How to Stop Cheaters In Zero-Knowledge Interactive Proofs

How to Stop CheatersHow to Stop CheatersIn Zero-KnowledgeIn Zero-Knowledge

Interactive ProofsInteractive Proofs

Oded Goldreich (Weizmann)Amit Sahai (MIT)

Salil Vadhan (MIT)

Zero-Knowledge: yeild nothing beyond validity of assertion

Usual proof: - Convincing - Lots of Knowledge

New Notion of Proof:

Interactive Process: Prover tries to convince Verifier

Probabilistic Confidence

Proofs and Zero-Proofs and Zero-KnowledgeKnowledge

I understand!

I tell you, PNP!

How’s that?

Proof: …………..….

Interactive Proof Interactive Proof System[GMR]System[GMR]

for a language L

v1

p1

v2

pk

accept/reject

ProverVerifier

Interactive protocol in which computationally unbounded Prover tries to convince probabilistic poly-time Verifier that a string x belongs to language L.

• (Completeness): When xL, Verifier accepts with high prob.• (Soundness): When xL, no matter what strategy Prover uses, Verifier accepts with low prob.

Graph IsomorphismGraph Isomorphism

The Problem:

1

2

34

5

6

78

1

2

34

5

6

78

Are these graphs the same undera relabeling of vertices?

G0 G1

YES

6 2 8 1 4 5 3 7

1 2 3 4 5 6 7 8

Relabeling: G0 G1

Zero Knowledge Zero Knowledge Proof System [GMW]Proof System [GMW]

Verifier Prover

H

Pick G0 or G1

at random:b R {0,1} b

Check if maps H Gb.If so, accept. If not, reject.

Let H be graph obtained by random relabelingof G0

Let be therelabeling H Gb

Honest Verifier Simulator :- Pick G0 or G1 at random first: b R {0,1}.- Then let H be graph obtained by random relabeling of Gb -- and call the relabeling .Output (H, b, ).

General Verifiers...

SimulatorH: rdm relabeling Of Gb

b: random bit: relabeling H Gb

H

G0G1

Why it worksWhy it works

ProtocolH: rdm relabeling Of G0

b: random bit: relabeling H Gb

Zero-Knowledge (ZK)Zero-Knowledge (ZK)

Scope:

Honest Verifier

Any Verifier

v1

p1

v2

pk

accept/reject

When assertion is true, Verifier can produce transcripts of the interaction on her own.

Zero-Knowledge means Verifier learns nothing except truth of assertion.

Implementation Idea:

Statistical Zero-Knowledge Statistical Zero-Knowledge (SZK)(SZK)

Proof Systems[GMR]:Proof Systems[GMR]:Honest and GeneralHonest and General

Proof system for L is statistical zero-knowledge for the Honest Verifier (HVZK) if for the honest Verifier V, there exists a probabilistic poly-time simulator S such that, when xL, the output distribution S(x) is statistically close to the distribution of transcripts from actual interactions of V with Prover. Proof system for L is statistical zero-knowledge for General Verifiers (General ZK), if for every probabilistic poly-time Verifier V*, there exists a probabilistic poly-time simulator S such that, when xL, the output distribution S(x) is statistically close to the distribution of transcripts from actual interactions of V* with Prover.

2

Area YXX Y

Statistical Difference metric between distributions

x

xYxXYX ]Pr[]Pr[2

1

statistically close means statistical difference is exponentially small in input size n =|x|.

Our ResultsOur Results

Easier to prove statements about the honest-verifier model, e.g. HVSZK. By result, structural properties extend to General ZK as well.

Methodology:

Design an HVZK proof

Transform into General ZK proof

We show how to transform proofs ZK for theHonest Verifier into ones ZK for Any Verifier.

Why?Why?

Our Results (really)Our Results (really)

For Public-Coin Statistical Zero-Knowledge Proof Systems:

Show how to transform any proof ZKfor Honest Verifier into proof ZK for Any Verifier.

No computational assumptions needed for transformation.

ZK condition holds even for computationally unbounded Verifiers

For SZK, [Oka96] gives a transformation: HV Public-Coin HV. We transform: Public-Coin HV General Hence, HV General w/o Public Coins.

Public Coin ProofsPublic Coin Proofs[Babai][Babai]

Arthur(Verifier)

Merlin(Prover)

Response

Response

Accept/Reject

Random Coins R)(}1,0{ n

Random Coins R)(}1,0{ n

Previous WorkPrevious Work

Assuming one-way functions exist, HV General. [BMO90, OVY93, Oka96]

Without such assumptions: but restricted to constant rounds, Public Coin HV General. [Dam94, DGW94]

TechniquesTechniques

Main Ingredients:

A new Random Selection Protocol.

A new Hashing Lemma about 2-universal hash functions.

Random SelectionRandom Selection

Two distrustful parties agree on a random string.

