only needs to find a pre-image of f(x), not necessarily x.
3. 1n is given to A′ just to make sure that A′ has enough time to makeeffort. Because the running time of A′ is bounded by a polynomial ofinput length and on the other hand it is possible that |f(x)| shrinksdramatically from |x| (e.g., |x| = log|f(x)|). If f(x) preserves thelength, then 1n is redundant.
4. The distribution of f(x) is not necessarily a uniform distribution onthe range of f . Even so, it still requires that A′ can only succeedwith negligible probability.
5. Both domain and range of f are infinitely large.
6. The probability of A′ is measured with respect to both the randomchoices made by A′ and the distribution of (main) input to A′ (i.e.,f(x)).
7. The average hardness of f is addressed by the uniform distributionrequirement of x ∈ Un.
8. The One-Way Function notion cannot be used directly in practice toguarantee the hardness of a problem. The definition doesn’t specifyany bound of the most important parameter n. In fact, n is varyingon different A′ and p(·). It captures the idea that given a smartestalgorithm A′, if an adversary tries to find the pre-image of x by run-ning A′ polynomial times which is bounded by a polynomial (p(|x|))of length of x, we always can thwart the adversary by extending theuniform domain of x to some size (n). The second condition guaran-tees that such n always exits. Hence n is decided by the estimationof A′’s ability and acceptable polynomial p(·).
9. The counter (reverse) definition of condition 2 is (non-negligible):There exists a probabilistic polynomial-time A′ and a positive poly-nomial p(·), such that there are infinitely many n’s (for every N ,there exists n > N),
Pr[A′(f(Un), 1n) ∈ f−1(f(Un))] ≥ 1− 1
p(n)
10. It is not clear whether OWF exists. But if OWF exits, that impliesP = BPP.
11. The probability as a function ε(n) of the input length n is negligibleif it is bounded above by every polynomial fraction. The function
10
µ : N → R is noticeable if there exists a polynomial p(·) such thatfor all sufficiently large n′s, it holds that µ(n) > 1
p(n) . Non-negligibleis different from noticeable. A function can be neither negligible nornoticeable.
• Weak One-Way Function: A function f : {0, 1}∗ → {0, 1}∗ is calledweakly one-way if the following two conditions hold:
1. Easy to compute: There exists a (deterministic) polynomial-timealgorithm A such that on input x algorithm A outputs f(x) (i.e.,A(x) = f(x)).
2. Slightly hard to invert. There exist a polynomial p(·) such that forevery probabilistic polynomial-time algorithm A′, and all sufficientlylarge n′s (there exists N , for every n > N)
Pr[A′(f(Un), 1n) /∈ f−1(f(Un))] >
1p(n)
• Let I be a polynomial-time-enumerable set, and let f be strongly(resp., weakly) one-way on lengths in I. Then we can construct a strongly(resp., weakly) one-way in the ordinary sense (i.e., the domain and rangeare infinitely large). g : {0, 1}∗ → {0, 1}∗ by g(x) = f(x′) where f is aone-way function on lengths in I and x = x′x′′ such that x′ is the longestprefix of x with length in I.)
• We can construct length-regular and length-preserving one-way func-tion from an ordinary one-way function. For length-regular construc-tion, f ′(x) = f(x)10p(|x|)−|f(x)| and for length-preserving constructionf ′′(x′x′′) = f ′(x′) where |x′x′′| = p(|x′|)+1. Note that f(x) is an one-wayfunction and |f(x)| ≤ p(|x|).
• Non-Uniformly Strong One-Way Function: A function f : {0, 1}∗ →{0, 1}∗ is called non-uniformly one-way if the following two conditionshold:
1. Easy to compute: There exists a (deterministic) polynomial-timealgorithm A such that on input x algorithm A outputs f(x) (i.e.,A(x) = f(x)).
2. Hard to invert. For every (even non-uniform) family of polynomial-size circuits{Cn}, every positive polynomial p(·), and all sufficientlylarge n′s (there exists N , for every n > N)
Pr[Cn(f(Un, 1n) ∈ f−1(f(Un))] <1
p(n)
• Constructing weakly one-way functions. We can construct a weaklyone-way function from any one-way function. This implies that weak
11
one-way functions exit (not all the one-way functions are strongly one-way). (Construction: g(p, x) = (p, f(x)) if p starts with log2|x| zeros, andg(p, x) = (p, x) otherwise. Note that |p| = |x|).
• Constructing a strong one-way function from a weak one. Weakone-way functions exist if and only if strong one-way functions exit. (Wecan construct a strong one-way function from a weak one-way function.This implies that not wall the one-way functions are weakly one-way.)
1. Construction 1.
g(x1, . . . , xt(n)) = f(x1), . . . , f(xt(n))
where |x1| = |x2| = · · · = |xt(n)| = n and t(n) = n · p(n) and 1/p(n)is the low-bound of any A’s failure probability to convert weakly one-way function f . Note that the input length of g is n2 · p(n). Theproof can be completed by a so called hybrid method.For i = 1 to t(n) do(a) Select uniformly and independently a sequence of strings x1, . . . , xt(n) ∈
{0, 1}n.(b) Compute (z1, . . . , zt(n)) ← B′(f(x1), . . . , f(xi−1), y, f(xi+1), . . . , f(xt(n))).(c) If f(zi) = y, then halt and output zi.
2. Construction 2. Let {Gn}n∈N be a family of d-regular graphs, sothat Gn has vertex set {0, 1}n and self-loops at every vertex. Con-sider a labelling of the edges incident to each vertex (using the labels1, 2, . . . , d). Define gl(x) to be the vertex reachable from vertex xby following the edge labelled l. Let f : {0, 1}∗ → {0, 1}∗ be a 1-1 length-preserving function, and let λ denote the empty sequence.Then for every k ≥ 0, x ∈ {0, 1}n and σ1, σ2, . . . , σk ∈ {1, 2, . . . , d},define F (x, λ) = x and
F (x, σ1, σ2, . . . , σk) = σ1, F (gσ1(f(x)), σ2, . . . , σk)
That is,F (x, σ1, σ2, . . . , σk) = σ1, σ2, . . . , σk, y
wherey = gσk
(f(· · · (gσ2(f(gσ1(f(x)))) · · · ))Construction 2 is an efficient amplification of one-way function. Theefficiency can be evaluated by the following notion (quantitative one-wayness).
• Quantitative One-Wayness: Let T : N → N and ε : N → R bepolynomial-time-computable functions. A polynomial-time-computablefunction f : {0, 1}∗ → {0, 1}∗ is called ε(·)-one-way with respect to timeT (·) if for every algorithm A′, with running time bounded by T (·) an allsufficiently large n’s,
Pr[A′(f(Un)) /∈ f−1(f(Un))] > ε(n)
12
• Efficient Amplification. Let p(·) be a polynomial, and T : N → N func-tion. Suppose that f is polynomial-time-computable permutation thatis 1
p(·) -one-way with respect to time T (·). Then there exists a constantγ > 1, a polynomial q, and a polynomial-time-computable permutation Fsuch that for every polynomial-time-computable function ε : N → [0, 1],the function F is (1 − ε(·))-one-way with respect to time T ′ε(·), whereT ′ε(γ · n) = ε(n)2
q(n) T (n)
• There exists a polynomial-time-computable function that is (strongly)one-way if and only if one-way functions exit.
2.2 One-Way Functions as Collections
In practice, we always use functions with domain and range that are finite sets.
• Collection of Functions: A collection of functions consists of an infi-nite set of indices, denoted I, and a corresponding set of finite functions,denoted {fi}i∈I . That is, for each i ∈ I, the domain of the function fi,denoted Di, is a finite set.
• Collection of One-Way Functions: A collection of {fi : Di → {0, 1}∗}i∈I
is called strongly (resp. weakly) one-way if there exists three probabilis-tic polynomial-time algorithm I, D and F such that the following twoconditions hold:
1. Easy to sample and compute: The output distribution of algorithmI on input 1n is a random variable assigned in the set I ∩ {0, 1}n.The output distribution of algorithm D on input i ∈ I is a randomvariable assigned value in Di. On input i ∈ I and x ∈ Di, algorithmF always outputs fi(x).
2. Hard to invert: For every probabilistic polynomial-time algorithmA′, every positive polynomial p(·), and all sufficiently large n′s (thereexists N , for every n > N)
Pr[A′(f(Xn), In) ∈ f−1
In(fIn(Xn))] <
1p(n)
where In is a random variable describing the output distribution ofalgorithm I on input 1n, and Xn is a random variable describing theoutput of algorithm D on input In.
• A few remarks on the definition:
1. The output of I on input 1n can be with length of p(n) instead of n.
2. It is possible that I will fail but with negligible probability.
3. It is possible that the output of I not in I so long as the probabilitythat I(1n) /∈ I ∩ {0, 1}p(n) is a negligible function in n.
13
4. For some I, there exists an efficient algorithm to decide the member-ship of I, and there exists an efficient algorithm to decide whether ornot x ∈ Di given i ∈ I.
• Collection of Trapdoor Permutations: Let I : 1∗ → {0, 1}∗ × {0, 1}∗be a probabilistic algorithm, and let I1(1n) denote the first element ofthe pair output by I(1n). A tripe of algorithms, (I, D, F ) is called acollection of strong (resp., weak) trapdoor permutations if the followingtwo conditions hold:
1. The algorithms induce a collection of one-way permutations: Thetriple (I1, D, F ) constitutes a collection of strong (resp., weak) one-way permutations.
2. Easy to invert with trapdoor. There exists a (deterministic) polynomial-time algorithm denoted F−1, such that for every (i, t) in the rangeof I and for every x ∈ Di, it holds that F−1(t, fi(x)) = x.
• By relaxing the definition to allow some negligible failures, the reviseddefinition: Collection of Trapdoor Permutations: Let I ⊆ {0, 1}∗and In = I ∩ {0, 1}n. A collection of permutations with indices in I is aset {fi : Di → Di}i∈I such that each fi is 1-1 on the corresponding Di.Such a collection is called a trapdoor permutation if there exist four prob-abilistic polynomial algorithm I,D, F and F−1 such that the followingfive conditions hold:
1. Index and trapdoor selection: For every n,
Pr[I(1n) ∈ In × {0, 1}∗] > 1− 2−n
2. Selection in domain: For every n ∈ N and i ∈ In,(a) Pr[D(i) ∈ Di] > 1− 2−n
(b) Conditioned on D(i) ∈ Di, the output is uniformly distributedin Di. That is for every x ∈ Di,
Pr[D(i) = x|D(i) ∈ Di] =1|Di|
Thus, Di ⊆ ∪m≤ploy(|i|){0, 1}m. Without loss of generality, Di ⊆{0, 1}ploy(|i|)
3. Efficient evaluation: For every n ∈ N, i ∈ In and x ∈ Di, Pr[F (i, x) =fi(x)] > 1− 2−n.
4. Hard to invert: Let In be a random variable describing of the firstelement in the output of I(1n), and Xn = D(In).The uniform-complexity: For every probabilistic polynomial-timealgorithm A′, every positive polynomial p(cdot) and all sufficientlylarge n′s,
Pr[A′(In, fIn(Xn)) = Xn] <1
p(n)
14
The nonuniform-complexity: For every probabilistic polynomial-time circuits {Cn}n∈N , every positive polynomial p(·) and all suffi-ciently large n′s,
Pr[Cn(In, fIn(Xn)) = Xn] <1
p(n)
5. Inverting with trapdoor: For every n ∈ N , any pair (i, t) in the rangeof I(1n) such that i ∈ In and every x ∈ Di,
Pr[F−1(t, fi(x)) = x] > 1− 2−n
• Claw-Free Collections: A collection of claw-free collections consists ofan infinite set of indices, denoted I, two finite sets D0
i and D1i for each
i ∈ I, and two functions f0i and f1
i defined over D0i and D1
i , respec-tively. Such a collection is called claw-free if there exist three proba-bilistic polynomial-time algorithms I,D and F such that the followingconditions hold:
1. Easy to sample and compute: The random variable I(1n) is assignedvalues in the set I∩{0, 1}n. For each i ∈ I and σ ∈ {0, 1}, the randomvariable D(σ, i) is distributed over Dσ
i , and F (σ, i, x) = fσi (x) for
each x ∈ Dσi .
2. Identical range distribution: For every i in the index set I, the ran-dom variable f0
i (D(0, i)) and f1i (D(1, i)) are identically distributed.
3. Hard to form claws: A pair (x, y) satisfying f0i (x) = f1
i (y) is calleda claw for index i. Let Ci denote the set of claws for index i. It isrequired that for every probabilistic polynomial-time algorithm A′ ,every positive polynomial p(·) and all sufficiently large n’s,
Pr[A′(In) ∈ CIn ] <1
p(n)
where In is a random variable describing the output distribution ofalgorithm I on input 1n.
2.3 Hard-Core Predicates
• Hard-Core Predicate: A polynomial-time computable predicate b :{0, 1}∗ → {0, 1} is called a hard-core of a function f if for every proba-bilistic polynomial-time algorithm A′ , every positive polynomial p(·), andall sufficiently large n’s
Pr[A′(f(Un)) = b(Un)] <12
+1
p(n)
15
• Every strong one-way function has hard-core predicate. Let f bean arbitrary strong one-way function, and let g be defined by g(x, r) =(f(x), r), where |x| = |r|. Let b(x, r) denote the inner product mod 2 ofthe binary vectors x and r. Then the predicate b is a hard-core of thefunction g.
• Define εn = Pr[G(f(Xn), Rn) = b(Xn, Rn)]− 12 . Then
1. There exists a set Sn ⊆ {0, 1}n of cardinality at least εn
2 · 2n suchthat for every x ∈ Sn, it holds that
s(x) = Pr[G(f(x), Rn) = b(x,Rn)] ≥ 12
+εn
2
2. Let G be a probabilistic algorithm with running time tG : N → Nand advantage εn : N → [0, 1] in guessing b. The there exists analgorithm A that runs in time O(n2/εG(n)2) · tG(n) such that
Pr[A(f(Un)) = Un] ≥ εn
2· εG(n)2
4n
• Hard-Core Function: Let h : {0, 1}∗ → {0, 1}∗ be a polynomial-time-computable function satisfying |h(x)| = |h(y)| for all |x| = |y|, and letl(n) = |h(1n|. The function h is called a hard-core of a function f if forevery probabilistic polynomial-time algorithm D′, every positive polyno-mial p(·), and all sufficiently large n’s,
|Pr[D′(f(Xn), h(Xn)) = 1]− Pr[D′(f(Xn), Rl(n)) = 1]| < 1p(n)
where Xn and Rl(n) are two independent random variables, the first uni-formly distributed over {0, 1}n and the second uniformly distributed over{0, 1}l(n).
• Let f be an arbitrary strong one-way function, and let g2 be defined byg2(x, s) = (f(x), s), where |s| = 2|x|. Let bi(x, s) denote the inner productmod 2 of the binary vectors x and (si+1, . . . , si+n), where s = (s1, . . . , s2n).Then, for any constant c > 0, the function h(x, s) = b1(x, s) · · · bl(|x|)(x, s)is a hard-core of the function g2, where l(n) = min{n, dclog2ne}.
2.4 One-Way Predicates
• One-Way Predicate: A one-way predicate is a polynomial-time booleanfunction B : {0, 1}∗ → {0, 1} for which
1. Sampling is possible: There exists a probabilistic polynomial-timealgorithm D that on input v ∈ {0, 1} and 1n, selects a random x(D(v, 1n) = x) such that B(x) = v and |x| ≤ n.
16
2. Guessing is hard: For every probabilistic polynomial-time algo-rithm A′ , every positive polynomial p(·), and all sufficiently largen’s
Pr[A′(Xn) = B(Xn)] <12
+1
p(n)
• Trapdoor Predicate: A one-way predicate is a polynomial-time booleanfunction B : {0, 1}∗ → {0, 1} for which
1. Sampling is possible: There exists a probabilistic polynomial-timealgorithm D that on input v ∈ {0, 1} and 1n, selects a random x(D(v, 1n) = x) such that B(x) = v and |x| ≤ n.
2. Guessing is hard: For every probabilistic polynomial-time algo-rithm A′ , every positive polynomial p(·), and all sufficiently largen’s
Pr[A′(Xn) = B(Xn)] <12
+1
p(n)
3. Computing with trapdoor: There exists a polynomial-time algo-rithm N with the trapdoor tn, N(t,Xn) = B(Xn).
• Collection of One-Way Predicate: Let I be a set of indices and fori ∈ I let Di be finite. A collection of one-way predicates is a set B ={Bi : Di → {0, 1}}i∈I satisfying the following conditions. Let Dv
i = {x ∈Di, Bi(x) = v}. The following conditions hold:
1. There exists a probabilistic polynomial time algorithm I which oninput 1n finds i ∈ I ∩ {0, 1}n.
2. There exists a probabilistic polynomial time algorithm D which oninput i ∈ I and v ∈ {0, 1} finds x ∈ Di such that Bi(x) = v.
3. For every probabilistic polynomial time algorithm A, any polynomialp(·) and all sufficiently large n’s
Pr[z = v : iR←− I∩{0, 1}n; v
R←− {0, 1}; xR←− Dv
i ; zR←− A(i, x)] <
12+
1p(n)
• Collection of Trapdoor Predicate: Let I be a set of indices and fori ∈ I let Di be finite. A collection of one-way predicates is a set B ={Bi : Di → {0, 1}}i∈I satisfying the following conditions. Let Dv
i = {x ∈Di, Bi(x) = v}. The following conditions hold:
1. There exist a polynomial p(·) and a probabilistic polynomial timealgorithm I which on input 1n finds (i, ti) where i ∈ I ∩ {0, 1}n and|ti| < p(n). The information ti is referred to as the trapdoor of i.
2. There exists a probabilistic polynomial time algorithm D which oninput i ∈ I and v ∈ {0, 1} finds x ∈ Di such that Bi(x) = v.
3. There exists a probabilistic polynomial time algorithm B′ such thatfor i ∈ I, trapdoor ti, and x ∈ Di, B′(i, ti, x) = B(x).
17
4. For every probabilistic polynomial time algorithm A, any polynomialp(·) and all sufficiently large n’s
Pr[z = v : iR←− I∩{0, 1}n; v
R←− {0, 1}; xR←− Dv
i ; zR←− A(i, x)] <
12+
1p(n)
2.5 ♣Computation Difficulty Assumptions andRelated Bit Security Problems
18
Chapter 3
Pseudorandom Generators
The randomness is crucial in the encryption systems. According to Shannon, theperfect encryption system is the one-time pad scheme (bitwise of the plaintextbit stream with the random bit stream). However in most cases it is impossibleto design a practical system to enable two principals to share a random bitstream which is as long as the plaintext stream because the plaintext lengthvaries in situations and is possibly polynomially long. Hence it is important insome way to generate a bit stream based on a short random seed which seemsto be random and can be used in the system to replace the random bit stream.However, how to guarantee that the modification (replacing with the pseudoran-dom bits) does not affect (deteriorate) the original system’s security propertyin the current computation model (Turing model). The question introduces acrucial notion: computational indistinguishability. If in the current computa-tion model, it is infeasible to differentiate the pseudorandom bits from the realrandom bits, then the modified system’s security does not deteriorate in face ofadversaries in the same computation model.
3.1 Computational Indistinguishability
• Probability Ensemble: Let I be a countable index set. An ensembleindexed by I is a sequence of random variables indexed by I. Namely, anyX = {Xi}i∈I , where each Xi is a random variable, is an ensemble indexedby I.
• Polynomial-Time Indistinguishability:
1. Variant for ensembles indexed by N : Two ensembles, X = {Xn}n∈N
and Y = {Yn}n∈N , are indistinguishable in polynomial time if forevery probabilistic polynomial-time algorithm D, every polynomialp(·), and all sufficiently large n’s
|Pr[D(Xn, 1n) = 1]− Pr[D(Yn, 1n)]| < 1p(n)
19
2. Variant for ensembles indexed by a set of strings S: Two ensembles,X = {Xw}w∈S and Y = {Yw}w∈S , are indistinguishable in poly-nomial time if for every probabilistic polynomial-time algorithm D,every polynomial p(·), and all sufficiently large n’s
|Pr[D(Xw, w) = 1]− Pr[D(Yw, w)]| < 1p(|w|)
The probability is taken over the corresponding random variables Xi (orYi) and the internal coin tosses of algorithm D.
• A few remarks on the definition:
1. The second input to algorithm D is used to indicate that the lengthesof Xi and Yi are polynomially related with n. If that is the case, thesecond input is redundant.
2. The definition implies that the δ = |dX(n)−dY (n)| is negligible wheredX(n) = E[d(Xn)], dY (n) = E[d(Yn)] such that d(α) denoting thatD outputs 1 on input α.
3. The definition implies that with respect to any “string statistics”that can be computed in polynomial time, the two ensembles musthave the same profile (up to negligible error).
4. However the above definition cannot guarantee that the two en-sembles are statistically close. (The statistical difference 4(n) =12
∑α |Pr[Xn = α] − Pr[Yn = α]| is negligible.) In fact, there ex-
ists an ensemble X = {Xn}n∈N such that X is not statisticallyclose to the uniform ensemble U = {Un}n∈N , and yet X and Uare polynomial-time indistinguishable. Furthermore, Xn assigns allits probability mass to at most 2n/2 strings (of length n). (The dif-ference δ < 2−n/8).
• Indistinguishability by repeated experiments:
1. Indistinguishability by repeated sampling: Two ensembles, X ={Xn}n∈N and Y = {Yn}n∈N , are indistinguishable in polynomial-time sampling if for every probabilistic polynomial-time algorithmD, every two polynomials m(·) and p(·), and all sufficiently large n’s
|Pr[D(X(1)n , . . . , X(m(n))
n ) = 1]− Pr[D(Y (1)n , . . . , Y (m(n))
n )]| < 1p(n)
where X(1)n through X
(m(n))n and Y
(1)n through Y
(m(n))n are indepen-
dent random variables, with each X(i)n identical to Xn and each Y
(i)n
identical to Yn.2. An ensemble X = {Xn}n∈N is said to be polynomial-time-constructible
if there exists a probabilistic polynomial-time algorithm S such thatfor every n, the random variables S(1n) and Xn are identically dis-tributed.
20
3. Let X = {Xn}n∈N and Y = {Yn}n∈N be two polynomial-time-constructible ensembles, and suppose that X and Y are indistin-guishable in polynomial time. Then X and Y are indistinguishableby polynomial-time sampling.
4. The proof of the above theorem uses a so called hybrid techniquewhich has the following properties: (a) extreme hybrids collide withthe complex ensembles; (b) neighboring hybrids are easily related tothe basic ensembles; (c) the number of hybrids is small (polynomial).
5. We will see that the existence of a pair of polynomial-time-constructibleensembles that are both computationally indistinguishable and havea noticeable statistical difference implies the existence of pseudoran-dom generators.
• Indistinguishability by polynomial-size circuits:
1. Variant for ensembles indexed by N : Two ensembles, X = {Xn}n∈N
and Y = {Yn}n∈N , are indistinguishable by polynomial-size circuitsif for every family {Cn}n∈N of polynomial-size circuits, every poly-nomial p(·), and all sufficiently large n’s
|Pr[Cn(Xn) = 1]− Pr[Cn(Yn)]| < 1p(n)
2. Variant for ensembles indexed by a set of strings S: Two ensem-bles, X = {Xw}w∈S and Y = {Yw}w∈S , are indistinguishable bypolynomial-size circuits if for every family {Cn}n∈N of polynomial-size circuits, every polynomial p(·), and all sufficiently large n’s
|Pr[C|w|(X|w|) = 1]− Pr[C|w|(Y|w|)]| <1
p(|w|)3. Variant for ensembles indexed by a set of strings S: Two ensem-
bles, X = {Xw}w∈S and Y = {Yw}w∈S , are indistinguishable bypolynomial-size circuits if for every polynomial s(·), every family{Cw}w∈S of circuits such that Cw has size at most s(|w|), everypolynomial p(·), and all sufficiently large n’s
|Pr[C|w|(X|w|) = 1]− Pr[C|w|(Y|w|)]| <1
p(|w|)• Pseudorandom Ensembles: The ensemble X = {Xn}n∈N is called
pseudorandom if there exists a uniform ensemble U = {Ul(n)}n∈N suchthat X and U indistinguishable in polynomial time. (|Xn| = l(n)).
3.2 Pseudorandom Generators
• A pseudorandom generator is a deterministic polynomial-time algo-rithm G satisfying the following two conditions:
21
1. Expansion: There exists a function l : N → N such that l(n) > n forall n ∈ N and |G(s)| = l(|s|) for all s ∈ {0, 1}∗.
2. Pseudorandomness: The ensemble {G(Un)}n∈N is pseudorandom.
• Expansion. Let G1 be a deterministic polynomial-time algorithm map-ping strings of length n into strings of length n + 1, and let p(·) be apolynomial. Define G(s) = σ1 · · ·σp(|s|), where s0 = s, the bit σj is thefirst bit of G1(sj−1), and sj is the |s|-bit-long suffix of G1(sj−1) for every1 ≤ j ≤ p(|s|). That is, on input s, algorithm G proceeds as follows:
Let s0 = s and n = |s|.For j = 1 to p(n), do
σjsj = G1(sj−1), where σj ∈ {0, 1} and |sj | = |sj−1|.Output σ1σ2 . . . σp(|s|).
– Pseudorandomness. If G1 is a pseudorandom generator, then sois G.
• A variable-output pseudorandom generator is a deterministic polynomial-time algorithm G satisfying the following two conditions:
1. Expansion: For all s ∈ {0, 1}∗ and t ∈ N , it holds that |G(s, 1t)| = tand G(s, 1t) is a prefix of G(s, 1t+1).
2. Pseudorandomness: For every polynomial p, the ensemble {G(Un, 1p(n))}n∈N
is pseudorandom.
– If pseudorandom generators exist, then there exists a variable-outputpseudorandom generator.
• Unpredictability. An ensemble X = {Xn}n∈N is called unpredictablein polynomial time if for every probabilistic polynomial-time algorithm Aand every polynomial p(·), and all sufficiently large n’s,
Pr[A(1|Xn|, Xn) = nextA(Xn)] <12
+1
p(n)
where nextA(x) returns i+1 bit of x if on input (1|x|, x) algorithm A readsonly i < |x| of the bits of x, and returns a uniformly chosen bit otherwise.
– Unpredictability and Pseudorandom. An ensemble X = {Xn}n∈N
is pseudorandom if and only if it is unpredictable in polynomial time.
• The existence of pseudorandom generators implies the existenceof one-way functions. Let G be a pseudorandom generator with expan-sion factor l(n) = 2n. Then the function f : {0, 1}∗ → {0, 1}∗ defined byletting f(x, y) = G(x), for every |x| = |y| is a strongly one-way function.
22
3.3 Pseudorandom Generator Constructor
• Constructions based on one-way permutations.
1. Expansion l(n) = n+1. Let f be a length-preserving 1−1 (stronglyone-way) function, and let b be a hard-core predicate for f . Thenthe algorithm G, defined by G(s) = f(s) · b(s), is a pseudorandomgenerator.
2. Expansion l(n) = p(n). Let f : {0, 1}∗ → {0, 1}∗ be a 1 − 1length-preserving and polynomial-time-computable function. Let b :{0, 1}∗ → {0, 1} be a polynomial-time-computable predicate, and letp(·) be a polynomial satisfying p(n) > n. Define G(s) = σ1 · · ·σp(n),where s0 = s and for every 1 ≤ j ≤ p(n), it holds that σj = b(sj−1)and sj = f(sj−1). That is,
Let s0 = s and n = |s|.For j = 1 to p(n), doσj = b(sj−1), and sj = f(sj−1).Output σ1σ2 . . . σp(n).
3. Pseudorandomness. If b is a hard-core predicate of f , then G is apseudorandom generator.
• Constructions based on collections of one-way permutations. Let(I, D, F ) be a triplet of algorithms defining a collection of one-way per-mutations, and let B be a hard-core predicate for this collection. Letp(·) be an arbitrary polynomial. For n ∈ N and r, s ∈ {0, 1}q(n), de-fine G(r, s) = σ1 · · ·σp(n), where i = I(1n, r), s0 = D(i, s) and for every1 ≤ j ≤ p(|s|), it holds that σj = B(i, sj) and sj = fi(sj−1). That is,on input a seed (r, s) ∈ {0, 1}q(n) × {0, 1}q(n), algorithm G operates asfollows, where F (i, x) = fi(x):
Let i = I(1n, r) and s0 = D(i, s).
For j = 1 to p(n), do
σj = B(i, sj−1), and si = F (j, sj−1).
Output σ1σ2 . . . σp(n).
1. Pseudorandomness. Suppose that p(n) > 2q(n) for all n’s, andfor every i in the range of algorithm I, the random variable D(i) isuniformly distributed over the set Di. Then G is a pseudorandomgenerator.
2. Pseudorandomness. Let n and t be integers. For every i in therange of I(1n) and every x in Di, define Gt
i = B(i, x)·B(i, fi(x)) · · ·B(i, f t−1i (x))
where f0i (x) = x and f j+1
i = f ji (fi(x)) for any j ≥ 0. Let (I, D, F )
23
and B be as in the above theorem, with In a random variable rep-resenting I(1n) and Xn = D(In) a random variable uniformly dis-tributed in DIn
. Then for every polynomial p(·), the ensemble
{(In, Gp(n)In
(Xn), fp(n)In
(Xn))}n∈N and {(In, Up(n)(Xn), fp(n)In
(Xn))}n∈N
are polynomial-time-indistinguishable.
3. A few remarks: (a) The above theorem implies that even given twoextra inputs index i and the last domain element f
p(n)i (Xn) computed
by G, it is still infeasible to distinguish Gp(n)In
(Xn) = G(U2q(n)) fromUp(n). (b) The requirement on Di can be relaxed to require that D(i)is statistically close to the uniform distribution over Di.
4. Concrete Constructions.
(a) Discrete Logarithm.(b) RSA.(c) Factoring Blum Integers.
• Constructions based on hard-core functions. Let (I,D, F ) be atriplet of algorithms defining a collection of one-way permutations, andlet H be a hard-core function for this collection. Let p(·) be an arbitrarypolynomial. For n ∈ N and r, s ∈ {0, 1}q(n), define G(r, s) = α1 · · ·αp(n),where i = I(1n, r), s0 = D(i, s) and for every 1 ≤ j ≤ p(|s|), it holds thatαj = H(i, sj) and sj = fi(sj−1).
– Pseudorandomness. Suppose that p(n) · lH(n) > 2q(n) for all n’s.and for every i in the range of algorithm I, the random variable D(i)is uniformly distributed over the set Di. Then G is a pseudorandomgenerator.
• Constructions based on 1-1 one-way functions (not necessar-ily length-preserving). As the one-way is longer necessarily length-preserving, we need to find some way to convert the one-way functionto length-preserving and 1-1 function and at the same time keeping theone-way property. One method is to use the following hash functions.
– Hashing Functions. Let Smn be a set of strings representing func-
tions mapping n-bit strings to m-bit strings. Assume that Smn =
{0, 1}l(n,n) for some function l. We call Smn a hashing family if it
satisfies the following three conditions:
1. Smn is a pairwise-independent family of mappings: For every
x 6= y ∈ {0, 1}n, the random variables Hmn (x) and Hm
n (y) areindependent and uniformly distributed in {0, 1}m.
2. Smn has succinct representation: Sm
n = {0, 1}ploy(n,m).3. Sm
n can be efficiently evaluated: There exists a polynomial-timealgorithm that on input a representation of a function h (in Sm
n )and a string x ∈ {0, 1}n returns h(x).
24
– More on hash functions.
1. Concrete Examples. The commonly used hash functions in-clude Sm
n = hA,b where A is a n-by-m binary matrix and bm isa m-dimensional binary vector. hA,b(x) = xA + b where x is them-dimensional binary vector. A can also be a Toeplitz matrixT = {ti,j} where ti,j = ti+1,j+1 for all i, j. Toeplitz matriceshave succinct representation.
2. Properties. Let m < n be integers, Smn be a hashing family,
and b and δ be two reals such that m ≤ b ≤ n and δ ≥ 2−b−m
2 .Suppose that Xn is a random variable distributed over {0, 1}n
such that for every x, it holds that Pr[Xn = x] ≤ 2−b. Then forevery α ∈ {0, 1}m and for all but at most a 2−(b−m)δ−2 fractionof the h’s in Sm
n , it holds that Pr[h(Xn) = α] ∈ (1± δ)2−m.
– Constructing Pseudorandom Generators. Let f : {0, 1}∗ →{0, 1}∗ be a function satisfying |f(x)| = p(|x|) for some polyno-mial p(·) and all x’s. For any integer function l : N → N , bea hashing family. For every x ∈ {0, 1}n and h ∈ S
n−l(n)p(n) , define
G(x, h) = (h(f(x)), h, g(x)). (This construction implies that func-tion g is length-regular.)
– Pseudorandomness. Suppose that f is 1-1 and that g is the hard-core function of f . Then for every probabilistic polynomial-time al-gorithm A, every positive polynomial p(·), and all sufficiently largen’s
|Pr[A(G(Un, Uk)) = 1]− Pr[A(Un+k+1) = 1]| < 2 · 2− l(n)3 +
1p(n)
where k is the length of the representation of the hashing functionsin S
n−l(n)p(n) . (Note that even we set l(n) = 3log2p(n), the construction
is still not a psuedorandom generator.)
• Relationship between one-way functions and pseudorandom gen-erators.
1. If there exist 1-1 one-way functions, then pseudorandom generatorsexist as well.
2. If there exist regular one-way functions, then pseudorandom genera-tors exist as well.
3. If there exist one-way functions, then pseudorandom generators existas well.
3.4 Pseudorandom Functions
• Function Ensembles Let l : N → N (e.g. l(n) = n). An l-bit func-tion ensemble is a sequence F = {Fn}n∈N of random variables such that
25
the random variable Fn assumes values in the set of functions mappingl(n)-bit-long strings to l(n)-bit-long strings. The uniform l-bit functionensemble, denoted H = {Hn}n∈N , has Hn uniformly distributed over theset of all functions mapping l(n)-bit-long strings to l(n)-bit-long strings.
• Psudorandom Function Ensembles. An l-bit function ensemble F ={Fn}n∈N is called pseudorandom if for every probabilistic polynomial-timeoracle machine M , every polynomial p(·), all sufficiently large n’s
|Pr[MFn(1n) = 1]− Pr[MHn(1n) = 1]| < 1p(n)
where H = {Hn}n∈N is the uniform l-bit function ensemble.
• A few remarks on the definition.
1. The cardinality of H is 2l(n)2l(n). There is no polynomial-time (in n
or l(n)) algorithm to represent all the functions in the set. Hence thecardinality of a polynomial-time representable (there is a polynomial-time (in n) to represent all the functions in the set F ) set F is farsmaller than H. Here, “representation” means evaluation of the func-tion values on inputs, instead of enumeration. Hence it is possibleto represent exponential-number functions. For example there are2l(n) functions mapping any l(n)-bit string to a single l(n)-bit string.These 2l(n) functions can be represented (evaluated) in polynomial-time. This concept is formalized by the following definition.
2. Efficiently Computable Function Ensembles. An l-bit func-tion ensemble F = {Fn}n∈N is called efficiently computable if thefollowing two condition hold:
(a) Efficient indexing: There exists a probabilistic polynomial-time algorithm I and a mapping from strings to functions, φ,such that φ(I(1n)) and Fn are identically distributed. Denotethe function assigned to the string i by fi (i.e. fi = φ(i)).
(b) Efficient evaluation: There exists a polynomial-time algorithmV such that V (i, x) = fi(x) for every i in the range of I(1n) andx ∈ {0, 1}l(n).
• Efficiently Computable Psuedorandom Function Ensembles: Anefficiently computable pseudorandom function ensemble is a set of finitefunctions {fs : {0, 1}l(|s|) → {0, 1}l(|s|)}s∈{0,1}∗ where l : N → N and thefollowing two conditions hold:
1. Efficient evaluation: There exists a polynomial-time algorithm thaton input s and x ∈ {0, 1}l(|s|) returns fs(x).
2. Pseudorandomness: The function ensemble F = {Fn}n∈N , definedso that Fn is uniformly distributed over the multi-set {fs}s∈{0,1}n , ispseudorandom.
26
– Construction. Let G be a deterministic algorithm that expandsinputs of length n into strings of length 2n. We denote by G0(s) the|s|-bit-long prefix of G(s), and by G1(s) the |s|-bit-long suffix of G(s)(i.e. G(s) = G0(s)G1(s)). For every s ∈ {0, 1}n, we define functionfs : {0, 1}n → {0, 1}n such that for every σ1, . . . , σn ∈ {0, 1},
fs(σ1, σ2, . . . , σn) = Gσn(· · · (Gσ2(Gσ1(s)))) . . .)
That is, on input s and x = σ1σ2 · · ·σn, the value fs(x) is computedas follows:
Let y = s.For j = 1 to n, doy = Gσj(y).Output y.
Let Fn be a random variable defined by uniformly selecting s ∈{0, 1}n ans setting Fn = fs. Finally, let F = {Fn}n∈N be our func-tion ensemble.
– Pseudorandomness. Suppose that G is a pseudorandom genera-tor, then F is an efficiently computable ensemble of pseudorandomfunctions.
• Relationships between pseudorandom functions, pseudorandomgenerators and one-way functions.
1. If there exist one-way functions, then pseudorandom functions existas well.
2. Pseudorandom functions (for super-logarithmic l) exist if and only ifpseudorandom generators exist.
• Length-unpreserving pseudorandom functions.
– Definition. Let d, r : N → N . We say that {fs : {0, 1}d(|s|) →{0, 1}r(|s|)}s∈{0,1}∗ is an efficiently computable generalized pseudo-random function ensemble if the following two conditions hold:
1. Efficient evaluation: There exists a polynomial-time algorithmthat on input s and x ∈ {0, 1}d(|s|) returns fs(x).
2. Pseudoranomness: For every probabilistic polynomial-time ora-cle machine M , every polynomial p(·), all sufficiently large n’s
|Pr[MFn(1n) = 1]− Pr[MHn(1n) = 1]| < 1p(n)
where Fn is a random variable uniformly distributed over themulti-set {fs}s∈{0,1}n , and Hn is uniformly distributed among allfunctions mapping d(n)-bit-long strings to r(n)-bit-long strings.
27
– Construction. For G,G0 and G1 in the efficiently computable pseu-dorandom function construction. Let d, r : N → N , and let G′ be adeterministic algorithm mapping n-bit-long inputs into r(n)-bit out-puts. For every s ∈ {0, 1}n, we define function fs : {0, 1}d(|s|) →{0, 1}r(|s|) such that for every σ1, . . . , σd(n) ∈ {0, 1},
fs(σ1, σ2, . . . , σd(n)) = G′(Gσd(n)(· · · (Gσ2(Gσ1(s)))) . . .))
• Unbounded-input pseudorandom functions.
– Definition. Let r : N → N . We say that {fs : {0, 1}∗ → {0, 1}r(|s|)}s∈{0,1}∗is an efficiently computable unbounded-input pseudorandom functionensemble if the following two conditions hold:1. Efficient evaluation: There exists a polynomial-time algorithm
that on input s and x ∈ {0, 1}∗ returns fs(x).2. Pseudoranomness: For every probabilistic polynomial-time ora-
cle machine M , every polynomial p(·), all sufficiently large n’s
|Pr[MFn(1n) = 1]− Pr[MHn(1n) = 1]| < 1p(n)
where Fn is a random variable uniformly distributed over themulti-set {fs}s∈{0,1}n , and Hn is uniformly distributed among allfunctions mapping arbitrary long strings to r(n)-bit-long strings.
– Construction. Let G be a deterministic algorithm that expandsinputs of length n into strings of length 2n + r(n). We denote byG0(s) the |s|-bit-long prefix of G(s), by G1(s) the next |s| bits inG(s), and by G2(s) the r(|s|)-bit-long suffix of G(s) (i.e. G(s) =G0(s)G1(s)G2(s)). For every s ∈ {0, 1}n, we define function fs :{0, 1}∗ → {0, 1}r(n) such that for every non-negative integer d andevery σ1, . . . , σd ∈ {0, 1},
fs(σ1, σ2, . . . , σd) = G2(Gσd(· · · (Gσ2(Gσ1(s)))) . . .))
3.5 Psuedorandom Permutations
• Permutation Ensembles A permutation ensemble is a sequence P ={Pn}n∈N of random variables such that the random variable Pn assumesvalues in the set of permutations mapping n-bit-long strings to n-bit-longstrings. The uniform permutation ensemble, denoted K = {Kn}n∈N , hasKn uniformly distributed over the set of all permutations mapping n-bit-long strings to n-bit-long strings.
• Psudorandom Permutation Ensembles. A permutation ensembleP = {Fn}n∈N is called pseudorandom if for every probabilistic polynomial-time oracle machine M , every polynomial p(·), all sufficiently large n’s
|Pr[MPn(1n) = 1]− Pr[MKn(1n) = 1]| < 1p(n)
28
where K = {Kn}n∈N is the uniform permutation ensemble.
• A few remarks on the definition.
1. The uniform permutation ensemble (i.e. K = {Kn}n∈N ) constitutea pseudorandom function ensemble.
2. The cardinality of K is 2n!. There is no polynomial-time (in n) algo-rithm to represent all the functions in the set. Hence the cardinalityof a polynomial-time representable (there is a polynomial-time (inn) to represent all the functions in the set P ) set P is far smallerthan K. Here, “representation” means evaluation of the functionvalues on inputs, instead of enumeration. Hence it is possible to rep-resent exponential-number functions. This concept is formalized bythe following definition.
3. Efficiently Computable and Invertible Permutation Ensem-bles. A permutation ensemble P = {Pn}n∈N is called efficientlycomputable and invertible if the following three condition hold:
(a) Efficient indexing: There exists a probabilistic polynomial-time algorithm I and a mapping from strings to functions, φ,such that φ(I(1n)) and Pn are identically distributed. Denotethe function assigned to the string i by fi (i.e. fi = φ(i)).
(b) Efficient evaluation: There exists a polynomial-time algorithmV such that V (i, x) = fi(x) for every i in the range of I(1n) andx ∈ {0, 1}l(n).
(c) Efficient inversion: here exists a polynomial-time algorithmN such that N(i, x) = f−1
i (x) (i.e. fi(N(i, x)) = x).
• Strong Psuedorandom Permutation Ensembles: A permutation en-semble P = {Fn}n∈N is called strongly pseudorandom if for every prob-abilistic polynomial-time oracle machine M , every polynomial p(·), allsufficiently large n’s
|Pr[MPn,P−1n (1n) = 1]− Pr[MKn,K−1
n (1n) = 1]| < 1p(n)
where Mf,g denotes the execution of machine M when given access to theoracles f and g.
– Construction. Let f : {0, 1}n → {0, 1}n. For every x, y ∈ {0, 1}n,we define
DESf (x, y) = (y, x⊕ f(y))
Likewise, for f1, . . . , ft : {0, 1}n → {0, 1}n, we define
DESft,...,f1(x, y) = Dft,...,f2(Df1(x, y))
29
– Pseudoranomness and Permutation. Let Dt(n)Fn
= DESF
t(n)n ···F 1
n,
where t(n) is a polynomial-time-computable function. Then {DESt(n)Fn
}n∈N
is an efficiently computable and invertible permutation ensemble.Furthermore, if F = {Fn}n∈N is a pseudorandom function ensemble,then the ensemble {DES3
Fn}n∈N is psuedorandom and the ensemble
{DES4Fn} is strongly pseudorandom.
– Inversion. DESzero,f,zero is the inverse of DESf , where zero(z) =0|z| for all z ∈ {0, 1}n.
3.6 Two Different Views on Using Pseudoran-dom Functions
Pseudorandom functions provide us a fundamental tool to build security schemes.There are two different methods to interpret pseudorandom functions in the lit-erature.
• Standard Methodology.
1. Design a scheme assuming that all legitimate users share a randomfunction, f : {0, 1}n → {0, 1}n. The adversaries may be able toobtain, from the legitimate users, the values of f on arguments oftheir choice, but will not (cannot) have direct access to f itself.
2. Construct a real scheme by replacing the random function by a pseu-dorandom function. Namely, the legitimate users will share a ran-dom/secret seed specifying such a pseudorandom function. This im-plies that the adversary doesn’t know the description of the pseudo-random function. Conclude that the real scheme is secure.
• Random Oracle Methodology
1. Design a scheme assuming that all parties (including the adversary)share a truly random function. The truly random function is inter-preted as a program g with an initially empty vector v:
Input: xOuput: g(x)If x is in the vector v (v[x] is not empty),then
return v[x];else
beginv[x]=coin tosses;return v[x];
end
30
2. Construct a real scheme by replacing the random function by a “goodcryptographic hashing function”, providing all parties (including theadversary) the succinct description of this function. This is differentfrom the standard methodology.
• A few remarks on the random oracle model.
1. Using the random oracle model, we can design very succinct crypto-graphic schemes. However the random oracle model can only provideheuristical evaluation of security of the designed scheme. “Not onlydo there exist idealized protocols that have no secure implementa-tions, practically any idealized protocol can be slightly “tweaked”so that the tweaked protocol remains just as secure in the idealizedmodel, but has no secure implementations.” “Assume that an ideal-ized protocol A is proven secure in the Random Oracle Model basedon, say, the Diffie-Hellman assumption, and that someone comes upwith a way to break any implementation of A. This does not neces-sarily mean that it is now possible to break Diffie-Hellman.” [5]
2. The psuedorandomness of a function can be evaluation in anotherway. The cleverest adversary can only obtain reasonable advantageto differentiate the function from a real random function.Formal description:(two worlds scenario)
World 0: The function g is drawn at random from the randomensemble RandD→R, namely g
R←− RandD→R. D = {0, 1}L, R ={0, 1}l.World 1: The function g is drawn at random from the functionensemble F , namely g
R←− F . (Namely, randomly select K (theindex of function g) from Keys (the index ensemble of F ) andset g as FK)Distinguisher: An algorithm Ag has the oracle access of func-tion g and returns one bit indicating to which world g belongs.Two experiments:
Expprf−1F,A : K
R←− Keys(F ); g ← FK ; b ← Ag; return b.
Expprf−0F,A : g ← RandD→R; b ← Ag; return b.
Define the advantage of the adversary A to different the two worldas
AdvprfF,A = Pr[Expprf−1
F,A = 1]− Pr[Expprf−0F,A = 1]
Probability is taken over the random choice of g (i.e. the randomchoice of K in experiment 1 or the random choice of g in experiment2) and random choices that A makes.The pseudorandomness of the function ensemble F , can be evaluatedby Advprf
F (t, q, u) = maxA{AdvprfF,A}; where t is the maximum of the
running time of two experiments plus A’s code size, q is the query
31
times, and u is the bit length of q queries. The definition describesthe cleverest adversary’s advantage of winning the game. If applyingthis definition to the infinite sequence of function ensemble {Fn}∈N ,we can get a definition essential same as the one in Section 3.4.
32
Chapter 4
Zero-Knowledge Systems
4.1 About Knowledge and Its Proof
• Knowledge vs Information. 1) Knowledge is related to computationaldifficulty, whereas information is not. 2) Knowledge relates mainly topublicly known objects, whereas information relates mainly to objects onwhich only partial information is publicly known.
• In the proof system, there is a prover which provides the proof and averifier which verifies the proof. It is required that a verifier can effectively(in polynomial-time) verify the given proof. On the other hand, maybeit is difficult for the prover to construct the proof of an assertion. (Thisimplies that NP is not contained in BPP ).
• Basic requirements of a knowledge proof
1. Soundness. The verification procedure cannot be tricked into ac-cepting false statements
2. Completeness. Some prover has the ability to convince the veri-fier of true statements belonging to some predetermined set of truestatements.
• Zero-knowledge proofs are proofs that yield nothing beyond the validityof the assertion. (In fact, this intuitive definition does not reflect the factin many cases, e.g., zero-knowledge proof of knowledge which yields morethan the validity of the assertion.)
4.2 Interactive Proof Systems
• An Interactive Turing Machine (ITM).
33
– An interactive Turing machine (ITM), is a (deterministic) multi-tape Turing machine. The tapes are a read-only input tape, a read-only random tape, a read-and-write work tape, a write-only outputtape, a pair of communication tapes, and a read-and-write switchtape consisting of a single cell. One communication tape is read-only, and the other is write-only.
– Each ITM is associate a single bit σ ∈ {0, 1}, called its identity. AnITM is said to be active, in a configuration, if the content of its switchtape equals the machine’s identity. Otherwise the machine is said tobe idle. While being idle, the sate of the machine, the locations ofits heads on various tapes, and the contents of the writable tapes ofthe ITM are not modified.
– The content of the input tape is called input. The content of therandom tape is called random input, and the content of the outputtape at termination is called (local) output. The content written onthe write-only communication tape during a (time) period is calledthe message sent at that period. Likewise, the content read fromthe read-only communication tape during an active period is calledthe message received (at that period).
• Joint Computation of Two ITMs.
– Two interactive machines are said to be linked if they have opposi-tive identities, their input tapes coincide, their switch tapes coincide,and the read-only communication tape of one machine coincides withthe write-only communication tape of the other machine, and viceversa. We stress that the other tapes of both machines (i.e. therandom tape, the work tape, and the output tape) are distinct.
– The joint computation of a linked pair of ITMs, on a commoninput x, is a sequence of pairs representing the local configurationsof both machines. That is, each pair consists of two strings, eachrepresenting the local configuration of one of the machines. In eachsuch pair of local configurations, one machine (not necessarily thesame one) is active, while the other machine is idle. The first pairin the sequence consists of initial configurations corresponding to thecommon input x, with the content of the switch tape set to zero.
– If one machine halts while the switch tape still holds its identity,then we say that both machines have halted. The outputs of bothmachines are determined at that time.
• Remarks. This model doesn’t allow the ITMs to have individual pri-vate input. However, the model can be augmented with auxiliary inputs.〈A, B〉(x) denotes the random variable representing the (local) output ofB when interacting with A on common input x when the random inputto each machine is uniformly and independently chosen.
34
• The Complexity of an ITM. We say that an interactive machine Ahas time-complexity t : N → N if for every interactive machine B andevery string x, it holds that when interacting with machine B, on commoninput x, machine A always (i.e. regardless of the content of its randomtape and B’s random tape) halts within t(|x|) steps. In particular, we saythat A is polynomial-time if there exists a polynomial p such that A hastime-complexity p.
• Interactive Proof System. (Given an assertion, for a pair of interactivemachines, the prover and the verifier, the prover shows the proof of thevalidity of the assertion to the verifier. Obviously, there exists a knowledgegap (or computation ability gap) between the prover and the verifier.Otherwise, the verifier can prove the assertion without interacting withthe prover.) A pair of interactive machines (P, V ) is called an interactiveproof system for a language L if machine V is polynomial-time and thefollowing two conditions hold:
– Completeness: For every x ∈ L, Pr[〈P, V 〉(x) = 1] ≥ 23 .
– Soundness: For every x /∈ L and every interactive machine B,Pr[〈B, V 〉(x) = 1] ≤ 1
3 .
• Remarks on The Interactive Proof System.
– The soundness condition refers to all potential provers.
– The completeness condition refers only to the prescribed prover P .
– The verifier is required to be a (probabilistic) polynomial-time ma-chine, but no resource bounds are placed on the prover. Differentcomputation constraints on P and V introduce different proof sys-tems: (a) (P, V ) are a pair of strictly polynomial-time machines. (b)(P, V ) are a pair of machines with expected polynomial-time andstrictly polynomial-time, respectively. (c) (P, V ) are a pair of ma-chines with strictly polynomial-time and expected polynomial-time,respectively. (d) (P, V ) are a pair of expected polynomial-time ma-chines. (e) (P, V ) are a pair of machines such that V is strictlypolynomial-time. (f) (P, V ) are a pair of machines such that V is ex-pected polynomial-time. The first four cases consider that the proverP has an extra knowledge input which introduce the computationalsound proof notion (it is infeasible for P to fool V ). In the lasttwo cases, there is not computation ability restriction on P whichintroduce the perfect sound proof notion (it is impossible for Pto fool V ).
– The error probability can be made exponentially small by multi timesrunning the proof system.
– Only languages in NP have interactive proof systems in which bothparties are deterministic. In fact, NP can be viewed as a class ofinteractive proof systems in which the interaction is unidirectional
35
(from the prover to the verifier with the witness y of the string x inthe language) and the verifier is deterministic (and never errs). (Theprover shows the witness of the assertion which is an instance of anNP language.)
• Generalized Interactive Proof. Let c, s : N → R be functions sat-isfying c(n) > s(n) + 1
p(n) for some polynomial p(·). An interactive pair(P, V ) is called (generalized) interactive proof system for the language L,with completeness bound c(·) and soundness bound s(·), if
– Completeness: For every x ∈ L, Pr[〈P, V 〉(x) = 1] ≥ c(|x|).– Soundness: For every x /∈ L and every interactive machine B,
Pr[〈B, V 〉(x) = 1] ≤ s(|x|).The function g(·) defined as g(n) = c(n)− s(n) is called the acceptancegap of (P, V ) (which should be noticeable), and the function e(·), de-fined as e(n) = max{1 − c(n), s(n)}, is called the error probability of(P, V ). In particular, s is the soundness error or (P, V ), and 1− c is itscompleteness error. The following three definitions are equivalent.
1. L ∈ IP . Namely, there exists an interactive proof system with com-pleteness bound 2
3 and soundness bound 13 , for the language L.
2. L has every strong interactive proof systems: For every polynomialp(·), there exists an interactive proof system for the language L, witherror probability bound above by 2−p(n) (i.e e(n) < 2−p(n)).
3. L has a very weak interactive proof: There exists a polynomialp(·) and a generalized interactive proof system for the language L,with acceptance gap bounded below by 1/p(·) (i.e. g(n) > 1/p(n)).Furthermore, completeness and soundness bounds for this system,namely, the values c(n) and s(n), can be computed in time polyno-mial in n.
• An Example: Graph Non-Isomorphism in IP.
– Common input: A pair of graphs G1 = (V1, E1) and G2 = (V2, E2).
– Verifier’s first step (V 1): The verifier uniformly chooses σ ∈ {1, 2}and a random permutation π from the set of permutations over thevertex set Vσ. The verifier constructs an isomorphic copy of Vσ:(Vσ, F ) where F = {(π(u), π(v)) : (u, v) ∈ Eσ} and sends the copyto the prover
– Prover’s first step (P 1): Upon receiving a graph G′ = (V ′, E′) fromthe verifier, the prover finds τ ∈ {1, 2} such that the graph G′ isisomorphic to the input graph Gτ . (If both τ = 1 and τ = 2 satisfythe condition, then τ is selected arbitrarily. In case no τ ∈ {1, 2}satisfying the condition, τ is set to 0.) The prover sends τ to theverifier.
36
– Verifier’s second step (V 2): If the message τ received from the proverequals σ, then the verifier outputs 1, otherwise outputs 0.
– A few remarks. (1)Obviously, there must be no efficient way todetermine if two graphs are isomorphic. (2)As the prover and theverifier share the common input, if the prover can prove the assertion(two graphs are not isomorphic), then it must has extra computationability comparing to the verifier. (3)In the system, the completenessprobability is 1 and the soundness probability is at least 1/2.
• Interactive Proof Systems with an Auxiliary-Input Tape.
1. An interactive Turing machine (ITM) with an auxiliary-input, is a (deterministic) multi-tape Turing machine. The tapesare a read-only input tape, a read-only random tape, a read-and-write work tape, a write-only output tape, a pair of communicationtapes, a read-and-write switch tape consisting of a single cell andan additional read-only tape called the auxiliary-input tape. Onecommunication tape is read-only, and the other is write-only. Thecontent of the auxiliary-input tape is called auxiliary input.
2. The complexity of such an interactive machine is still measured asfunction of the (common) input length. Namely, the interactive ma-chine A has time-complexity t : N → N if for every interactivemachine B, on common input x, machine A always (i.e. regardless ofthe content of its random tape and its auxiliary-input tape, as wellas the content of B’s tapes) halts within t(|x|) steps.
3. We denote by 〈A(y), B(z)〉(x) the random variable representing thelocal output of B when interacting with machine A on common in-put x, when the random input to each machine is uniformly andindependently chosen, and A (resp. B) has auxiliary input y (resp.z).
4. A pair of interactive machines (P, V ) is called an interactive proofsystem for a language L if machine V is polynomial-time and thefollowing two conditions hold:
– Completeness: For every x ∈ L, there exists a string y such thatfor every z ∈ {0, 1}∗ Pr[〈P (y), V (z)〉(x) = 1] ≥ 2
3 .– Soundness: For every x /∈ L, every interactive machine B, and
every y, z ∈ {0, 1}∗, Pr[〈B(y), V (z)〉(x) = 1] ≤ 13 .
5. A few remarks. (1) The prover and the verifier doesn’t share theauxiliary-input with each other. (2) The time-complexity of the ma-chine is measured only on the length of the common input x, insteadof the length of the auxiliary input, because two machines don’t sharethe auxiliary input and maybe the verifier’s auxiliary input is muchlonger than the common input. However with the definition, only at
37
most the first t(|x|) words will be read. (3) The completeness proba-bility is irrespect with the verifier’s auxiliary input z. The soundnessprobability is irrespect with both auxiliary inputs.
• The Structure of The Class IP.
1. Any interactive proof system can be transformed into a system withperfect completeness (i.e. the verifier always accepts inputs in thelanguage).
2. Any interactive proof system can be transformed into (Arthur-Merlinproof) a public-coin interactive proof system (i.e. the verifier sendsthe outcome of its coin toss to the prover and thus need not sendany other information), while preserving perfect completeness (thereis no promise to preserve the soundness probability. However thetransformed system is still an interactive proof system).
3. IP = PSPACE. coNP ⊆ PSPACE and PSPACE is closed undercomplementation. (PSPACE denotes the class of machines usingthe polynomial size of space.)
4. A generic proof system in PSPACE, possibly has communicationrounds polynomially related to the input length.
5. A language having a constant-round interactive proof system alsohas a public-coin interactive proof system with only two messages.Any 2r-round proof system can be transformed into an r-round proofsystem, for any function r : N → N .
4.3 Construction Tools: Commitment Schemes
4.3.1 Computationally Hiding and Perfectly Binding Com-mitments
• Perfectly Binding Commitment Schemes. Loosely speaking, a com-mitment scheme satisfies the following two conditions:
1. Secrecy (or hiding). At the end of first phase, the other party,called the receiver, does not gain any knowledge of the sender’svalue. This requirement has to be satisfied even if the receiver triesto cheat.
2. Unambiguity (or binding). Given the transcript of the interactionin the first phase, there exists at most one value that the receivercan later (i.e. in the second phase) accept as a legal opening of thecommitment. This requirement has to be satisfied even if the sendertries to cheat.
• Formal definition.A perfectly binding bit-commitment scheme is apair of probabilistic polynomial-time interactive machines, denoted (S,R)(for sender and receive), satisfying the following:
38
– Input. The common input is an integer n presented in unary (servingas the security parameter). The private input to the sender is a bit,denoted v.
– Hiding. The receiver (even when deviating arbitrarily from the proto-col) cannot effectively distinguish a commitment (phase 1 messages)to 0 from a commitment to 1 (at the end of phase 1). Namely, forevery probabilistic polynomial machine R∗ interacting with S, theprobability ensembles describing the output of R∗ in the two cases,namely {〈S(0), R∗〉(1n)}n∈N and {〈S(1), R∗〉(1n)}n∈N , are compu-tationally indistinguishable.
– Binding. Preliminaries to the requirement:
1. A receiver’s view of an interaction with the sender, denoted(r,m), consists of the random coins used by the receiver (r) andthe sequence of messages received from the sender m.
2. Let σ ∈ {0, 1}. We say that a receiver’s view (of such inter-action), (r,m) is a possible σ-commitment if there exists astring s such that m describes the messages received by R whenR uses local coins r and interacts with machine S that uses lo-cal coins s and has input (σ, 1n). (i.e. (r,m) is a possible σ-commitment if (r,m) = view
S(σ,1n,s)R(1n,r) .)
3. We say that the receiver’s view (r,m) is ambiguous if it is botha possible 0-commitment and a possible 1-commitment.
The unambiguity requirement asserts that for all but a neg-ligible fraction of the coin tosses of the receiver there exists nosequence of messages from the sender that together with these cointosses forms an ambiguous receiver view. Namely, for all but a neg-ligible fraction of the r ∈ {0, 1}poly(n) there is no m such that (r,m)is ambiguous.
• Construction based on any one-way permutation. Let f : {0, 1}∗ →{0, 1}∗ be a 1− 1 one-way function, and let b : {0, 1}∗ → {0, 1} be a hard-core predicate of f .
1. Commitment phase: To commit to value v ∈ {0, 1} (using securityparameter n), the sender uniformly selects s ∈ {0, 1}n and sends thepair (f(s), b(s)⊕ v) to the receiver.
2. Reveal phase: In the reveal phase, the sender reveals the bit v andthe string s used in the commit phase. The receiver accepts the valuev if f(s) = α and b(s)⊕ v = σ, where (α, σ) is the receiver’s view ofthe commit phase.
• Construction based on any one-way function. Let G : {0, 1}∗ →{0, 1}∗ be a pseudorandom generator such that |G(s)| = 3|s| for all s ∈{0, 1}∗.
39
1. Commitment phase:
– To receive a commitment to a bit (using security parameter n),the receiver uniformly selects r ∈ {0, 1}3n and sends it to thesender.
– Upon receiving the message r, the sender commits to vluae v ∈{0, 1} by uniformly selecting s ∈ {0, 1}n and sending G(s) ifv = 0 and G(s)⊕ r otherwise.
2. Reveal phase: In the reveal phase, the sender reveals the strings used in the commit phase. The receiver accepts the value 0 ifG(s) = α and accepts the value 1 if G(s)⊕ r = α, where (r, α) is thereceiver’s view of the commit phase.
• Remarks. There are at most(2n
2
)< 22n possible pairs of seeds such
that r = G(s1)⊕G(s2) which enable the sender to open the commitmentin both ways (such that r is called bad). Because r ∈ {0, 1}3n, the goodstrings are the other 23n−22n ones. Hence if the receiver uniformly choosesr ∈ {0, 1}3n, r is good with possibility at least 1− 22n−3n.
• Extension to bit strings. By committing each bit of the intended stringto commit the string.
4.3.2 Perfectly Hiding and Computationally Binding Com-mitments
• Perfectly Hiding Commitment Schemes. Loosely speaking, a com-mitment scheme satisfies the following two conditions:
1. Perfect Secrecy (or hiding). At the end of commit phase, theother party, called the receiver, does not gain any information ofthe sender’s value.
2. Unambiguity (or binding). Given the transcript of the interactionin the first phase, it is infeasible for the sender to perform the revealphase in two different ways, leading the receiver to accept (as legal“opening”) two different values.
• Formal definition.A perfect hiding bit-commitment scheme is a pairof probabilistic polynomial-time interactive machines, denoted (S, R) (forsender and receive), satisfying the following:
– Input. The common input is an integer n presented in unary (servingas the security parameter). The private input to the sender is a bit,denoted v.
– Perfectly hiding. For every probabilistic (not necessarily polynomial-time) machine R∗ interacting with S, the random variables describingthe output R∗ in the two cases, namely 〈S(0), R∗〉(1n) and 〈S(1), R∗〉(1n),are identically distributed.
40
– Binding. Preliminaries to the requirement: For v ∈ {0, 1} and n ∈ N ,fix any probabilistic polynomial-time algorithm F ∗ and any polyno-mial p(·).1. A receiver’s view of an interaction with the sender, denoted
(r,m), consists of the random coins used by the receiver (r) andthe sequence of messages received from the sender m. A sender’sview of the same interaction, denoted (s, m̃), consists of the ran-dom coins (s) used by the sender and sequence of messages re-ceived from the receiver (m̃). A joint view of the interaction is apair consisting of corresponding receiver and sender views of thesame interaction.
2. Let σ ∈ {0, 1}. We say that a joint view (of such interaction),(r,m)(s, m̃) is a feasible σ-opening with respect to F ∗ and p(·)if on input (m, (s, m̃), σ), F ∗ outputs, with probability at least1/p(n), a string s′ such that m describes the messages receivedby R when R uses local coins r and interacts with machine Sthat uses local coins s′ and has input (σ, 1n)
3. We say that a joint view is ambiguous with respect to F ∗ andp(n) if it is both a feasible 0-opening and a feasible 1-opening.
The unambiguity requirement asserts that for all but a negli-gible fraction of the coin tosses of the receiver it is infeasible forthe sender to interact with the receiver, so that the resulting jointview is ambiguous with respect to some probabilistic polynomial-time algorithm F ∗. Namely, for every probabilistic polynomial-timeinteractive machine S∗, probabilistic polynomial-time algorithm F ∗,polynomial p(·) and q(·), and all sufficiently large n’s, the probabilitythat the joint view of the interaction between R and S∗, on commoninput 1n, is ambiguous, with respect to F ∗ and p(·), is smaller than1/q(n).
• Remarks. The non-uniform computational unambiguity which means theunambiguity condition holds for non-uniform families of polynomial-sizecircuits, is required in some cases.
• Construction based on claw-free collections. Assume the existenceof claw-free collections with efficiently recognizable index set (forexample, fσ
Z,G,P (x) = Zσ ·Gx mod P where the factorization of the P −1is publicly known. Hence the index set is efficiently recognizable, namely,whether or not G is the generation of group is efficiently recognizable). Aconstant-round perfectly hiding bit commitment: Let (I, D, F ) bea triplet of probabilistic polynomial-time algorithms, where I is the indexgenerating algorithm of a claw-free collection {(f0
i , f1i ) : i ∈ I} and S and
F is the corresponding sampling and evaluating algorithm.
1. Commit phase: To receive a commitment to a bit (using securityparameter n), the receiver randomly generate i = I(1n) and sends it
41
to the sender. To commit a value v ∈ {0, 1}, the sender checks to seeif the received message i from the receiver is in the range of I(1n)(this requires the index of the claw-free collection to be effectivelyrecognizable), and if so the sender randomly generates s = D(v, i),computes c = F (v, i, s), and sends c to the receiver. Otherwise, thesender aborts the protocol.
2. Almost canonical reveal phase: In the reveal phase, it suffices forthe sender to reveal the string s generated in the commit phase. (incanonical reveal phase, the sender should reveal the random cointosses rs and v. Here, the random tosses rs are used in D). The re-ceiver accepts the value v if F (v, i, s) = c where (i, c) is the receiver’spartial view of the commit phase.
• Remarks. (1) The rationale behind the requirement of efficiently rec-ognizing the indices is to guarantee that the permutation pair (f0
i , f1i )
have identical range distributions. Hence if there is no efficient methodto recognize the index set, the receiver can prove in zero-knowledge tothe sender that the permutation pair satisfies the requirement of identicalrange distribution. (2) Another possible way is to require that after thecommitment, in some place of a large protocol, the receiver should revealthe random string ri used in I to generate the index i. Hence the sendercan check that the permutation pair using the index has identical rangedistribution. This introduces the following notion.
• Commitment schemes with a posteriori secrecy. A bit-commitmentscheme with perfect a posteriori secrecy is defined as in perfectly hidingcommitment except that the secrecy requirement is replaced by the fol-lowing a posteriori secrecy requirement: For every string r ∈ {0, 1}poly(n),it holds that 〈S(0), Rr〉(1n) and 〈S(1), Rr〉(1n) are statically close, whereRr denotes the execution of the interactive machine R when using internalcoin tosses r.
• Construction of perfectly hiding commitment based on any one-way permutation. Let f be a one-way permutation, and let b(x, y)denote the inner product mod 2 of x and y.
1. Commit phase using security parameter n:(a) Local computations: The receiver randomly selects n−1 linearly
independent vectors r1, . . . , rn−1 ∈ {0, 1}n, and the sender uni-formly chooses s ∈ {0, 1}n and computes y = f(s).
(b) Iterative hashing: The parties proceed in n − 1 rounds. Inthe i round, the receiver sends ri to the sender, which replies bycomputing and sending ci = b(y, ri).
(c) Committing: After the n− 1 rounds iterative hashing, both par-ties can compute exactly two solutions to the system of equations{b(y, ri) = ci : 1 ≤ i ≤ n − 1}. Note that y is one of the twosolutions.
42
– The sender sets π = 1 if y is the lexicographically first solu-tion of the two, otherwise π = 0.
– To commit to a value v ∈ {0, 1}, the sender sends cn = π⊕ vto the receiver.
2. Canonical reveal phase: The sender reveals v along with the string sselected in the commitment phase. The receiver accepts the value v ifthe following two conditions hold, where ((r1, . . . , rn−1), (c1, . . . , cn))denotes the receiver’s view in the commitment phase:
– b(f(s), ri) = ci for all 1 ≤ i ≤ n− 1– If there exists y′ < f(s) (resp. y′ > f(s)) such that b(y′, ri) = ci
for all 1 ≤ i ≤ n − 1, then v = cn (resp. vn = cn ⊕ 1) must behold.
• Remarks. The interactivity property of the hashing phase is crucial tothe secrecy of the scheme. If the receiver sends all the random vectors tothe sender in one round, the sender can cheat the receiver.
4.3.3 Non-Oblivious Perfectly Binding and Computation-ally Hiding Commitments
In a commitment, it is possible that the sender does not know the value itcommits to. In some cases, we need to use a commitment which guaranteesthat the sender knows the value committed. This extra property is called non-obliviousness which uses a proof of knowledge protocol. (Before read this part,you need to know the notion of proof of knowledge.)
• Definition. Let (S,R) be a (perfectly binding computationally hid-ing commitment. We say that the commitment scheme is non-obliviousif the prescribed receiver R constitutes a knowledge verifier that is alwaysconvinced by S for the relation
{((1n, r,m), (σ, s)) : m = viewS(σ,1n,s)R(1n,r) }
where viewS(σ,1n,s)R(1n,r) denotes the messages received by the interactive ma-
chine R, on input 1n and local coins r, when interacting with machine Swhich has input (σ, 1n) and uses coins s.
• Remarks. By using the proof of knowledge, the receiver is convinced thatthe sender knows the committed value. And in the proof of knowledge, theverifier (which is the receiver in the commitment scheme) should only havepolynomial-time complexity, otherwise it possibly can extract the knowl-edge from the prover (which is the sender in the commitment scheme).Hence it is reasonable to require the commitment to be computationallyhiding, instead of perfect hiding.
43
• Existence. If one-way functions exist, then there exists non-obliviouscommitment schemes with a constant-number of communication rounds.Furthermore, the commitment scheme also preserves the secrecy propertywhen applied (polynomially) many times in parallel.
• Construction. Basically, in the commitment scheme, after the tradi-tional commit phase, a proof of knowledge protocol is executed as a sub-protocol in which the receiver acts as a verifier to make sure that thesender acting as the prover knows the committed value. Only after be-ing convinced, the receiver should accept the completion of the commitphase. Note that the proof of knowledge is NOT required to be zero-knowledge, instead, we only require that the receiver cannot differen-tiate which value the sender commits to. Hence the strong witness-indistinguishable proofs are satisfactory. (Note that here the re-ceiver (as the verifier) is required to be polynomial-time bounded.) Constant-round strong witness-indistinguishable proofs are constructible by parallelcomposition of zero-knowledge proofs of knowledge. Note that parallelcomposition of zero-knowledge proofs of knowledge are not necessarilyzero-knowledge, but strong witness-indistinguishable proofs preserving thewitness indistinguishability under parallel composition.
4.3.4 Two-Sender Commitments
In the two-partner model (see Section 4.14), the two senders commit to a value(one sender commits to the value, the other sender reveals the committed value).
• Two-sender commitment.
1. Secrecy. At the end of the commit phase, the solitary, called thereceiver, does not gain any information about the sender’s value (in-formation secrecy, namely perfectly hiding).
2. Unambiguity. Suppose that the commit phase is successfully com-pleted. Then if later, the partners, called the senders, can performthe reveal phase such that the receiver accepts the value 0 with prob-ability p, then they cannot perform the reveal phase such that thereceiver accepts the value 1 with probability substantially greaterthan 1− p. For every p the senders can always conduct the commitphase such that they can later reveal the value 0 with probability pand the value with probability 1− p.
• Formal definition. A two-sender bit-commitment scheme is a triplet ofprobabilistic polynomial-time interactive machines, denoted (S1, S2, R),for the two-partner model satisfying the following:
– Input. The common input is an integer n presented in unary (calledthe security parameter). The private input to the senders is a bit,denoted v ∈ {0, 1}.
44
– Secrecy. The 0-commitment and the 1-comment are identically dis-tributed. Namely, for every probabilistic (not necessarily polynomial-time) machine R∗ interacting with the first sender (S1), the randomvariables {〈S1(0), R∗〉(1n)}n∈N and {〈S1(1), R∗〉(1n)}n∈N are iden-tically distributed.
– Unambiguity. Preliminaries to the requirement:
1. A receiver’s view of an interaction with the first sender, denoted(r,m), consists of the random coins r used by the receiver andthe sequence of messages received from the first sender m.
2. Let σ ∈ {0, 1}. We say that the string s is a possible σ-openingof the receiver’s view (r,m) if m describes the messages receivedby R when R uses local coins r and interacts with machine S1
that uses local coins s and has input (σ, 1n).3. Let S∗1 be an arbitrary program for the first sender. Let p be
a real and σ ∈ {0, 1}. We say that p is an upper bound onthe probability of a σ-opening of the receiver’s view of the in-teraction with S∗1 if for very random variable X representing thestring sent by the second sender in the reveal phase, which isstatistically independent of the receiver’s coin tosses, the proba-bility that X is a possible σ-opening of the receiver’s view of aninteraction with S∗1 is at most p That is Pr[X is a σ-opening of〈S∗1 , R〉(1n)] ≤ p.
4. Let pσ be an upper bound on the probability of a σ-openingof the receiver’s view of the interaction with S∗1 . We say thatthe receiver’s view of the interaction with S∗1 is unambiguous ifp0 + p1 ≤ 1 + 2−n.
The unambiguity requirement asserts that for every program of thefirst sender S∗1 the receiver’s interaction with S∗1 is unambiguous.
– Strong unambiguity condition. For every deterministic strategyS∗1 and every pair of strings (s0, s1),
Pr[∀σ ∈ {0, 1}, sσ is a σ-opening of 〈S∗1 , R〉(1n)] ≤ 2−n
• Remarks. One crucial constraint on the second sender in the abovedefinition is that the second sender does not know the coin tosses sent bythe receiver to the first sender. This is the reason that the random variableX in the definition must be statistically independent of the receiver’s cointosses.
• Construction.
– Preliminaries: Let π0 and π1 denote two fixed permutations over{0, 1, 2} such that π0 is the identity permutation and π1 is a per-mutation consisting of a single transposition, say (1, 2). Namelyπ1(1) = 2, π1(2) = 1 and π1(0) = 0.
45
– Common input: The security parameter n.
– Sender’s input: σ ∈ {0, 1}– Commit phase:
1. The receiver uniformly selects r = r1 · · · rn ∈ {0, 1}n and sendsr to the first sender.
2. For each i, the first sender computes ci = πri(si) + σ mod 3 and
sends c1 · · · cn to the receiver where s = s1 · · · sn ∈ {0, 1, 2}n isuniformly chosen by the senders.
– Reveal phase: The second sender sends to the receiver the initialprivate input σ and the random coins s used in the commit phase.The receiver checks the revelation.
4.3.5 Commitments with Poly-Logarithm Efficiency
Assume the existence of collision-free hash functions, we can construct an au-thentication tree which has applications in many protocols. To commit a nbit string, the sender partitions the string into m = n
k (k is a system securityparameter determined later. It is required that the collision-free hash functionH maps strings of length 2k into strings of length k) consecutive blocks. Thesender constructs a binary tree of depth log2m, placing the m blocks in thecorresponding leaves of the tree. In each internal node, the sender places thehashing value obtained by applying the function H to the content of the childrenof this node. The only message sent in the commit phase is the content of theroot. In this way, using the collision-free property, the sender commits an n-bitstring. To reveal the value of a specific bit in the string, the sender reveals tothe receiver the contents of both children of each node along the path from theroot to the corresponding leaf. Hence to reveal a bit, the communication costis 2log2m · k. To open logn bits, the communication cost is 2logn·log2m · k.
4.3.6 Commitments with Trapdoor
• Definition. A trapdoor commitment scheme is a pair of probabilisticpolynomial-time interactive machines, denoted by (S,R), satisfying thefollowing:
– Hiding. The receiver R has negligible probability of predicating acommitment.
– Unambiguity. The sender S has negligible probability of constructinga commitment which it can later reveal in two possible ways: bothas 0 and as 1.
– Trapdoor: The receiver R through some trapdoor information, canefficiently generate strings that are computationally indistinguishablefrom the sender’s message and yet later open these strings so as toreveal any value (0 or 1).
46
• Construction. Use the zero knowledge proofs of knowledge providedthat the prover (working as the sender) does not know the knowledge itclaims to have.
– Preliminary phase. The receiver uniformly selects r ∈ {0, 1}n, com-putes f(r) and reduces f(r) (f is a one-way function) to an instance(a graph G with n vertices) of the Hamiltonian-cycle (HC) problemusing the standard reduction (the reduction is efficiently revertible).Hence it is hard to compute the Hamiltonian-cycle from graph G.The receiver sends graph G to the sender. The receiver also computesthe Hamiltonian-cycle of graph G by using the information r (r is thewitness of f(r) from the NP -relation R = {(f(w), w) : w ∈ {0, 1}∗}).
– Commit phase. The sender commits to 0 by choosing a randompermutation π, permutating the nodes of G, and committing to theentries of the resulting adjacency matrix. On the other hand, thesender can commit to 1 by choosing the n-node complete graph andcommitting to its adjacency matrix (which is all 1). Note that inthis step the sender uses another commitment scheme which has notrapdoor.
– Revealing phase. The sender reveals commitment 0 by sending π tothe receiver along with the revealing of all commitments of entriesin the matrix. The sender reveals commitment 1 by revealing to thereceiver a random simple n-cycle in the matrix.
• Definitions. (1) Hamiltonian-cycle: is a graph cycle (i.e., closed loop)through a graph that visits each node exactly once. (2) A clique of agraph is its maximal complete subgraph. Here, a clique is defined as anycomplete subgraph. The problem of finding the size of a (maximum) cliquefor a given graph is an NP-complete problem. (3) A complete graph is agraph in which each pair of graph vertices is connected by an graph edge.(4) A simple cycle is one that visits no edge or vertex twice.
• Remarks. (1) We can augment the scheme by forcing the receiver toprove its knowledge of the trapdoor. In the preliminary phase, the re-ceiver (as the prover) executes a proof of knowledge with the sender (asthe verifier) on common input f(r) to convince the sender that the re-ceiver knows r and so knows a Hamiltonian-cycle. (2) Because the re-ceiver has the trapdoor, hence it can generate a commitment to 0 andlater reveal the commitment both as 0 and as 1. It can reveal the com-mitment to 0 as a commitment to 1, because it knows and permutationand the Hamiltonian-cycle and so can reveal the commitments to entries(π(i), π(j)), with (i, j) ∈ C.
4.3.7 Commitments with Extraction
• Definition [3]. A perfect binding commitment scheme C (with senderS and receiver B) is a commit-with-extract commitment if the following
47
holds: there exists a probabilistic polynomial-time commitment extractCK such that for every probabilistic polynomial-time commitment partyS∗ and for every x, y, r ∈ {0, 1}∗, upon input (desc(S∗), 1t, x, y, r), wheret is a bound of running time of S∗(x, y, r), machine CK outputs a pair, de-noted (CK1, CK2) = (CK1(desc(S∗), 1t, x, y, r)), (CK2(desc(S∗), 1t, x, y, r)),satisfying the following conditions:
– Ensembles {CK1 = CK1(desc(S∗), 1t, x, y, r)}x,y,r∈{0,1}∗ and{viewS∗(S∗(x, y, r), R)}x,y,r∈{0,1}∗ are computationally indistinguish-able.
– Pr[CK2(desc(S∗), 1t, x, y, r)=commit-value(CK1)]> 1− µ(|x|)• Remarks. A commitment with extraction is not necessarily a non-oblivious
commitment. In fact that the commitment extractor is able to output thecommitted value, does not imply that the sender is able to output it (i.e.not necessarily existing a knowledge extractor). Recall that existing non-oblivious commitments using a proof of knowledge have to be either non-constant round or with extractor running in expected polynomial time.The following is a constant-round commit-with-extract commitment.
• Construction.
– Commit Phase.
1. S choose a trapdoor permutation.(a) The sender S chooses a trapdoor permutation f along with
the trapdoor t by uniformly choosing sI ∈ {0, 1}n and ap-plying the sampling algorithm I on sI , and send f to thereceiver R.
(b) S proves to R that f is indeed a permutation, using a constant-round zero-knowledge argument with a strict polynomial-time simulator. (In fact, if f ’s index is efficiently recogniz-able, this step can be eliminated.). Formally, S proves thatthere exists a string sI such that f is the permutation outputfrom I(sI).
2. S and R run a coin toss protocol.(a) R chooses a random string r1 ∈ {0, 1}n and sends c=Commit(r1; s)
using any perfectly binding commitment scheme with a ran-dom string s.
(b) S randomly chooses r2 ∈ {0, 1}n and sends r2 to R.(c) R sends r1 to S without decommitting.(d) R proves to S that r1 sent in Step 2c is indeed the valued com-
mitted in Step 2a, using a constant-round zero-knowledge ar-gument with strict polynomial-time simulator. Formally, Rproves that there exists a random string s such that c =Commit(r1; s).
(e) The output of the coin-tossing phase is r1 ⊕ r2.
48
3. S sends the actual commitment: S computes r = f−1(r1 ⊕ r2)and sends R the value v = b(r) ⊕ σ where b(r) is the hard-corepredicate of f .
– Reveal Phase.
1. S sends R the string r.2. R checks f(r) = r1 ⊕ r2 and if this the case, R computes σ =
b(r)⊕ v.
• Remarks. The above commitment is commitment with public decom-mitment. That is in the decommitment phase, the receiver does not needto access its random tape from the commit phase. Namely, the transcriptfrom the commitment phase and the sender’s decommitment message areenough to efficiently obtain the commitment value.
4.4 Zero-Knowledge Proofs
A interactive proof system (P, V ) for a language L is zero-knowledge if whatevercan be efficiently computed after interacting with P on input x ∈ L can also beefficiently computed from x without interacting with P (no “real gain”). Thecondition should hold with respect to any efficient way of interacting with P ,not necessarily the prescribed program V . In fact, zero-knowledge is a propertyof the prover P . It captures P ’s robustness against attempts to gain knowledgeby interacting with it.
4.4.1 Simulation Paradigm
To capture the “real gain”, we use the simulation paradigm. Loosely speaking,the simulation paradigm postulates that whatever a party can do by itself can-not be considered a gain from interaction with the outside. Here “doing” means“efficiently doing”. Hence, on input x ∈ L, if an algorithm M∗ working aloneoutputs the same as V ∗ which interacts with P . Then we can assert that V ∗
doesn’t obtain “real gain” through the interaction. Let’s interpret the paradigmin another way, i.e. for any (polynomial-time) interactive machine V ∗, there ex-ists a polynomial-time interactive machine M∗ which outputs the same as V ∗ oninput x. The preceding interpretation should be put in the probabilistic contextand we don’t require that each execution of the M∗ and V ∗ outputs the sameresult, instead, we require that the distributions of two outputs are identical. Itis very important to notice that the simulation simulates the interac-tion instead of simulating the prover to the verifier. (Can we interpretthe simulation paradigm in this way, i.e. for any (polynomial-time) interactivemachine V ∗, there exists a polynomial-time interactive machine M∗ such thatV ∗ cannot differentiate the real prover from M∗? It seems that this interpre-tation is too strict and only reflects the inability of verifiers (or more precisely,the language’s property), instead of the robustness of the prover. This seemsto happen only when the language belongs to BPP (if P 6= NP )). Moreover,
49
failure to provide a simulation of an interaction with the outside does not neces-sarily mean that this interaction results in some “real gain”. One possibility isthat the known simulation strategies are not power enough to enable us to finda simulation. The well-known strategy is the black-box method. However, thisstrategy has some limits and the non-black-box method recently has been usedto solve some problems (originally regarded as unachievable using the black-boxmethod). Note that the non-black-box method doesn’t equal to the white-boxmethod. However, in the non-black-box method, the verifier V ∗ is used in asignificant way, instead of being used merely as an oracle. In the simulationparadigm, any “real gain” cannot occur whenever we are able to present a sim-ulation. In [11], the simulation is interpreted in a more nature way, i.e. theadversary “gains nothing” if whatever it can obtain by unrestricted adversarialbehavior can be obtained with essentially the same computational effortby a benign behavior (following the prescribed protocol).
Obviously, there exists a knowledge gap or a computational power gap be-tween the simulator and the prover. So why can a simulator simulates theinteraction? The simulator has three extra advantages in the simulation overthe prover in the real interaction. (1) The simulator has the description of theverifier. (2) The simulator has the access of the coin tosses used by the verifier.(3) The simulator can invoke the verifier strategy polynomial times. If the sim-ulator fails in one invocation, it can just try again until it succeeds. However,in the real interaction, if the prover fails to convince the verifier, the verifierwould abort the protocol. The prover also has no access to the coin tosses atthe beginning of the protocol. Note that in the public coin protocols, the proverdoes obtain the verifier’s coin tosses in some stage of the protocol. The proverdoes not know the strategy of the verifier if the verifier behaves away from theprescribed protocol. The black-box simulator only makes use of the latter twoadvantages. Instead, the non-black-box simulator in [1] uses the first advantage(i.e. the description of the verifier) significantly too.
4.4.2 Define Zero-Knowledge Proof Systems
• Strictly Perfect Zero-Knowledge. Let (P, V ) be an interactive proofsystem for some language L. We say that (P, V ) or actually P , is strictlyperfect zero-knowledge if for every probabilistic polynomial-timeinteractive machine V ∗, there exists an (ordinary) probabilistic polynomial-time algorithm M∗ such that for every x ∈ L the following two randomvariables are identically distributed (which is much stronger thanthe polynomial-time indistinguishable requirement):
– 〈P, V ∗〉(x) (i.e. the output of the interactive machine V ∗ after inter-acting with the interactive machine P on common input x)
– M∗(x) (i.e. the output of machine M∗ on input x)
Machine M∗ is called a simulator for the interaction of V ∗ with P .
50
• Remarks. (1) The definition only considers the situation that x ∈ Land the prover is honest. This paradigm has significant applications inthe cryptography. However a more general paradigm where the commoninput’s membership is not decided and the prover can also cheat the verifierhas significant interest. That is given any instance x ∈ NP ∩NP − CO,the prover should prove that x ∈ L or x /∈ L assuming that P 6= NP ∩NP − CO.
• Perfect Zero-Knowledge. Because the above definition is too strict,and only trivial cases (languages in BPP ) have such strictly perfect zero-knowledge proof systems, we relax the definition in the following way. Let(P, V ) be an interactive proof system for some language L. We say that(P, V ) or actually P , is perfect zero-knowledge if for every proba-bilistic polynomial-time interactive machine V ∗ there exists an prob-abilistic polynomial-time algorithm M∗ such that for every x ∈ L thefollowing two conditions hold:
1. With probability at most 12 , on input x, machine M∗ outputs a special
symbol denoted ⊥ (i.e. Pr[M∗(x) = ⊥] ≤ 12 ).
2. Let m∗(x) be a random variable describing the distribution of M∗(x)conditioned on M∗(x) 6= ⊥ (i.e. Pr[m∗(x) = α] = Pr[M∗(x) =α|M∗(x) 6= ⊥] for every α ∈ {0, 1}∗). Then the following two randomvariables are identically distributed:
– 〈P, V ∗〉(x) (i.e. the output of the interactive machine V ∗ afterinteracting with the interactive machine P on common input x)
– m∗(x) (i.e. the output of machine M∗ on input x)
Machine M∗ is called a perfect simulator for the interaction of V ∗ withP .
• Strength the perfect zero-knowledge proof definition. We canstrength the perfect zero-knowledge definition by requiring that M∗ out-puts the special symbol only with negligible probability. For example:Let (P, V ) be an interactive proof system for some language L. Wesay that (P, V ) is perfect zero-knowledge if for every probabilis-tic polynomial-time interactive machine V ∗ and every polynomialp(·), there exists an probabilistic polynomial-time algorithm M ′ suchthat for every x ∈ L the following two conditions hold:
1. With probability less than 2−p(|x|), on input x, machine M ′ outputsa special symbol denoted ⊥ (i.e. Pr[M ′(x) = ⊥] < 2−p(|x|)).
2. Let m′(x) be a random variable describing the distribution of M ′(x)conditioned on M ′(x) 6= ⊥ (i.e. Pr[m′(x) = α] = Pr[M ′(x) =α|M ′(x) 6= ⊥] for every α ∈ {0, 1}∗). Then the following two randomvariables are identically distributed:
– 〈P, V ∗〉(x) (i.e. the output of the interactive machine V ∗ afterinteracting with the interactive machine P on common input x)
51
– m′(x) (i.e. the output of machine M ′ on input x)
Machine M ′ is called a perfect simulator for the interaction of V ∗ withP . M ′ can be obtained by sequentially executing M∗ until M∗’s outputis not ⊥ (outputs the result and halts) or M∗ has been executed p(|x|)+1times (outputs ⊥ and halts). Because M∗ is a polynomial-time algorithm,so is M ′. In this definition, the statistical difference of two ensemblesof {m′(x)}x∈L and {〈P, V ∗〉(x)}x∈L are negligible. The correctness ofthe construction is guaranteed by the sequential composition theorem ofzero-knowledge proof systems. This introduces the almost-perfect zero-knowledge notion. (So perfect zero-knowledge implies almost-perfect zero-knowledge.)
• Almost-Perfect (Statistical) Zero-Knowledge. Let (P, V ) be an in-teractive proof system for some language L. We say that (P, V ) is almost-perfect (or statistical) zero-knowledge if for every probabilisticpolynomial-time interactive machine V ∗ there exists an probabilisticpolynomial-time algorithm M∗ such that for every x ∈ L the followingtwo ensembles are statistically close as functions of |x|:
– {〈P, V ∗〉(x)}x∈L (i.e. the output of the interactive machine V ∗ afterinteracting with the interactive machine P on common input x)
– {M∗(x)}x∈L (i.e. the output of machine M∗ on input x)
That is, the statistical difference between 〈P, V ∗〉(x) and M∗(x) is negli-gible in terms of |x|.Note that the difference between perfect and almost-perfect zero-knowledgeis very important. In the perfect zero-knowledge, the distributions oftwo random variables are evaluated. However, in almost-perfect zero-knowledge, two ensembles of random variables are evaluated.
• Computational Zero-Knowledge. Let (P, V ) be an interactive proofsystem for some language L. We say that (P, V ) is computationalzero-knowledge (or just zero-knowledge) if for every probabilisticpolynomial-time interactive machine V ∗ there exists an probabilisticpolynomial-time algorithm M∗ such that for every x ∈ L the followingtwo ensembles are computationally indistinguishable:
– {〈P, V ∗〉(x)}x∈L (i.e. the output of the interactive machine V ∗ afterinteracting with the interactive machine P on common input x)
– {M∗(x)}x∈L (i.e. the output of machine M∗ on input x)
Machine M∗ is called a simulator for the interaction of V ∗ with P .
• An Alternative Formulation. We consider the verifier’s view (de-termined by the content of the verifier’s random tape and the contentof its read-only communication tape (the messages received)) of theinteraction with the prover, rather than only the output of the verifier
52
after such an interaction. Let (P, V ) be an interactive proof system forsome language L. We say that (P, V ) is zero-knowledge if for everyprobabilistic polynomial-time interactive machine V ∗ there exists anprobabilistic polynomial-time algorithm M∗ such that for every x ∈ Lthe following two ensembles are computationally indistinguishable:
– {viewPV ∗(x)}x∈L (i.e. the view of the interactive machine V ∗ after
interacting with the interactive machine P on common input x)
– {M∗(x)}x∈L (i.e. the output of machine M∗ on input x)
Note that M∗(x) in the definition is no longer 0 or 1, instead the simulatedview of V ∗(x) ∈ {0, 1}∗. This definition is equivalent to the precedingdefinition.
• Honest-Verifier Zero-Knowledge. Let (P, V ) be an interactive proofsystem for some language L. We say that (P, V ) is honest-verifier zero-knowledge if there exists an probabilistic polynomial-time algorithmM such that for every x ∈ L the following two ensembles are computa-tionally indistinguishable:
– {viewPV (x)}x∈L (i.e. the view of the interactive machine V after
interacting with the interactive machine P on common input x)
– {M}x∈L (i.e. the output of machine M∗ on input x)
Note that with respect to honest-verifier zero-knowledge, the formulationsof output simulatability and view simulatablity are not equivalent. It istrivial to simulate the honest verifier, because it always outputs 1 in theinteractive proof of perfect completeness.
• Expected Polynomial-Time Simulators. In the literature, zero-knowledgeproof formulation allows a more powerful simulator (a simulator runningin expected polynomial time rather than in strictly polynomial time.We say that (P, V ) is perfect zero-knowledge in the liberal sense if forevery polynomial-time interactive machine V ∗ there exists an expectedpolynomial-time algorithm M∗ such that for every x ∈ L the randomvariables 〈P, V ∗〉(x) and M∗(x) are identically distributed. If a prover iszero-knowledge in the definition of strict polynomial-time simulator, thenit is zero-knowledge in the liberal definition of expected polynomial-timesimulator. However, the definition of expected polynomial-time is contro-versial. The simple definition of expected polynomial time is having anaverage running time that is bounded by a polynomial in the input length(i.e. E[Xn] = p(n)). But this definition is not closed under reductions.For example f(x) = 2|x| if x ∈ {0}∗ and f(x) = |x| otherwise. We haveE[f(Un)] < n + 1, but E[f(Un)2] > 2n. Another definition of expectedpolynomial time is having a running time that is bounded by a polyno-mial in function that has an average linear growth rate. Put in anotherwords, we say f is polynomial on the overage if there exist a polynomial
53
p and a linear-on-the-average function l such that f(x) ≤ p(l(x)) for allsufficiently long x’s (i.e. Xn has expected polynomial-time if Xn = p(Yn)and E[Yn] = O(n).) Note that E[f(Un)] = Θ(n). Hence f(Un) doesn’tsatisfy the second definition.
• Complexity Classes Based on Zero-Knowledge. The relationshipamong the classes of languages: BPP ⊆ PZK ⊆ SZK ⊆ CZK ⊆ IP =PSPACE. The following relationship is commonly believed to be true ifnon-uniformly one-way functions exist. BPP ⊂ PZK ⊆ SZK ⊂ CZK ⊆IP = PSPACE. And the relationship of PZK and SZK remains anopen problem.
• An Example: Graph Isomorphism in PZK.
– Perfect zero-knowledge proof system.
1. Common input: A pair of graphs G1 = (V1, E1) and G2 =(V2, E2).
2. Prover’s first step (P 1): The prover selects a random isomor-phic copy of G2 and sends it to the verifier. Namely, the proverchooses at random, with uniform probability distribution, a per-mutation π from the set of permutations over the vertex set V2.The prover constructs an isomorphic copy of G2: (V2, F ) whereF = {(π(u), π(v)) : (u, v) ∈ E2} and sends the copy to the prover
3. Verifier’s first step (V 1): Upon receiving a graph G′ = (V ′, E′)from the prover, the verifier uniformly choose σ ∈ {1, 2} andsends σ to ask the prover to show an isomorphic copy of Gσ.
4. Prover’s second step (P 2): Upon receiving σ, if σ = 2, the proversends the permutation π to the verifier, otherwise the proversends the permutation π ◦φ where φ is the isomorphism betweenG1 and G2: namely, φ is a 1-1 and onto mapping of the vertexset V1 to the vertex set V2 such that (u, v) ∈ E1 if and onlyif (φ(u), φ(v)) ∈ E2. (How the prover gets this isomorphism isout of the proof system. If the prover is not restricted to be apolynomial-time algorithm, it can compute it. Otherwise, it hasto get this isomorphism from an auxiliary-input tape, which isnot shared with the verifier.)
5. Verifier’s second step (V 2): If the received message, denoted ψ,is an isomorphism between Gσ and G′, then the verifier outputs1; otherwise it outputs 0.
– Black-box simulator M∗. On input x = (G1, G2), simulator M∗
proceeds as follows:
1. Setting the random tape of V ∗: Let q(·) denote a polynomialbounding the running time of V ∗. The simulator M∗ starts byuniformly selecting a string r ∈ {0, 1}q(|x|) to be used as thecontent of the random tape of V ∗.
54
2. Simulating the prover’s first step (P 1): M∗ selects at random,with uniform probability distribution, a bit τ ∈ {1, 2} and apermutation ψ from the set of permutation over the vertex set Vτ .It then constructs an isomorphic copy G′′ of Gτ : G′′ = (Vτ , F )where F = {(π(u), π(v)) : (u, v) ∈ Eτ}.
3. Simulating the verifier’s first step (V 1): M∗ initiates an execu-tion of V ∗ by placing x on V ∗’s common-input tape, placing ron V ∗’s random tape, and placing G′′ on V ∗’s incoming-messagetape. After executing a polynomial number of steps of V ∗, thesimulator can read the outgoing message of V ∗, denoted σ. (nor-malizing σ by σ = 1 if σ 6= 2.)
4. Simulating the prover’s second step (P 2): If σ = τ , then simula-tor halts with output (x, r,G′′, ψ).
5. Failure of the simulation: Otherwise (i.e. σ 6= τ), the simulatorhalts with output ⊥.
– Remarks on the simulation. (1) The view of V ∗ is (common inputx, content of random tape r, received messages (G′′, ψ)). (2) Thesimulator fails with probability at most 1/2. (3) In the simulation,M∗ supplies the content to the random tape of V ∗. It does thisoperation, because it needs to output the view of V ∗. In the realinteractive proof system, V can send its coin tosses to the prover(public coin system). If that is the case, the simulator doesn’t needto do step 1. Note that the we can transform any interactive proofsystem into a public-coin interactive proof system while preservingperfect completeness.
• Zero-Knowledge with Respect to Auxiliary Inputs. Let (P, V ) bean interactive proof system with auxiliary input for a language L. Denoteby PL(x) the set of strings y satisfying the completeness condition withrespect to x ∈ L (i.e. Pr[〈P (y), V (z)〉(x) = 1] ≥ 2
3 for every z ∈ {0, 1}∗).We say that (P, V ) is zero-knowledge with respect to auxiliary in-put (or is auxiliary-input zero-knowledge) if for every probabilisticpolynomial-time interactive machine V ∗ there exists a probabilistic algo-rithm M∗ running in time polynomial in the length of its first input,such that the following two ensembles are computationally indistinguish-able (when the distinguishing gap is considered as a function of |x|):
– {〈P (y), V ∗(z)〉(x)}x∈L,z∈{0,1}∗ for arbitrary y ∈ PL(x).
– {M∗(x)}x∈L
Namely, for every probabilistic algorithm D with running time polynomialin the length of the first input, for every polynomial p(·), and for allsufficiently long x ∈ L, all y ∈ PL(x), and z ∈ {0, 1}∗, it holds that
|Pr[D(x, z, 〈P (y), V ∗(z)〉(x)) = 1]− Pr[D(x, z,M∗(x)) = 1]| < 1p(|x|)
55
• Remarks. (1) The definition has non-uniform polynomial favor. Possiblyonly the distinguisher can make use of the suffix of the auxiliary input (thepart after that the simulator can read), because the distinguisher may bedetermined after the polynomial bound of the simulator is fixed. Namely,assume that the polynomial bound of the simulator is T (·), while thepolynomial bound of the distinguisher is Q(·) and Q(n) > T (n) for allsufficiently large n’s. (2) However the oversimplified version such that theverifier, the simulator and the distinguisher are all polynomial-size circuitis unsatisfactory. (♣)
• Sequential Composition of Zero-Knowledge Proofs. Let P be aninteractive machine that is zero-knowledge with respect to auxiliary inputon some language L. Suppose that the last message sent by P , on inputx, bears a special end-of-proof symbol. Let Q(·) be a polynomial, and letPQ be an interactive machine that, on input x, proceeds in Q(|x|) phases,each of them consisting of running P on common input x. (We stress thatin case P is probabilistic, the interactive machine PQ uses independentcoin tosses for each of the Q(|x|) phases.) Then PQ is zero-knowledge(with respect to auxiliary input) on L. Furthermore, if P is perfect zero-knowledge (with respect to auxiliary input), then so is PQ.
4.5 Zero-Knowledge Proofs for NP
• Zero-Knowledge of Graph Coloring.
– Construction.
1. Common input. A simple (3-colorable) graph G = (V, E). Letn = |V | and V = {1, . . . , n}.
2. Auxiliary input to the prover. A 3-coloring of G, denoted ψ.3. Prover’s first step (P 1). The prover randomly selects a permu-
tation π over {1, 2, 3} and sets φ(v) = π(ψ(v)) for each v ∈ V .The prover uses a perfectly binding commitment schemeto commit itself to the color of each of the vertices. Namely, theprover uniformly and independently selects s1, . . . , sn ∈ {0, 1}n,computes ci = Csi(φ(i)) for each i ∈ V , and sends c1, . . . , cn tothe verifier.
4. Verifier’s first step (V 1). The verifier uniformly selects an edge(u, v) ∈ E and sends it to the prover.
5. Prover’s second step (P 2). Upon receiving an edge (u, v), theprover uses the reveal phase of the perfectly binding commitmentscheme in order to reveal the colors of vertices u and v to theverifier. Namely, the prover sends (su, φ(u)) and (sv, φ(v)) to theverifier.
6. Verifier’s second step (V 2). Check whether or not the decom-mitted values are different elements of {1, 2, 3} and whether or
56
not they match the commitments received in Step P 1. Namely,upon receiving (s, σ) and (s′, τ), the verifier checks whether ornot cu = Cs(σ), cv = Cs′(τ), and σ 6= τ and both σ and τ are in{1, 2, 3}.
– Black-box simulator. On input a graph G = (V,E), where n =|V |, the simulator M∗ proceeds as follows.
1. Setting the random tape of V ∗: Let q(·) denote a polynomialbounding the running time of V ∗. The simulator M∗ starts byuniformly selecting a string r ∈ {0, 1}q(|x|) to be used as thecontent of the random tape of V ∗.
2. Simulating the prover’s first step (P 1): M∗ uniformly and inde-pendently selects n values e1, . . . , en ∈ {1, 2, 3} and n randomstring s1, . . . , sn ∈ {0, 1}n to compute ci = Csi
(ei).3. Simulating the verifier’s first step (V 1): The simulator M∗ ini-
tiates an execution of V ∗ by placing G on V ∗’s common-inputtape, placing r selected in Step 1 on V ∗’s local random tape,and placing the sequence (c1, . . . , cn) on V ∗’s incoming-messagetape. After a polynomial number of steps of V ∗, the simulatorreads the outgoing message of V ∗, denoted m = (u, v).
4. Simulating the prover’s second step (P 2): If eu 6= ev, the simu-lator halts with outputs (G, r, (c1, . . . , cn), (su, eu, sv, ev)).
5. Failure of the simulation: Otherwise (i.e. eu = ev), the simulatorhalts with output ⊥.
• General Results.
– Preliminary. Each language in NP can be characterized by infinitelymany membership relations (RL’s). There exists a polynomial-time-computable function f such that x ∈ L if and only if f(x) ∈ G3C,denoted fL (the composition of the generic reduction of L to SAT ,the standard reductions (Karp-reduction) of SAT to 3SAT , and thestandard reduction of 3SAT to G3C). There exists a polynomial-time-computable function, denoted gL, such that for every (x,w) ∈RL, it holds that gL(x,w) is a 3-coloring of fL(x).
– Construction of zero-knowledge proof of any L ∈ NP .
1. Common input: A string x in a language L.2. Auxiliary input to the prover: A witness, w, for the membership
of x ∈ L (i.e. a string w such that (x,w) ∈ RL).3. Local pre-computation: Each party computes G = fL(x). The
prover computes φ = gL(x, w).4. Invoking a zero-knowledge proof of G3C: The parities invoke a
zero-knowledge proof on common input G. The prover entersthis proof with auxiliary input φ.
57
– Remark. In the proof of the zero-knowledge property of the pre-ceding construction, the auxiliary property of the 3-coloring zero-knowledge proof system plays an essential role.
– Zero-knowledge proof theorem. Suppose that there exists a per-fectly binding commitment scheme satisfying the (non-uniform) se-crecy and unambiguity requirements. Then every language in NPhas an auxiliary-input zero-knowledge proof system. The pre-scribed prover in this system can be implemented in probabilisticpolynomial time provided it gets the corresponding NP -witness asauxiliary input.
– Suppose that there exists a perfectly binding commitment schemesatisfying the (non-uniform) secrecy and unambiguity requirements.Then every language in IP has a zero-knowledge proof system.
4.6 Negative Results Related to Zero-KnowledgeProofs
From the zero-knowledge proof theorem, the following problems are naturallyraised.
1. Are the randomness and interaction in the proof system neces-sary? First, the interaction is necessary for non-trivial cases (languagesare not in BPP ). Conclusion: Suppose that L has a unidirectional (fromthe prover to the verifier) zero-knowledge proof system. Then L ∈ BPP .Second, both the randomness in the prover and in the verifier are neces-sary. Conclusion: Suppose that L has a zero-knowledge proof system inwhich the verifier program is deterministic. Then L ∈ BPP . Supposethat L has a zero-knowledge proof system in which the prover programis deterministic. Then L ∈ BPP . Hence there is no error-free zero-knowledge proof system for a language outside of BPP .
2. Is the sufficient condition (the existence of non-uniform one-wayfunctions which implies the existence of non-uniform secrecy pre-served perfectly binding commitment schemes) necessary? Theknown result is that (a) if there exist zero-knowledge proofs forlanguage outside of BPP , then there exist collections of func-tions with one-way instances. Note that, the assumption BPP ⊂ IPdoesn’t imply the existence of average one-way functions and even morethe assumption NP 6= BPP only implies the existence of a function thatis easy to compute but hard to invert in the worst case.
Collection of functions with hard instances. A collection of functions{fi : Di → {0, 1}∗}i∈I is said to have one-way instances if there exist twofunctions D and F such that the following two conditions hold:
58
(a) Easy to sample and evaluate. The output distribution of algorithmD on input i ∈ I is a random variable assigned value in Di. On inputi ∈ I and x ∈ Di, algorithm F always outputs fi(x).
(b) Some functions are hard to invert. For every probabilistic polynomial-time algorithm A′, every polynomial p(·), and infinitely many i ∈ I,
Pr[A′(i, fi(Xi)) ∈ f−1i (fi(Xi))] <
1p(|i|)
where Xi ∈ D(i).
(b) If there exist zero-knowledge proofs for languages that arehard to approximate, then there exist one-way functions.
We say that a language L is hard to approximate if there exists a prob-abilistic polynomial-time algorithm S such that for every probabilisticpolynomial-time algorithm A, every polynomial p(·), and all sufficientlylarge n’s,
Pr[A(Xn) = χL(Xn)] <12
+1
p(n)
where Xn = S(1n), and χL is the characteristic function of the languageL (i.e. χL(x) = 1 if x ∈ L and χL(x) = 0 otherwise).
3. Can we present perfect (or almost-perfect) zero-knowledge proofsystems for NP even under some reasonable assumption? Theconclusion is negative if the polynomial-time hierarchy is preserved. Ifthere exists a statistical (almost-perfect) zero-knowledge proof system fora language L, then L ∈ coAM (more precisely, L ∈ coAM ∩ AM). AMdenotes the class of languages having interactive proofs that proceed asfollows. (First, the verifier sends a random string to the prover, next theprover answers with some string, and finally the verifier decides whetheror not to accept or reject based on a deterministic computation (depend-ing on the common input and the two strings)). However, we can findthat there exist perfect zero-knowledge two-prover proof systems evenwithout hardness assumptions.
4.7 The Simulation Paradigm: Black-Box andNon-Black-Box Simulators
4.7.1 Black-Box Zero-Knowledge
• Definition.
– Next-message function: Let B be an interactive Turning machine,and let x, z and r be strings representing a common input, an aux-iliary input and a random input, respectively. Consider the func-tion Bx,z,r(·) describing the messages sent by machine B such that
59
Bx,z,r(m) denotes the message sent by B on common input x, aux-iliary input z, random input r, and sequence of incoming messagesm.
– Black-box simulator. We say that a probabilistic polynomial-timeoracle machine M is a black-box simulator for a prover P andthe language L if for every polynomial-time machine B, every proba-bilistic polynomial-time oracle machine D, every polynomial p(·), allsufficiently large x ∈ L, and every z, r ∈ {0, 1}∗,
|Pr[DBx,z,r (〈P,Br(z)〉(x)) = 1]−Pr[DBx,z,r (MBx,z,r (x)) = 1] <1
p(|x|)where Br(z) denotes the interaction of machine B with auxiliaryinput z and random input r.
– Way say that P is black-box zero-knowledge if it has a black-boxsimulator.
• Remarks. (1) The simulator M only uses the oracle access to the sim-ulated verifier B which has common input x, auxiliary input z and anyrandom input r. (2) The distinguisher also has the oracle access to theverifier B. (3) Note that the random input r of B in the interaction withP and in the oracle access are not the same coin tosses.
• The limitation of the black-box simulator. Suppose that (P, V ) isan interactive proof system with negligible error probability for thelanguage L. Further suppose that (P, V ) has the following properties:
– Constant round: There exists an integer k such that for everyx ∈ L, on input x the prover P sends at most k messages.
– Public coins: The messages sent by the verifier V are predeterminedconsecutive segments of its random tape.
– Black-box zero-knowledge: The prover P has a black-box simu-lator (over the language L).
Then L ∈ BPP .
• Remarks. The systems (zero-knowledge proof for graph isomorphism andzero-knowledge proof for 3-coloring graph) are constant-round, use publiccoins, and are black-box zero-knowledge proof. However they are not er-ror negligible. Recall the error probability is e(n) = max{1− c(n), s(n)}.For the graph isomorphism proof e(n) = s(n) $ 1
2 and for the 3-coloringproof e(n) = s(n) = 1− 1
|E| where n = |V |. If we construct a new proof byrepeating the proof polynomially many times in parallel, the new proof sys-tem is a public-coin proof with negligible error probability. However fromthe above theorem, the new proof is not black-box zero-knowledge proofwhich only means that we cannot use the black-box simulation method toprove if the proof is zero-knowledge. But is the proof zero-knowledge or
60
does there exist a constant-round, public-coin proof system with negligi-ble error probability for NP? The non-black-box simulator gives partialanswer.
4.7.2 Non-black-box Simulator
Barak [1] used the description of the verifier in a significant way to obtain someunachievable results when just accessing the verifier as an oracle.
• Tweaked FLS-type zero-knowledge protocol. The protocol consistsof two phases. In phase one, a generation protocol is executed which willgenerate an instance which does not belong to a predefined language. Onespecial property of the (tweaked) generation protocol is that no matter howthe prover proceeds, the verifier cannot be cheated to generate an instanceof the predefined language. In phase two, a witness-indistinguishable proofis executed in which the prover should prove that it knows either thewitness of which the instance generated in phase one is in the predefinedlanguage or the witness of which another instance belongs to anotherlanguage.
– Common input. 1n: security parameter. An instance x ∈ {0, 1}n
of language L. (i.e. the statement to be proved is x ∈ L.)
– Prover’s auxiliary input. w, the witness that x ∈ L.
– Phase 1. Generation protocol. Prover and verifier engage in ageneration protocol (GP). Denote the transcript of the execution byτ .
– Phase 2. WI protocol. Prover proves to verifier using a witnessindistinguishable proof (or argument) system that either x ∈ L orτ ∈ Υ where Υ is a fixed language which is a part of the proto-col’s specification. Verifier accepts if proof is completed successfully.Formally, the prover proves that 〈x, τ〉 ∈ M where the language isdefined as follows: 〈x, τ〉 ∈ M if x ∈ L or τ ∈ Υ.
• Remarks. In a real interaction, because the prover cannot cheat theverifier to generate an instance τ ′ ∈ Υ in the tweaked generation protocol,the prover has to prove that x ∈ L in phase two.
• A uniform generation protocol (GP). A generation protocol, as atwo-party protocol respect to a language Υ belonging to NTime(T (n))for some polynomial-time computable function T : N → N , satisfies thefollowing two requirements.
– Soundness. If the verifier follows its prescribed strategy then, re-gardless of the prover’s strategy, the execution transcript of the pro-tocol, denoted by τ , is an instance of language Υ without only negli-gible probability (i.e. Pr[τ ∈ Υ] < µ(n) for some negligible functionµ : N → [0, 1]).
61
– Uniform simulation. There exists a simulator that satisfies thefollowing: Let V ∗ be an arbitrary verifier strategy that runs in poly-nomial time and can be described using less than 2n bits where nis the security parameter. Then on input the description of V ∗, thesimulator runs for time polynomial in the running time of V ∗ andoutputs a pair (v, σ) such that:∗ v is computationally indistinguishable from the view of V ∗ in an
execution of the protocol with the prescribed prover. (Note thatthe view consists of the verifier’s incoming message and its localcoin tosses.)
∗ Let τ denote the transcript that is contained in the view v. Thenit holds that τ ∈ Υ and σ is a witness to this fact. Furthermore,we require that the time to verify that σ is a witness for τ ispolynomial in the running time of V ∗.
• Construction of GP.
– Define language Υ. The language Υ is defined as following Υ ={(z, r) : Π =Com−1(z), the Turing machine described by Π outputs rwithin |r|loglog|r|/5} such that Com is a perfectly biding commitmentscheme and for a string y, Com−1(y) denotes the unique x such thaty is a commitment to x or 03n if no such x exists.
– The generation protocol.∗ Input. the security parameter 1n
∗ Step 1. Prover computes z =Com(03n) and sends z to verifier.∗ Step 2. The verifier selects a string r ∈R {0, 1}n and sends it.
• Remarks. (1) It is hard for the prover to generate an instance in Υ,because even if the verifier follows the prescribed protocol, the provercannot guess r correctly with non-negligible probability (if it can, theprover can just commit to a simple program which outputs the randomr). (2) For a simulator, if it does not use description of the verifier whichcould behave drastically away from the prescribed protocol as the followingnon-black-box simulator, it is hard to construct an instance of language Υeven if the simulator knows the content of the random tape of the verifier,because it is hard to know how the verifier uses the random tape to outputthe response to the first message sent by the prover.
• The simulator of the generation protocol.
– Input. the security parameter 1n and a verifier’s algorithm V ∗, thedescription of a probabilistic polynomial-time Turing machine. Thelength of V ∗ is at most 2n.
– Setting the random tape of V ∗. Let q(n) denote the number ofrandom bits V ∗ uses. Let PRG:{0, 1}n/2 → {0, 1}q(n) be a pseudo-random generator. Choose u ∈R {0, 1}n/2 and let s = PRG(u). swill be used as the content of the random tape of V ∗.
62
– Simulating Step 1. Let Π denote the message function of V ∗ withs hardwired in as randomness. Note that Π can be described usingless than 3n bits (the description of V ∗, the description of PRG andthe seed u). Computes z =Com(Π).
– Simulating Step 2. Compute the verifier V ∗’s response with ran-domness s to the message z. That is r = Π(z).
The output of the simulator is pair ((s, z), (Π, the coins used in com-puting the commitment z=Com(Π))). (s, z) is the view of V ∗. BecauseΠ =Com−1(z) and r = Π(z), (z, r) ∈ Υ. And this can be verified in timepolynomial in the running of V ∗, because given the witness of the coinsused in the commitment, it is easy to verify that Π is the commitment toz, and running V ∗
s (z) = Π(z) gets r.
• The simulator of the FLS-type zero-knowledge protocol.
– Input. the security parameter 1n, a verifier’s algorithm V ∗, andx ∈ {0, 1}n.
– Simulate Phase 1. Let (v, σ) denote the output of the simulatorof the generation protocol (GP).
– Simulate Phase 2. Run the honest prover algorithm for the WIsystem to prove the statement x ∈ L or τ ∈ Υ using the witness σ.
• New results only obtainable using non-black box simulator. As-suming the existence of collision resistent hash function, we construct anew zero-knowledge argument system for NP that satisfies the followingproperties:
1. Constant round with negligible soundness error.
2. It remains zero knowledge even when composed concurrently n times.
3. It is a public coins (Arthur-Merlin) protocol.
4. I has a simulator that runs in strict polynomial time.
• Remarks. Impossible to obtain 1 and 2 simultaneously in black-boxparadigm. Impossible to obtain 1 and 3 simultaneously in black-boxparadigm. Impossible to obtain 1 and 4 simultaneously in black-boxparadigm. In fact, this construct is essentially similar to the rationale be-hind Richardson et al.’s concurrent zero-knowledge proof in Section 4.11.
4.8 Computationally Sound Proofs: Arguments
In the interactive proof system, there is no constraint on the prover’s computa-tion ability. If we restrict the prover’s computation ability to the probabilisticpolynomial-time complexity (it is a reasonable assumption), a new class of proofsystems can be defined. We call these systems computationally sound proof
63
systems (arguments). The advantage of this kind of proof systems is thatperfect zero-knowledge computationally sound proof systems exist and everyefficient systems can be constructed for any language in NP .
• Computationally sound proof system (arguments). A pair of in-teractive machines (P, V ) is called a computationally sound proof system(or argument) for a language L if both machines are polynomial-time withauxiliary inputs and the following two conditions hold:
– Completeness: For every x ∈ L, there exists a string y such that forevery string z, Pr[〈P (y), V (z)〉(x) = 1] ≥ 2
3 .
– Computational Soundness: For every interactive machine B, and forall sufficiently long x /∈ L and every y and z, Pr[〈B(y), V (z)〉(x) =1] ≤ 1
3 .
• Remarks. Note that the difference of soundness condition between thedefinition of interactive proof system with auxiliary input and the pre-ceding definition. The sequence of two quantifiers in two definitions aredifferent (i.e. one is ∀B, ∀ sufficiently long x, the other is ∀ sufficientlylong x and ∀B).
• Construction. Replace the perfectly binding computationally hid-ing commitment used by the prover in the 3-colorability proof with a per-fectly hiding computationally binding commitment. The resultingprotocol is a perfect zero-knowledge weak argument for Graph 3-Colorability. (A weak argument is a protocol in which the gap betweenthe completeness and the computational-soundness condition is notice-able).
• Remarks. (1) The new protocol uses computationally binding com-mitment which cannot guarantee the unambiguity when the prover hasstronger computation power than a probabilistic polynomial-time ma-chine. Hence it cannot be used in the original proof where the prover’scomputation ability is not constrained. (2) The new protocol can be usedin parallel composition to reduce the error probability exponentially. (3)The new protocol is a perfect zero-knowledge argument.
• If non-uniformly one-way permutations exist, then every language in NPhas a perfect zero-knowledge argument.
4.9 Constant-Round Zero-Knowledge Protocols
All the presented zero-knowledge proofs so far have a large error probability.We cannot use them directly in the security applications. One obvious re-quirement is that the error probability must be negligible. We can sequentiallyexecute these protocols polynomially many times to reduce the error probabil-ity. However the sequential composition of protocols is not round-efficient (i.e.
64
the resulting protocols are not constant-round. We refer to a protocol that isboth constant-round and has negligible error probability as a round-efficientprotocol). On the other hand, one possible solution is to use the parallel com-position. However from the limit of the black-box simulation, we know thatwe cannot achieve constant-round public coin zero-knowledge proofs withnegligible error probability in the black-box simulation paradigm. Simi-lar result is obtained for arguments. To overcome this negative barrier,there are two possible solutions. (1) Don’t use public coin proofs and ap-ply expected polynomial-time (not strict polynomial-time) simulator.(2) Change the black-box simulation paradigm to the non-black-boxparadigm. For the simulation paradigm, please refer to Section 4.7 and referto Section 4.11 for the details of general composition. Here we investigate thesystems applying the first solution (non-public-coin systems). The basic ideais to modify the public coin protocols to require that the verifier first commitsits coin tosses, then the prover proceeds following the original protocols, aftercoming to the step of the original protocols which requires the verifier to sendits coins to the prover, the verifier reveals its commitments. In this way, whenthe protocol is composed in parallel, the verifier cannot make use of the condi-tion that it gets all the commitments from the prover in one step to adaptivelychoose its queries and the prover cannot cheat the verifier because before itscommitment it knows nothing about the verifier’s queries committed in the firststep. Based on the difference of computation ability of provers in the proofsand arguments, different commitment schemes are used.
4.9.1 Constant-Round Zero-knowledge Proofs
The parallel proof of G3C can be constructed in the following way. The veri-fier uses a perfectly hiding and computationally binding commitmentscheme and the prover uses a perfectly binding and computationallyhiding commitment scheme.
• Construction.
1. Common input. A simple (3-colorable) graph G = (V,E). Let n =|V |, t = n|E| and V = {1, . . . , n}.
2. Auxiliary input to the prover. A 3-coloring of G, denoted ψ.
3. Prover’s preliminary step (P 0). The prover invokes the commit phaseof a perfectly hiding commitment scheme, which results in send-ing to the verifier a message m
4. Verifier’s preliminary step (V 0). The verifier uniformly and indepen-dently selects a sequence of t edges, E = ((u1, v1), . . . , (ut, vt)) ∈ Et,and sends the prover a random commitment to these edges. Namely,the verifier uniformly selects s ∈ {0, 1}poly(n) and sends Pm,s(E) tothe prover. (Note that the edges in E can be duplicated, becausethey are chosen independently.)
65
5. The first step of prover (P 1). The prover randomly selects t permu-tations π1, . . . , πt over {1, 2, 3} and sets φj(v) = πj(ψ(v)) for eachv ∈ V and 1 ≤ j ≤ t. The prover uses a perfectly binding com-mitment scheme to commit itself to the colors of each of the verticesaccording to each 3-coloring. Namely, the prover uniformly and inde-pendently selects s1,1, . . . , sn,t ∈ {0, 1}n, computes ci,j = Csi,j (φj(i))for each i ∈ V and 1 ≤ j ≤ t, and sends c1,1, . . . , cn,t to the verifier.
6. The first step of the verifier (V 1). The verifier reveals its commit-ments, yielding the sequence E = ((u1, v1), . . . , (ut, vt)). Namely, theverifier sends (s, E) to the prover.
7. The second step of the prover (P 2). The prover checks that themessage received from the verifier is indeed a valid revealing of thecommitment made by the verifier at step V 0. Otherwise the proverhalts immediately. Denote the sequence of the revealed t edges by(u1, v1), . . . , (ut, vt). The prover uses the reveal phase of the perfectlybinding commitment scheme in order to reveal to the verifier, for eachj, the jth coloring of vertices uj and vj . Namely, the prover sends tothe verifier the sequence of quadruples
(su1,1, φ1(u1), sv1,1, φ1(v1)), . . . , (sut,t, φ1(ut), svt,t, φt(vt))
8. The second step of the verifier (V 2). The verifier checks whether ornot, for each i, the values in the jth quadruple constitute a correctrevealing of the commitments cu,j and cv,j and whether or not thedecommitted values are different elements of {1, 2, 3} and whether ornot they match the commitments received in Step P 1. Namely, uponreceiving (s1, σ1, s
′1, τ1) through (st, σt, s
′t, τt), the verifier checks for
each j whether or not cuj ,j = Csj (σj), cvj ,j = Cs′j (τj), and σj 6= τj
and both σj and τj are in {1, 2, 3}. If all conditions hold, then theverifier accepts. Otherwise, it rejects.
• ♣Expected Polynomial-Time Simulator.
S1. Extracting the query edges: M∗ generates a sequence of t ·n randomcommitments to dummy values (e.g. all values equal to 1) and feedsit to V ∗. In case V ∗ replies by revealing correctly a sequence of tedges, denoted by (u1, v1), . . . , (ut, vt), the simulator records theseedges and proceeds to the next step. In case the reply of V ∗ is nota valid revealing of the commitment message, the simulator outputsthe current view of V ∗ (G, r,m and the dummy values committed).
S2. Repeat Step S1 until a fixed (polynomial-in-|G|) number of correctV ∗ revelations are reached and then go to the next step (Namely,define an estimate as the ratio of the number of successes dividedby the number of trials. Only when the estimate is reached, thesimulation would go to the next step).
66
S3. Generating an interaction that satisfies the query edges. Let (u1, v1),. . . , (ut, vt) denote the sequence of edges recorded in Step S2. Ma-chine M∗ generates a sequence of n · t commitments c1,1, . . . , cn,t,such that for each j = 1, . . . , t it holds that cuj ,j and cvj ,j are ran-dom commitments to two different random values in {1, 2, 3} , andall the other ci,j ’s are random commitments to dummy values. Thesimulator feeds this sequence of commitments to V ∗. If V ∗ repliesby revealing correctly the (previously recorded) sequence of edges,then M∗ can complete the simulation of a real interaction of V ∗.Otherwise, the entire Step S3 is repeated until success is achieved.
• Remarks. The perfect hiding property of the commitment scheme usedby the verifier and the perfect binding property of the commitment usedby the prover guarantees that the prover cannot cheat to the verifier evenif the prover has more complexity than a polynomial-time machine.
4.9.2 Constant-Round Zero-knowledge Arguments
Assume that both the prover and the verifier are probabilistic polynomial-timemachines. The following construct is a round-efficient zero-knowledge argumentin which the verifier uses a perfectly binding and computationally hidingcommitment scheme and the prover uses a non-oblivious perfectly bindingand computationally hiding commitment.
• Construction.
1. Common input. A simple (3-colorable) graph G = (V,E). Let n =|V |, t = n|E| and V = {1, . . . , n}.
2. Auxiliary input to the prover. A 3-coloring of G, denoted ψ.3. Verifier’s preliminary step (V 0). The verifier uniformly and inde-
pendently selects a sequence of t edges, E = ((u1, v1), . . . , (ut, vt)) ∈Et, and sends the prover a random commitment to these edges us-ing a perfectly binding and computationally hiding scheme.Namely, the verifier uniformly selects s ∈ {0, 1}poly(n) and sendsPs(E) to the prover. (Note that the edges in E can be duplicated,because they are chosen independently.)
4. The first step of prover (P 1). The prover randomly selects t permu-tations π1, . . . , πt over {1, 2, 3} and sets φj(v) = πj(ψ(v)) for eachv ∈ V and 1 ≤ j ≤ t. The prover uses a non-oblivious per-fectly binding commitment scheme to commit itself to the colorsof each of the vertices according to each 3-coloring. Namely, theprover uniformly and independently selects s1,1, . . . , sn,t ∈ {0, 1}n,computes ci,j = Csi,j (φj(i)) for each i ∈ V and 1 ≤ j ≤ t, and sendsc1,1, . . . , cn,t to the verifier. In the sub-protocol (non-obliviousperfectly binding commitment), the verifier (the receiver of thecommitment) proceeds to the next step (V 1) only if the prover(thesender)’s non-obliviousness of commitment is assured.
67
5. The first step of the verifier (V 1). The verifier reveals its commit-ments, yielding the sequence E = ((u1, v1), . . . , (ut, vt)). Namely, theverifier sends (s, E) to the prover.
6. The second step of the prover (P 2). The prover checks that themessage received from the verifier is indeed a valid revealing of thecommitment made by the verifier at step V 0. Otherwise the proverhalts immediately. Denote the sequence of the revealed t edges by(u1, v1), . . . , (ut, vt). The prover uses the reveal phase of the perfectlybinding commitment scheme in order to reveal to the verifier, for eachj, the jth coloring of vertices uj and vj . Namely, the prover sends tothe verifier the sequence of quadruples
(su1,1, φ1(u1), sv1,1, φ1(v1)), . . . , (sut,t, φt(ut), svt,t, φt(vt))
7. The second step of the verifier (V 2). The verifier checks whether ornot, for each i, the values in the jth quadruple constitute a correctrevealing of the commitments cu,j and cv,j and whether or not thedecommitted values are different elements of {1, 2, 3} and whether ornot they match the commitments received in Step P 1. Namely, uponreceiving (s1, σ1, s
′1, τ1) through (st, σt, s
′t, τt), the verifier checks for
each j whether or not cuj ,j = Csj (σj), cvj ,j = Cs′j (τj), and σj 6= τj
and both σj and τj are in {1, 2, 3}. If all conditions hold, then theverifier accepts. Otherwise, it rejects.
• Remarks. The computationally hiding property of the commitmentscheme used by the verifier and the non-oblivious property of the com-mitment schemed used by the prover implies that the color assignmentgenerated by the prover is almost independent of the verifier’s commit-ment. Hence, it is hard for the prover to cheat to the verifier.
4.10 Witness Indistinguishability and Hiding
For a language L ∈ NP , a witness relation is defined by a binary relation RL
that is polynomially bounded, is polynomial-time-recognizable and characterizesL by L = {x : ∃ y (x, y) ∈ RL}. Let RL(x) = {y : (x, y) ∈ RL}. Note that alanguage L has infinitely many witness relations. For a fixed relation, therepossibly exist many witnesses for a sentence x ∈ L (i.e. the cardinality of RL(x)can be greater than 1).
In the proof system for a language L with auxiliary input as the witnessof a sentence in L, it is natural to require that after interaction, a verifiershould not be able to different the provers using different witnesses for thecommon input (a sentence of the language) and should not be able to extractthe used witness. Obviously that zero-knowledge proof systems preserve thewitness indistinguishability and hiding properties because they prove nothingmore than the validity of the assertion. However the reverse is not necessarilytrue.
68
4.10.1 Witness Indistinguishability
• Let (P, V ) be an interactive proof system with auxiliary input for a lan-guage L ∈ NP , and let RL be a fixed witness relation for the languageL. We say that (P, V ) is witness-indistinguishable for RL if for ev-ery probabilistic polynomial-time machine V ∗ and every two sequencesW 1 = {w1
x}x∈L and W 2 = {w2x}x∈L, such that w1
x, w2x ∈ RL(x), the
following two ensembles are computationally indistinguishable:
– 〈P (w1x), V ∗(z)(x)〉x∈L,z∈{0,1}∗
– 〈P (w2x), V ∗(z)(x)〉x∈L,z∈{0,1}∗
Namely, for every probabilistic polynomial-time algorithm D, every poly-nomial p(·), all sufficiently long x ∈ L, and all z ∈ {0, 1}∗, it holds that
|Pr[D(x, z, 〈P (w1x), V ∗(z)〉(x)) = 1]−Pr[D(x, z, 〈P (w2
x), V ∗(z)〉(x)) = 1]| < 1p(|x|)
We say that (P, V ) is witness-independent for RL if the foregoingensembles are identically distributed. Namely, for every x ∈ L, everyw1
x, w2x ∈ RL(x) and z ∈ {0, 1}∗, the random variables 〈P (w1
x), V ∗(z)(x)〉and 〈P (w2
x), V ∗(z)(x)〉 are identically distributed.
• Remarks. (1) Proof systems in which the prover ignores its auxiliaryinput are witness independent. (2) Zero-knowledge proof systems are wit-ness independent. (3) Witness indistinguishability does not imply zero-knowledge. (4) Witness independency and witness indistinguishability arepreserved under sequential and parallel composition.
• Strong witness indistinguishability. Let (P, V ) be an interactiveproof system with auxiliary input for a language L ∈ NP , and let RL
be a fixed witness relation for the language L. We say that (P, V ) isstrongly witness-indistinguishable for RL if for every probabilisticpolynomial-time machine V ∗ and every two sequences {(X1
n, Y 1n , Z1
n)} and{(X2
n, Y 2n , Z2
n)}, such that {(Xin, Y i
n, Zin)} ranges over (RL × {0, 1}∗) ∩
({0, 1}n × {0, 1}∗ × {0, 1}∗), the following holds: If {(X1n, Z1
n)}n∈N and{(X2
n, Z2n)}n∈N are computationally indistinguishable, then so are
{〈P (Y 1n ), V ∗(Z1
n)〉(X1n)}n∈N and {〈P (Y 2
n ), V ∗(Z2n)〉(X2
n)}n∈N .
• Let (P, V ) be an auxiliary-input zero-knowledge proof system for a lan-guage L ∈ NP . Then (P, V ) is strongly witness-indistinguishable.
• Parallel Composition. Let L ∈ NP and let RL be a fixed witness re-lation for the language L. Suppose that P is probabilistic polynomial-timeand (P, V ) is witness-indistinguishable (resp. strongly witness-indistinguishableand witness-independent) for RL. Let Q(·) be a polynomial, and let PQ
be a program that, on common input x1, . . . , xQ(n) ∈ {0, 1}n and aux-iliary input w1, . . . , wQ(n) ∈ {0, 1}∗, invokes P in parallel Q(n) times,so that in the ith copy P is invoked on common input xi and auxiliary
69
input wi. Then PQ is witness indistinguishable (resp. strongly witness-indistinguishable and witness-independent) for
RQL = {(x, m) : ∀ i(xi, wi) ∈ RL}
where x = (x1, . . . , xQ(n)) and w = w1, . . . , wQ(n), such that |xi| = n foreach i.
• Construction. Based the two preceding theorems, assuming the exis-tence of (non-uniformly) one-way functions, every language in NP has aconstant-round (strongly) witness-indistinguishable proof system withnegligible error probability. In fact, the error probability can be madeexponentially small.
4.10.2 Witness Hiding
• Hard Instances. Each NP language has instances for which witness-finding is easy. Witness hiding can only guarantee that after interactingwith the prover using those witness which are hard to find, the verifiercannot find the used witness. Let L ∈ NP , and let RL be a witness relationfor L. Let X = {Xn}n∈N be a probability ensemble such that Xn rangesover L ∩ {0, 1}n. We say that X is hard for RL if for very probabilisticpolynomial-time (witness-finding) algorithm F , every polynomial p(·), allsufficiently large n’s, and all z ∈ {0, 1}poly(n),
Pr[F (Xn, z) ∈ RL(Xn)] <1
p(n)
• Witness-Hiding. Let L ∈ NP , and let RL be a witness relation forL. Let X = {Xn}n∈N be a hard-instance ensemble for RL. We saythat (P, V ) is witness-hiding for RL under the instance ensemble X if forevery probabilistic polynomial-time machine V ∗, every polynomial p(·),all sufficiently large n’s, and all z ∈ {0, 1}∗,
Pr[〈P (Yn), V ∗(z)〉(Xn) ∈ RL(Xn)] <1
p(n)
• Universally witness-hiding. Let L ∈ NP , and let RL be a witnessrelation for L. We say that (P, V ) is universally witness-hiding for RL
if for every efficiently constructible hard-instance ensemble X of RL, ev-ery probabilistic polynomial-time machine V ∗, every polynomial p(·), allsufficiently large n’s, and all z ∈ {0, 1}∗,
Pr[〈P (Yn), V ∗(z)〉(Xn) ∈ RL(Xn)] <1
p(n)
• We can extend the preceding definitions to enable the auxiliary inputof the algorithms be a distribution Zn which is related to Xn. Then
70
ensemble (Xn, Zn) is hard for RL if for every probabilistic polynomial-time algorithm F , the probability that F (Xn, Zn) ∈ RL(Xn) is negligi-ble. The system (P, V ) is witness-hiding for RL under {(Xn, Zn)}n∈N iffor every probabilistic polynomial-time verifier V ∗, the probability that〈P (Yn), V ∗(Zn)〉(Xn) ∈ RL(Xn) is negligible.
• Construction. Not all the witness indistinguishable proofs are witnesshiding proofs (a trivial case is that the proof has only one witness. Hencethe proof is obviously witness indistinguishable, however, possibly theproof will leak the witness to the verifier). However for some relations,the reduction does hold.
– Let {f0i , f1
i }i∈I be a collection of (non-uniform) claw-free functions,and let R = {(x,w) : w = (σ, r) ∧ x = (i, x′) ∧ x′ = fσ
i (r)} (i.e.{((i, f0
i (r)), (0, r))∨ ((i, f1i (r)), (1, r)) : r = D(0, i)∨ r = D(1, i)}i∈I).
Suppose that P is a probabilistic polynomial-time interactive ma-chine that is witness-indistinguishable for R. Then P is also witness-hiding for R under the distribution generated by setting i = I(1n)and x′ = f0
i (D(0, i)), where I and D are the index algorithm and thedomain sample algorithm of the function collection.
– Let R be an NP -relation and R2 = {((x1, x2), w) : |x1| = |x2| ∧∃i s.t. (xi, w) ∈ R}, and let P be a probabilistic polynomial-time in-teractive machine that is witness-indistinguishable for R2. Then Pis witness-hiding for R2 under every distribution of pairs of hard in-stances induced by an efficient algorithm that randomly selects pairsin R. That is: Let S be a probabilistic polynomial-time algorithmthat on input 1n outputs (x,w) ∈ R, so that |x| = n and Xn denotesthe distribution induced on the first element in the output of S(1n).Suppose that {Xn}n∈N is an ensemble of hard instances for R. ThenP is witness-hiding under the ensemble {X(1)
n , X(2)n }n∈N , where X
(1)n
and X(2)n denote two independent copies of Xn.
• An Example.
– Common input. A index recognizable instance of discrete logarithminstance (g, p, c, x1, x2) where p is a prime, g is the generator of Zp, cis the factorization of p − 1 (also called certificate of the instance,through which, the index is recognizable. Namely, to determinewhether g is a generator can be done efficiently), x1 and x2 are twoelements of Zp such that gw1 = x1 mod p and gw2 = x2 mod p.
– The auxiliary input to the prover: w1 and w2.
– Prover’s first step (P 1). The prover randomly and independentlychooses two elements from Zp: r1 and r2 and computes y1 = x1g
r1
mod p and y2 = x2gr2 mod p. The prover sends y1 and y2 to the
verifier.
71
– Verifier’s first step (V 1). The verifier uniformly choose σ ∈ {0, 1}and sends σ to the prover.
– Prover’s second step (P 2). Upon receiving the message σ, if σ = 0,then the prover sends r1 and r2 to the verifier. Otherwise, the proverrandomly decides to reveal the discrete log of one of the y’s (i.e.w1 + r1 mod (p− 1) or w2 + r2 mod (p− 1)).
– Verifier’s second step (V 2). If σ = 0, then the verifier checks that r1
and r2 are the valid revelation, otherwise, checks that the receivedmessage is a valid discrete log of y1 or y2 received in Step P 1.
4.11 Composition of Zero-Knowledge Systems
4.11.1 Parallel Composition
• Parallel Composition. In this case, (polynomially) many instances ofthe protocol are invoked at the same time and proceed at the same pace.That is, we assume a synchronous model of communication, and consider(polynomially) many executions that are totally synchronized so that theith message in all instances is sent exactly (or approximately) at the sametime.
• Zero-Knowledge proof class is not close under parallel compo-sition. Consider a party P holding a random (or rather pseudorandom)function f : {0, 1}2n → {0, 1}n, and willing to participate in the followingprotocol (with respect to security parameter n). Another party, called Afor adversary, is supposed to send P a binary value v ∈ {1, 2} specifyingwhich of the following cases to execute:
For v = 1 : Party P uniformly selects α ∈ {0, 1}n, and sends it to A,which is supposed to reply with a pair of n-bit long strings, denotedβ, γ. Party P checks whether or not f(αβ) = γ. In case equalityholds, P sends A some secret information.
For v = 2 : Party A is supposed to uniformly select α ∈ {0, 1}n, andsends it to P , which selects uniformly β ∈ {0, 1}n, and replies withthe pair (β, f(αβ)).
Observe that P ’s strategy is zero-knowledge (even w.r.t auxiliary-inputs).However, if the adversary A can conduct two concurrent executions withP , then it may learn the desired secret information: In one session, Asends v = 1 while in the other it sends v = 2. Upon receiving P ’smessage, denoted α, in the first session, A sends α as its own message inthe second session, obtaining a pair (β, f(αβ)) from P ’s execution of thesecond session. Now, A sends the pair (β, f(αβ)) to the first session of P ,this pair passes the check, and so A obtains the desired secret.
72
• More concise conclusion. Although, in general, zero-knowledge is notclosed under parallel composition, under standard intractability assump-tions (e.g., the intractability of factoring), there exist zero-knowledge pro-tocols for NP that are closed under parallel composition. Furthermore,these protocols have a constant number of rounds. Under standardintractability assumptions, every NP-set has a constant-roundparallel-zero-knowledge proof.
• Construction. Refer to Section 4.9, in which constant-round zero-knowledgeprotocols are constructed in parallel composition.
4.11.2 Concurrent Composition
Polynomial many instances of the protocol are invoked at arbitrary times andproceed at arbitrary pace.
• Pure asynchronous model (Richardson and Kilian’s construction[12])
– Common input. a security parameter k and x ∈ L such that L ∈ NP .
– Prover’s auxiliary input. an NP -witness w for x ∈ L.
– Stage 1.
1. The verifier commits to k uniformly selected k-bit strings, using atwo-round perfectly-hiding commitment scheme. That is,the prover acting as a receiver, sends the first message, to whichthe verifier responds by uniformly selecting v1, . . . , vk ∈ {0, 1}k,and sending to the prover its commitment to each of the vi’s.Denote by β = β1, . . . , βk the sequence of k commitments sentby the verifier.
2. For i = 1, . . . , k, the following two-round interaction goes on.(a) The prover uses a perfect-binding commitment to com-
mit to a random k-bit string, denoted pi.(b) The verifier decommits to βi by providing vi along with the
randomness used in forming βi from vi.
– Stage 2. The prover provides a proof that either x ∈ L or vi = pi,for some i. The NP -witness used by the prover is w. Here any WIproof can by applied. If we use the G3C proof, we first need to usethe standard reduction to convert the problem x ∈ L to an instanceof G3C. Then we can apply the G3C proof now.
• Remarks. The above protocol preserves the zero-knowledge propertyrunning concurrently even in pure asynchronous model.
• Conclusion.
73
– Under standard intractability assumptions, every language in NPhas a concurrent zero-knowledge proof with almost-logarithmicallymany rounds. The zero-knowledge property can be demonstratedusing a black-box simulator.
– Black-box simulator cannot demonstrate the zero-knowledge prop-erty of non-trivial proofs (or arguments) have significantly less thanlogarithmically many rounds.
– Using non-black-box simulator, constant-round zero-knowledge ar-guments (rather than proofs) for NP that maintain security as longas an a-priori bounded (polynomial) number of execution take placeconcurrently.
• Timing model (Dwork, Naor and Sahai’s construction [8]). Thetiming model assumes that in the system, each party has a local clocksuch that the relative clock rates are bounded by a prefixed constant. Theparties can time-out incoming messages and delay out-going messages.Although the timing model has disadvantages over the pure asynchronousmodel, it has a significant advantage: round-efficiency. Constant-roundconcurrent zero-knowledge arguments and proofs can be constructed inthe timing model.
• Remarks. By applying some set-up assumptions, instead of the timingmodel, constant-round concurrent zero-knowledge are constructible [6][7].
4.12 Proofs of Knowledge
4.12.1 Definitions and Examples
Intuitively, a two-party protocol constitutes a “system for proofs ofknowledge” if “whenever” the verifier is “convinced” then the proverindeed knows “something”. [4]
More precisely, for simplicity to restrict an interactive proof system for a lan-guage LR ∈ NP defined by relation R (proofs of knowledge are not restrictedto languages in NP ), if the verifier is convinced that x ∈ LR, then the provershould know the witness w of x. (i.e. (x,w) ∈ R). The fundamental problem ishow to capture the notion that “the prover knows the witness”. Namely, howcan the verifier be assured that if she follows the protocol, no matter who (anyparty plays the role of the prover) convinces her that an instance x is a memberof LR, the party (who plays the role of the prover) “knows” the witness w.Hence the proof of knowledge property of an interactive proof system basicallyonly relates to the ability of the verifier against the cheating provers. So theproof of knowledge notion seems to be the complement of the zero-knowledgeproof which addresses the prover’s ability against the cheating verifiers to ex-tract other knowledge apart from the validity of the assertion.
74
• The meaning of “know”. The prover should “know” the witness wif it can convince the verifier the assertion. Here we use a more generaldefinition of “know” which includes “exactly know” and “be able to know”(a prover is able to use its own computation ability to find the witnesseven it does not get the witness from the auxiliary input directly). Howto capture the notion of “the prover knows the witness” is explained inthe following specific examples. Generally, it is required that the proverstrategy can be “effectively” modified to output the witness. “Effectively”here means in polynomial-time steps but counting one invocation of theprover as a single step. Note that if we interpret “effectively” here asusing the same computation power as the prover strategy but still countingone invocation of the prover as a single step, the newly modified provercan possibly achieve much stronger computation power than the originalone. Only when the original prover is polynomial-time bounded, the latterinterpretation is reasonable.
• NP-relation. A language defined by a relation R: LR = {x : ∃ s(x, s) ∈R}. s is called the solution (in NP it is called a witness) for x. R isan NP -relation if R is polynomially bounded (there exists a polynomial psuch that |s| ≤ p(|x|) for all (x, s) ∈ R) and there exists a polynomial-timealgorithm for deciding membership in R.
• Message-Specification Function. Denote by Px,y,r(m) the messagesent by machine P on common input x, auxiliary input y and random inputr, after receiving messages m. The function Px,y,r is called the messagespecification function of machine P with common input x, auxiliary inputy and random input r.
• Remark. It is very important to note that in the message specificationfunction Px,y,r the random input r is fixed when the function is invokedseveral times (it sometimes is called “hard wired” random). In fact, it ismore precisely to use another notation: P σ
x,y(m). When σ = 1, P 1x,y(m)
will use new random input r (continue to move the header of therandom input tape to read the content) to evaluate Px,y,r(m). If σ =0, P 0
x,y(m) use last time random input r (move the header of therandom input tape back to the position before last invocation and thenmove the header forward to read the content) to evaluate Px,y,r(m). Thisformalization is fundamental in defining the proof of knowledge. It is nota strict black-box oracle (i.e. only passing inputs and getting outputs).
• System of proof of knowledge: Let R be a binary relation and k : N →[0, 1]. We say that an interactive function V is a knowledge verifier forthe relation R with knowledge error k if the following two conditions hold:
– No-triviality: There exists an interactive machine P such that forevery (x, y) ∈ R all possible interactions of V with P on commoninput x and auxiliary input y are accepting.
75
– Validity with error k: There exists a polynomial q(·) and a proba-bilistic oracle machine K such that for every interactive function P ,every x ∈ LR, and every y, r ∈ {0, 1}∗, machine K satisfies the fol-lowing condition: Denote by p(x, y, r) the probability that the inter-active machine V accepts, on input x, when interacting with proverspecified by Px,y,r. If p(x, y, r) > k(|x|), then, on input x and withaccess to oracle Px,y,r, machine K outputs a solution s ∈ R(x) withinan expected number of steps bounded by q(|x|)
p(x,y,r)−k(|x|) .
The oracle machine K is called a universal knowledge extractor.When k(·) is identically zero, we simply say that V is a knowledge verifierfor the relation R. An interactive pair (P, V ) such that V is a knowledgeverifier for a relation R and P is a machine satisfying the non-trivialitycondition with respect to V and R is called a system for proof of knowl-edge for the relation R.
• Validity with error k, alternative formulation. V satisfies the alter-native validity condition with error k if there exists a probabilistic oraclemachine K and a positive polynomial q such that on input x and withaccess to oracle Px,y,r machine K runs in expected polynomial time andoutputs a solution s ∈ R(x) with probability at least p(x,y,r)−k(|x|)
q(|x|) .
• The equivalency of two definitions. Let R be an NP -relation andlet V be an interactive machine. Referring to this relation R, machine Vsatisfies with error k the validity condition of the first definition if andonly if V satisfies with error k the alternative validity condition of thesecond definition.
• Remarks. (1) This definition is different from some other definitions inthe literature in a key way. This definition treats all possible values ofp(x, y, r) in a “uniform” fashion. Note that p(x, y, r) can be not neg-ligible and at the same not noticeable. Other definitions in theliterature treat all the values that are not noticeable as negligible. Wenote that is not satisfactory. (For example f(n) = 2−n if n is odd (negli-gible) and f(n) = n−2 otherwise (noticeable)). (2) In the definition thereis no requirement regarding the soundness condition. There is a defini-tion related to soundness in [4]. (3) There is no restriction on the proverto be polynomial-time machine, but obviously the prover is not a ma-chine without time bound. (4) It is more natural to treat the verifier tobe an interactive algorithm that can be implemented by a probabilisticpolynomial-time interactive machine, because when the protocol is usedas a sub-protocol, the party plays the role of the verifier may be a morepowerful machine.
• Knowledge error can be reduced. Let R be a polynomially boundedrelation, and let t : N → N be a polynomially bounded function. Sup-pose that (P, V ) is a system of proof of knowledge for the relation R
76
with knowledge error k. Then the proof system that results by repeating(P, V ) sequentially t(|x|) times on common input x is a system of proofof knowledge for the relation R with knowledge error k′(n) = k(n)t(n).For some zero-knowledge proof of knowledge, the knowledge error can bereduced exponentially in parallel repetitions,, although the new proofcannot necessarily achieve the zero-knowledge property.
• Knowledge error can be removed. Let R be an NP -relation, and letq(·) be a polynomial such that (x, y) ∈ R implies |y| ≤ q(|x|). Suppose that(P, V ) is a system of proof of knowledge for the relation R, with knowledgeerror k(n) = 2−q(n). Then (P, V ) is a system of proof of knowledge forthe relation R with zero error.
• System of Strong Proof of Knowledge. Let R be a binary relation.We say that an interactive function V is a strong knowledge verifier forthe relation R if the following two conditions hold:
– No-triviality: There exists an interactive machine P such that forevery (x, y) ∈ R all possible interactions of V with P on commoninput x and auxiliary input y are accepting.
– Strong Validity: There exists a negligible function µ : N →[0, 1] and a probabilistic strict-polynomial-time oracle machine Ksuch that for every interactive function P and every x, y, r ∈ {0, 1}∗,machine K satisfies the following condition: Denote by p(x, y, r) theprobability that the interactive machine V accepts, on input x, wheninteracting with the prover specified by Px,y,r. If p(x, y, r) > µ(|x|),then on input x and access to oracle Px,y,r, machine K outputs asolution s ∈ R(x) with probability at least 1− µ(|x|)
The oracle machine K is called a strong knowledge extractor. Aninteractive pair (P, V ) such that V is a strong knowledge verifier for arelation R and P is a machine satisfying the non-triviality condition withrespect to V and R is called a system of strong proof of knowledge for therelation R.
• Remarks. The strong validity requirement implies that x /∈ LR is ac-cepted by the verifier with probability at most µ(x).
• Zero-knowledge proofs of knowledge for NP . Assuming the ex-istence of (non-uniformly) one-way functions, every NP -relation has azero-knowledge system of proof of knowledge. Furthermore, inputs not inthe corresponding language are accepted by the verifier with exponentiallyvanishing probability.
• Some examples.
– Strong knowledge extractor for Graph Isomorphism. Thepresented zero-knowledge proof of GI in this chapter is a proof of
77
knowledge (i.e. the prover knows the witness of the common in-put: the isomorphism of two graphs) at the same time. When weuse the strong proof of knowledge definition, we needs to constructa strong knowledge extractor. To construct such extractor, we canonly use the prover in an oracle way (passing inputs to the proveralgorithm and getting the output messages). However note that inthe real interaction, the verifier also uses the prover in an oracle way.Obviously, two oracle ways must have some essential difference. Oth-erwise, if the knowledge extractor can extract the witness, so doesthe verifier, then the proof system is not zero-knowledge. Recall thatthe requirement of proof of knowledge is to construct an effectiveextractor by modifying the prover strategy. (Note that here “effec-tive” means in polynomial-time but counting an oracle invocation asa single step.) Because the common belief of the hardness of the“reverse-engineering” problem, we cannot change the behavior of theprover strategy dramatically. However, we indeed can use the strat-egy in a more significant way than simply passing inputs and gettingoutputs. First let us look at a construction of extractor for GI. Oninput (G1, G2) and access to the prover-strategy oracle P ∗, the fol-lowing steps are iterated n times, starting with i = 1. Initially T(the transcript so far) is empty.
1. Obtain the intermediate graph G′ from the prover strategy (i.e.G′ = P ∗(T )).
2. Extract the prover’s answers to both possible verifier moves.That is, for j = 1, 2, let ψj = P ∗(T, j). We say that ψj iscorrect if it is an isomorphism between Gj and G′.
3. If both ψj ’s are correct, then φ = ψ−12 ψ1 is an isomorphism
between G1 and G2. In this case we output φ and halt.4. In case ψj is correct for single j, and i < n, we let T ← (T, j)
and proceed to the next iteration (i.e. i ← i + 1). Otherwise, wehalt, with no output.
The fundamental difference between the verifier’s access to theprover’s strategy and the extractor’s access to the prover’s strategyis in Step 2. In the real interaction, in one iteration, the verifiercannot query the prover twice. Let use represent Step 2 using thealternative definition of message specification function. Step 2′. Ex-tract the prover’s answers to both possible verifier moves. That is,let ψ1 = P ∗0(T, 1) and ψ2 = P ∗1(T, 2). More formally, the knowl-edge extractor can be implemented by an interactive Turning machinewhich has the access to the prover’s interactive machine and proceedsfollowing the above four steps. The extractor machine shares its ran-dom tape with the prover machine. In Step 2, in each interaction,before the second invocation of the prover (running the prover’s ma-chine), the extractor machine moves the header of the random tapeback to the position before the first invocation. Only with control of
78
the prover’s machine, a party can complete such work. The verifierhas no such control of the prover. Basically the extractor machineis an effective extension of the prover itself. This extension does notgive the prover new ability from the point of view of computationcomplexity. Now let us analyze the probability that the extractoroutputs the witness with hypothesis that the verifier accepts thatthe graphs are isomorphic with probability greater than 2−n. (1) Ifthe extractor halts with no output in any iteration i < n, the veri-fier accepts with probability zero. (2) If the extractor halts with nooutputs in iteration n, then the verifier accepts with probability atmost 2−n (the cheating prover is so luck that it guesses correctly allthe n queries from the verifier. This only happens with probabilityat most 2−n). Overall, if p((G1, G2), ·, ·) > 2−n then the extractorsucceeds in recovering an isomorphism between two input graphs.
– Strong zero-knowledge proof of knowledge for NP -relation:Hamiltonian-cycle.
∗ Common input: a directed graph G = (V,E), with n = |V |.∗ Auxiliary input to prover: a directed Hamiltonian cycle C ⊂ E,
in G.∗ Prover’s first step (P 1): The prover selects a random permuta-
tion π of the vertices V and commits to the entries of the adja-cency matrix of the resulting permuted graph. That is, it sendsan n-by-n matrix of commitments such that the (π(i), π(j)) en-try is a commitment to 1 if (i, j) ∈ E and is a commitment to 0otherwise.
∗ Verifier’s first step (V 1): The verifier uniformly selects σ ∈ {0, 1}and sends it to the prover.
∗ Prover’s second step (P 1): If σ = 0, the prover sends π to theverifier along with the revealing of all commitments of entries inthe matrix. Otherwise, the prover reveals to the verifier only thecommitments to entries (π(i), π(j)), with (i, j) ∈ C.
∗ Verifier’s second step (V 2): If σ = 0, then the verifier checks thatthe revealed graph is indeed isomorphic, via π to G. Otherwise(i.e. σ = 1), the verifier simply checks that all revealed valuesare 1 and the corresponding entries form a simple n-cycle. (Inboth case, the verifier should check that the revealed values dofit the commitments.) The verifier accepts if and only if thecorresponding condition holds.
4.12.2 Application of Proofs of Knowledge
• A zero-knowledge proof system for Graph Non-Isomorphism.The proof system of GNI so far is not zero-knowledge. The cheatingverifier can construct an arbitrary graph H (or get H from its auxiliaryinput) and learn whether or not H is isomorphic to the first input graph.
79
However, we can modifies the proof system by forcing that the verifiermust know an isomorphism between H and an input graph using a proof ofknowledge as a sub-protocol. Only after being convinced that the verifierknows the isomorphism, the prover would answer the query. Then the newprotocol would be a zero-knowledge proof. The following is a constructionof the proof of knowledge of isomorphism. This is the first proof systemso far with no perfect completeness.
1. Common input: Three graphs G1 = (V1, E1), G2 = (V2, E2) andH = (VH , EH).
2. Auxiliary input to prover: τ ∈ {1, 2} and an isomorphism φ betweenH and Gτ
3. Prover’s first step (P 1): The prover uniformly choose i from {1, 2}and selects a random isomorphic copy of Gi and sends it to the ver-ifier. Namely, the prover chooses at random, with uniform probabil-ity distribution, a permutation π from the set of permutations overthe vertex set Vi. The prover constructs an isomorphic copy of Gi:(Vi, F ) where F = {(π(u), π(v)) : (u, v) ∈ Ei} and sends the copy tothe prover
4. Verifier’s first step (V 1): Upon receiving a graph G′ = (V ′, E′) fromthe prover, the verifier uniformly choose σ ∈ {0, 1} and sends σ.
5. Prover’s second step (P 2): Upon receiving σ, if σ = 0, the proversends the permutation π and i to the verifier. Otherwise if i = τthe prover sends the permutation π ◦ φ and i = 3 to the verifier.Otherwise (i.e. i 6= τ), the prover halts the proof, because it cannotanswer the query (or it answer the query as in the case of σ = 0).
6. Verifier’s second step (V 2): Upon receiving the message, an isomor-phism, denoted ψ, and an integer i, if σ = 0, the verifier checks if ψ isan isomorphism between Gi and G′ or checks if ψ is an isomorphismbetween H and G′ otherwise. If the the received message passes thecheck, then the verifier outputs 1; otherwise it outputs 0.
• Remarks. (1) The completeness probability is 34 and the soundness prob-
ability is 12 . (2) The proof is zero-knowledge for the assertion that H is
isomorphic to at least one graph of two inputs G1 and G2. (More for-mally, the membership problem of a language defined by relation R2 ={(x1, x2, w) : |x1| = |x2| ∧ ∃ i s.t. (xi, w) ∈ R} where R is a relation ofgraph isomorphism.) (3) From the witness indistinguishability theorem,we know that the sequential or parallel composition of the preceding proofresults in a witness-indistinguishable proof which is also a witness hidingproof for relation R2. (3) In the zero-knowledge proof of GNI, we onlyneed the witness indistinguishability property of the proof of knowledge.The prover of GNI plays the role of a verifier in the proof of knowledgefor GI.
• Non-oblivious commitment. See the commitment section.
80
• Proofs of Identity.
– Identification Scheme. An identification scheme consist of a pair(I,Π), where I is a probabilistic polynomial-time algorithm and Π =(P, V ) is a pair of probabilistic polynomial-time interactive machinessatisfying the following conditions:
∗ Validity: For every n ∈ N , every α ∈ {0, 1}n, and every s ∈{0, 1}poly(n),
Pr[〈P (s), V 〉(α, Is(α)) = 1] = 1
∗ Security: For every pair of probabilistic polynomial-time inter-active machines B′ and B′′, every polynomial p(·), all sufficientlylarge n ∈ N , every α ∈ {0, 1}∗, and every z,
Pr[〈B′′(z, Tn), V 〉(α, Is(α)) = 1] <1
p(n)
where Sn is a random variable uniformly distributed over {0, 1}poly(n)
and Tn is a random variable describing the output of B′(z) af-ter interacting with P (Sn), on common input (α, ISn(α)), forpolynomially many times.
Algorithm I is called the information-generating algorithm, and thepair (P, V ) is called the identification protocol.
• Remarks. A system that merely satisfies the definition is not a goodidentification scheme in many contexts. An obvious weakness of the defi-nition is that a system following the definition is not secure when runningconcurrently.
• Construction based on a one-way function. Let f be a one-wayfunction. On input an identity α ∈ {0, 1}n, the information-generatingalgorithm uniformly selects a string s ∈ {0, 1}n and outputs f(s) (Hence,(α, f(s)) is the public record for the user name α.) The identificationprotocol Π consists of a proof of knowledge of the inverse of the secondelement in the public record. Namely, in order to prove its identity, user αproves that it knows a string s such that f(s) = r, where (α, r) is a recordin the public file.
– The Fiat-Shamir Identification Scheme. On input an identityα ∈ {0, 1}n, the information-generating algorithm uniformly selectsa composite number N that is the product of two n-bit-long primesand a residue s mod N , and it outputs the pair (N, s2 mod N). (Thepair (α, N, s2 mod N)) is the public record for user α.) The identifi-cation protocol consists of a proof of knowledge of the correspondingmodular square root. The proof of knowledge can be constructed asfollows. On the common input (r,N), where the prescribed proverhas auxiliary input s such that r ≡ s2 mod N .
81
1. The prover randomly selects a residue g modulo N and sendsh = g2 mod N to the verifier.
2. The verifier uniformly selects σ ∈ {0, 1} and sends it to theprover.
3. The prover replies with a = g · sσ mod N .4. The verifier accepts if and only if the message h and a sent by
the prover satisfy a2 = g · rσ mod N .
4.13 Non-Interactive Zero-Knowledge
With an extra uniformly distributed reference string, a pair of machines (P, V )consists of a non-interactive system in which only the prover sends a messageto the verifier.
• Non-interactive proof system. A pair of probabilistic machines (P, V )is called a non-interactive proof system for a language L if V is polynomial-time and the following two conditions hold:
– Completeness: For every x ∈ L, Pr[V (x,R, P (x,R)) = 1] ≥ 23 , where
R is a random variable uniformly distributed in {0, 1}poly(n).– Soundness: For every x /∈ L and every interactive machine B,
Pr[V (x, R, B(x,R)) = 1] ≤ 13 , where R is a random variable uni-
formly distributed in {0, 1}poly(n).
The uniformly chosen string R is called the common reference string.
• Non-interactive Zero-knowledge. A non-interactive proof system (P, V )for a language L is zero-knowledge if there exists a polynomial p anda probabilistic polynomial-time algorithm M such that the ensembles{x,Up(|x|), P (x, Up(|x|))}x∈L and {M(x)}x∈L are computationally indis-tinguishable, where Um is a random variable uniformly distributed over{0, 1}m.
• Remarks. (1) The proof system preserves zero-knowledge when appliedpolynomially many times with the same common reference string. (2) Theadversarial verifier is not adaptive (i.e. the common input x is not chosenafter the common reference string R is fixed).
• Adaptive version. Let (P, V ) be a non-interactive proof system for alanguage L.
– Adaptive soundness: we say that (P, V ) is adaptive sound if for everyn and every pair of functions Ξ : {0, 1}poly(n) → ({0, 1}n\L) andΠ : {0, 1}poly(n) → {0, 1}poly(n),
Pr[V (Ξ(R), R, Π(R)) = 1] ≤ 13
where R is a random variable uniformly distributed in {0, 1}poly(n).
82
– Adaptive zero-knowledge: We say that (P, V ) is adaptively zero-knowledge if there exist two probabilistic polynomial-time algorithmsM1 and M2 such that for every function Ξ : {0, 1}poly(n) → ({0, 1}n∩L) the ensembles {(Rn,Ξ(Rn), P (Ξ(Rn), Rn))}n∈N , and {MΞ(1n)}n∈N
are computationally indistinguishable, where Rn is a random variableuniformly distributed in {0, 1}poly(n) and MΞ(1n) denotes the outputof the following randomized process:
∗ (r, s) ← M1(1n)∗ x ← Ξ(r)∗ π ← M2(x, s)∗ Output (r, x, π)
Namely, M1 generates a pair (r, s) consisting of a supposedly commonreference string r and auxiliary information s to be used by M2.The latter, given an adaptively selected input x and the auxiliaryinformation s, generates an alleged proof π. x can depend on r, butnot on s.
• Hidden-bits proof system. A pair of probabilistic machines (P, V ) is ahidden-bits proof system for L if V is polynomial-time and the followingtwo conditions hold:
– Completeness: For every x ∈ L, Pr[V (x,RI , I, π) = 1] ≥ 23 , where
(I, π) = P (x,R) is a random variable uniformly distributed in {0, 1}poly(n),and RI is the sub-string of R at positions I ⊆ {1, 2, . . . , poly(|x|)}.That is RI = ri1 , . . . , rit and I = {i1, . . . , it}.
– Soundness: For every x /∈ L and every interactive machine B,Pr[V (x, RI , B(x,R)) = 1] ≤ 1
3 , (I, π) = B(x,R) is a random variableuniformly distributed in {0, 1}poly(n), and RI is the sub-string of Rat positions I ⊆ {1, 2, . . . , poly(|x|)}.
In both cases, I is called the set of revealed bits and π is called the certifi-cate. Zero-knowledge is defined as before, with the exception that we needto simulate (x,RI , P (x, R)) = (x,RI , I, π) rather than (x,R, P (x,R)).
• A hidden-bits system for HC.
– Common input: A directed graph G = (V, E) with n = |V |.– Common reference string: Viewed as an n3-by-n3 boolean matrix
M , with each entry being 1 with probability n−5. (Breaking thecommon reference string into blocks of length 5log2n and setting amatrix entry to 1 if and only if the corresponding block is all 1’s.)
– Definitions: A permutation matrix is a matrix in which each row(resp. column) contains a single entry of value 1. A Hamiltonianmatrix is a permutation matrix that corresponds to a simple directedcycle going through all rows and columns. An n3-by-n3 matrix is
83
called useful if it contains a generalized n-by-n Hamiltonian sub-matrix and all other n6−n2 entries are 0. That is, a useful n3-by-n3
matrix contains exactly n 1-entries that form a simple n-cycle.
– Prover: Let C be a Hamiltonian cycle in G, in case such exists. Theprover examines the matrix M and acts according to the followingtwo cases:Case 1: M is useful. Let H denote its Hamiltonian n-by-n sub-matrixand CH the corresponding Hamiltonian cycle in H.
∗ The prover reveals all (n6 − n2) entries in M that are not in H.∗ The prover finds a 1-1 mapping, π1, of V to the rows of H, a 1-1
mapping, π2, of V to the columns of H, so that the edges of Care mapped to the 1-entries of H.
∗ The prover reveals the (n2 − |E|) entries corresponding to non-edges of G.
∗ The prover outputs the mapping pair (π1, π2)
Case 2: M is not useful. The prover reveals all entries of M .
– Verifier: Given the revealed entries and possibly a certificate, theverifier acts according to the following two cases:Case 1: The prover has not revealed all entries in M . Let (π1, π2) bethe certificate sent by the prover. The verifier checks that all entriesin M that do not have pre-images under (π1, π2) in E are revealedand are indeed zero. That is, the verifier accepts if all matrix entries,except for the entries in {(π1(u), π2(v)) : (u, v) ∈ E}, are revealedand all revealed bits are 0.Case 2: The prover has revealed all of M . In this case the verifieraccepts if and only if M is not useful.
• Construction of non-interactive proof. Let (P, V ) be a hidden-bits proofsystem for L, and suppose that f is one-way permutation f : {0, 1}∗ →{0, 1}∗ and the hard-core bit b : {0, 1}∗ → {0, 1}. Let m = poly(n) denotethe length of the common reference string for common inputs of length n.The following is a zero-knowledge non-interactive proof system (P ′, V ′).
– Common input: x ∈ {0, 1}n
– Common reference string: s = (s1, . . . , sn) where each si is in {0, 1}n
– Prover (denoted P ′)
1. computes ri = b(f−1(si)) for i = 1, 2, . . . ,m
2. invokes P to obtain (I, π) = P (x, r1, . . . , rm)3. outputs (I, π, pI) where pI = (f−1(si1) · · · f−1(sit)) for I =
(i1, . . . , it).
– Verifier (denoted V ′): Given the prover’s output (I, π, (p1 · · · pn)),the verifier
1. checks that sij = f(pj) for each ij ∈ I.
84
2. computes ri = b(pi) for i = 1, . . . , t, let r = r1, . . . , rt,3. invokes V on (x, r, I, π) and accepts if and only if V accepts.
• Theorem. Assuming the existence of one-way permutations, each languagein NP has a zero-knowledge non-interactive proof system. Furthermore,assuming the existence of families of trapdoor permutations, each languagein NP has a zero-knowledge non-interactive proof system in which theprover can be implemented by a probabilistic polynomial-time machinethat gets an NP witness as auxiliary input.
4.14 Multi-Prover Zero-Knowledge Proofs
In an interactive proof system, there is one verifier but more than one prover(two provers, use of more provers would not offer any essential advantage).These provers have the same strategy, the same common input, auxiliary inputand share the random input tape. However, these provers do not share othertapes, hence cannot communicate with each other. We can construct perfectzero-knowledge proof systems for NP in the multi-prover paradigm without anycomplexity-theoretic assumption.
• Two partner model. The two-partner model consists of three interactivemachines, two called partners and the third called the solitary, that arelinked and interact as hereby specified:
– The input tapes of all three parties coincide, and their content iscalled the common input.
– The random tapes of the two partners coincide and are called thepartners’ random tape.
– The solitary has two pairs of communication tapes and two switchtapes, instead of a single pair of communication tapes and a singleswitch tape.
– The two partners have the same identity, and the solitary has anopposite identity.
– The first (resp. second) switch tape of the solitary coincides with theswitch tape of the first (resp. second) partner, and the first (resp.second) read-only communication tape of the solitary coincides withthe write-only communication tape of the first (resp. second) partner,and vice versa.
– The joint computation of the three parties, on a common input x, isa sequence of triplets. Each triplet consists of the local configurationsof the tree machines. The behavior of each partner-solitary pair isas in the definition of the joint computation of a pair of interactivemachines.
We denote by 〈P1, P2, S〉(x) the output of the solitary S after interactingwith the partners P1 and P2, on common input x.
85
• Two-Prover interactive proof system. A triplet of probabilistic ma-chines (P1, P2V ) in the two-partner model is called a proof system for alanguage L if V is polynomial-time and the following two conditions hold:
– Completeness: For every x ∈ L, Pr[〈P1, P2, V 〉(x) = 1] ≥ 23 .
– Soundness: For every x /∈ L and every pair of partners (B1, B2),Pr[〈B1, B2, V 〉(x) = 1] ≤ 1
3 .
• Zero-knowledge. A two-prover proof system (P1, P2, V ) for a language Lis perfect zero-knowledge if for every probabilistic polynomial-time inter-active machine V ∗ there exists a probabilistic polynomial-time algorithmM∗ such that for every x ∈ L the random variables 〈P1, P2, V
∗〉(x) andM∗(x) are identically distributed.
• Theorem. Every language in NP has a perfect zero-knowledge two-prover proof system. Furthermore, this proof system has the followingadditional properties:
– Communication is conducted in a single round. The verifier sendsa single message to each of the two provers, which in turn respondwith a single message.
– The soundness error is exponentially vanishing.
– The strategies of the two provers can be implemented by probabilisticpolynomial-time machines that get an NP -witness as auxiliary input.
• Construction of two-prover proof of graph coloring.
1. The first prover uses the prover’s random tape to determine a permu-tation of the coloring. To commit to each of the resulting colors, thefirst prover invokes the commit phase of a two-sender bit commit-ment, setting the security parameters to be the number of verticesin the graph.
2. The verifier uniformly selects an edge and sends it to the secondprover. In response, the second prover reveals the colors of the end-points of the required edge by sending the portions of the prover’srandom tape used in the corresponding instance of the commit phase.
• Simulator.
1. The simulator generates random “commitments to nothing”. Namelythe simulator invokes the verifier and answers the verifier’s messagesthat belong to the commit phase by a sequence of uniformly chosenstrings over {0, 1, 2}.
2. Upon receiving the query-edge (u, v) from the verifier, the simulatoruniformly selects two different colors φu and φv and opens the cor-responding commitments so as to reveal these values. The simulatorcan respond because it knows the messages sent by the verifier (in the
86
real interaction, the message is to the second prover). Specifically,given the receiver’s view of the commit phase (r1 · · · rn, c1, · · · cn),a 0-opening (resp. 1-opening) is computed by setting si = π−1
ri(ci)
(resp. si = π−1ri
(ci − 1)).
4.15 Ressetable Zero-knowledge
• General notion. a resettable zero-knowledge protocol is one that re-mains zero knowledge even if an adversary can interact with the provermany times, each time resetting the prover to its initial state and forcingit to use the same random tape.
• Construction. This construction is based on Richardson and Kilian’sconstruction of concurrent proof with some modifications.
– Common input. a security parameter k and x ∈ L such that L ∈ NP .
– Prover’s auxiliary input. an NP -witness w for x ∈ L.
– Prover’s randomness. A pair (r1, f2), where r1 ∈ {0, 1}poly(k) is oflength adequate for the first part of the random-type of P and f2 :{0, 1}≤poly(k) → {0, 1}poly(k) is a description of a function taken froman ensemble of pseudorandom functions.
– Stage 1.
1. Using a two-round perfectly-hiding commitment scheme,the verifier commits to k uniformly selected k-bit strings and aset of edges of a graph E which the verifier wants to challengethe prover (the graph is generated through a standard reductionfrom x ∈ L to a G3C: G = (V, E)).∗ The prover acting as a receiver, sends the first message. The
message is generated based on the first part of the prover’srandomness (i.e r1) and common input x.
∗ The verifier responds by uniformly selecting ζ1, . . . , ζk ∈ {0, 1}k
and a set of edges E = {(ui, vi) ∈ E}, and sending to theprover its commitment to each of the ζi, ui and vi’s. Denoteby β = β1, . . . , βk, γ = γ1, . . . , γt and ξ = ξ1, . . . , ξt the threesequences of commitments to ζi , uj and vj sent by the ver-ifier, where t = n3 such that n is the number of vertices inthe graph.
2. Prover set r2 = f2(x, r1, β, γ, ξ) as the residual content of itsrandom tape.
3. For i = 1, . . . , k, the following two-round interaction goes on.(a) The prover uses a perfect-binding commitment to com-
mit to a random k-bit string, denoted pi.(b) The verifier decommits to βi by providing ζi along with the
randomness used in forming βi from ζi.
87
– Stage 2. The prover provides a proof that either x ∈ L or ζi = pi,for some i. Because the prover has the witness w for x ∈ L, it cangenerate the witness ψ form w for the G3C instance reduced fromx ∈ L. Now the prover applies the residual proof of G3C.
1. The first step of prover (P 1). The prover randomly selects tpermutations π1, . . . , πt over {1, 2, 3} and sets φj(v) = πj(ψ(v))for each v ∈ V and 1 ≤ j ≤ t. The prover uses a perfectlybinding commitment scheme to commit itself to the colorsof each of the vertices according to each 3-coloring. Namely,the prover uniformly and independently selects s1,1, . . . , sn,t ∈{0, 1}n, computes ci,j = Csi,j (φj(i)) for each i ∈ V and 1 ≤ j ≤t, and sends c1,1, . . . , cn,t to the verifier.
2. The first step of the verifier (V 1). The verifier reveals its com-mitments to the edges in Stage 1, yielding the sequence E =((u1, v1), . . . , (ut, vt)).
3. The second step of the prover (P 2). The prover checks that themessage received from the verifier is indeed a valid revealing ofthe commitment to the edges made by the verifier in Stage 1.Otherwise the prover halts immediately. Denote the sequenceof the revealed t edges by (u1, v1), . . . , (ut, vt). The prover usesthe reveal phase of the perfectly binding commitment schemein order to reveal to the verifier, for each j, the jth coloring ofvertices uj and vj .
4. The second step of the verifier (V 2). The verifier checks whetheror not the revelations are valid.
– Remarks. (1) The above construction is a constant-round reset-table witness-indistinguishable proof system for NP. (2) If we onlyuse the commitments to commit one edge in Stage 1 and Stage 2,the proof is a resettable zero-knowledge proof system for NP. How-ever this construction is not constant-round. (3) In the public keymodel where verifiers have fixed, public keys associated with them,constant-round resettable zero-knowledge arguments for NP can beconstructed. (4) Allowing the prover to reset the verifier’s random-ness, resettably-sound zero-knowledge proofs and arguments are con-structible and can be used to construct resettable zero-knowledgearguments of knowledge for NP by relaxing the definition of argu-ments (and proofs) of knowledge. Note that under the standarddefinition of proof os knowledge, it is impossible to obtainresettable zero-knowledge arguments of knowledge for lan-guage outside BPP . Recall that to define the knowledge extractorof a proof of knowledge, the extractor extracts the knowledge byresetting the prover’s random tape.
88
4.16 ♣Knowledge Complexity
89
Bibliography
[1] B. Barak. How to go beyond the black-box barrier. 2001
[2] B. Barak, O. Goldreich, S. Goldwasser and Y. Lindell. Resettably-soundzero-knowledge and its applciations. 2001
[3] B.Barak and Y. Lindel. Strict polynomial-time simulator and extractor. theProc. of the 34th ACM Symp. on Theory of Computing (STOC), 2002.
[4] Mihir Bellare and Oded Goldreich. On Defining Proofs of Knowledge.Crypto92, LNCS 740, 1992
[5] Ran Canetti, Oded Goldreich and Shai Halevi. The Random OracleMethodology, Revisited, the Proc. of the 30th ACM Symp. on Theory ofComputing (STOC), 1998.
[6] Ran Canetti, Oded Goldreich, S. Goldwasser and S. Micali. Ressetable zero-knowlege. In 32nd ACM Symp. on Theory of Computing (STOC), 2000.
[7] L. Damgard. Efficient concurrent zero-knowledge in the auxiliary stringmodel. In Eurocrypt’00, 2000.
[8] G. Dwork, M. Naor and A. Shai. Concurrent Zero-Knowledge. the Proc. ofthe 30th ACM Symp. on Theory of Computing (STOC), 1998.
[9] U. Feige and A. Shamir. Zero-Knowledge Proofs of Knowledge in TwoRounds. 1989
[10] Shafi Goldwasser and Mihir Bellare. Lecture Notes on Cryptography, 2001
[11] Oded Goldreich. Zero-Knowledge twenty years after its invention. 2004
[12] R. Richardson and J. Kilian. On the concurrent composition of zero-knowledge proofs. In Eurocrypt99, 1999.
90