If any one party is dishonest, output should still have random properties.

r

r

Random Selection

r

r

Arthur Merlin

The TransformationThe Transformation

Random Selection

Arthur Merlin

The SimulatorThe Simulator

Use the Honest-Verifier Simulator togenerate transcript:

r

r

r

r

Desired Properties ofDesired Properties ofRandom Selection Random Selection

(RS)(RS)ProtocolProtocol

When Merlin is Dishonest, need guarantee that Merlin cannot control output distribution too much to ensure soundness of resulting proof system. (details omitted)

When Arthur is Dishonest, need Simulatordistribution to be close to true distribution:

HV Simulator outputs nearly uniform ‘s.Hence, RS protocol must also. Moreover, for almost every , need to simulate RS protocol to output .

i.e. For almost any , need distribution of Simulator for RS to be statistically close to distribution of actual RS transcripts, conditioned on the output being .

Random Selection Random Selection [DGW][DGW]

Arthur MerlinCell Rpartition

When Arthur is Dishonest, can simulate for only a 1/poly(n) fraction of ’s.

Yields result only for constant round.

We fix this.

Arthur selects “random” partition of message space into cells of size poly(n).

RCell

Cell

)(}1,0{ n

Our SolutionOur Solution

Arthur Merlin

Use [DGW] protocol to select randomly among sets of 2n possible ’s.

Any 1/poly(n) fraction of such sets will cover the space of ’s almost uniformly.

[DGW] RS protocolSet S of 2n

’sR S

Hash FunctionsHash Functions

We use hash functions to describe setsof ’s.

.}1,0{ to}1,0{ from ,)(

functionslinear -affine of space thebe Let

.}1,0{ be messagesArthur of space Let the

)()(

)(

nnn

n

bAxxh

H

For almost all h’s, h-1(0) is of size 2n.

H is a 2-universal family of hash functions, so ’s will be “well spread” over sets h-1(0).

We will use h-1(0) to be our set of ’s.

New Random New Random SelectionSelection


Arthur selects “random” partition of H into cells of size poly(n).

h RCell

h

Rh-

1(0)

Cell

Simulation ofSimulation ofRandom Selection Random Selection

(RS)(RS) The random tape of Arthur is already fixed; Arthur is deterministic.

Simulator, on input :

Obtains Arthur’s partition p.

Chooses cell y randomly among cells containing some h such that h(

If Arthur picks h such that h(, output (p,y,h,Otherwise repeat. Why does this work?

Simulator, on input : Obtains Arthur’s partition p. Chooses cell y randomly among cells containing some h such that h(. If Arthur picks h such that h(, output (p,y,h,Otherwise repeat.

RS Protocol & SimulatorRS Protocol & Simulator


h RCell

h

Rh-

1(0)

Cell

New Hashing LemmaNew Hashing Lemma

s,' offraction 2 abut allfor Then, (n)-

. )(

npoly

H

Moreover, the statistical difference betweenthe following two distributions is at most 2-n:

).,(Output

Let .}1,0{ Choose II)(

).,(Output

).0(Let . Choose (I)

)(

1

h

h

h

hh

Rn

R

RR

(Hence the simulation is polynomial time)

(Hence the simulation is statistically close.)

Let H be any set of size Blue

hBlue h

h hhBlue h

Blue

Blue






i.e. For almost any , need distribution of Simulator for RS to be statistically close to distribution of actual RS transcripts that output .

ConclusionsConclusions

We transform Public-Coin proofs ZK for the Honest Verifer into proofs ZK for any Verifier.

HVSZK = SZK

We give a new Hashing Lemma which may be of independent interest.

Statistical Zero-Knowledge Statistical Zero-Knowledge (SZK)(SZK)

Proof Systems[GMR]:Proof Systems[GMR]:Honest and GeneralHonest and General

Proof system for L is statistical zero-knowledge for the Honest Verifier (HVZK) if for the honest Verifier V, there exists a probabilistic poly-time simulator S such that, when xL, the output distribution S(x) is statistically close to the distribution of transcripts from actual interactions of V with Prover.

Proof system for L is statistical zero-knowledge for General Verifiers (General ZK), if for every probabilistic poly-time Verifier V*, there exists a probabilistic poly-time simulator S such that, when xL, the output distribution S(x) is statistically close to the distribution of transcripts from actual interactions of V* with Prover.

Hello there, my friend.


This is the beginning of the end, he said.There is no hope. What’s the use in going on? We’re all dead anyway… The door opened.


Test






i.e. Conditioned on a fixed , need Simulator distribution to be statistically close to distribution of actual RS transcripts that output .

Zero-Knowledge means Verifier learns nothing except truth of assertion.Formally, can simulate interaction.

Zero-Knowledge (ZK)Zero-Knowledge (ZK)

We give a transformation:

Proof ZK for Honest Verifier

Proof ZK for General Verifiers

Computational

Statistical General

HonestQuality Scope

Zero-Knowledge means Verifier learns nothing except truth of assertion.

Two classes of Verifiers:

Honest - follows the protocol

General- employs any strategy

Zero-KnowledgeZero-Knowledge

We give a transformation:

Proof ZK for Honest Verifier

Proof ZK for General Verifiers

Definitions

Black-Box Simulator:

Random TapeSimulator Verifier

v1

p1

pk

vk+1

vk

Simulator Verifier

Computational Zero-Knowledge: Require Simulator Distribution to be only Computationally Indistinguishable rather than statistically close.

Zero-Knowledge Proof Zero-Knowledge Proof [GMR85][GMR85]

v1

p1

v2

pk

accept/reject

When assertion is true, Verifier can simulate her view of the interaction on her own.

Formally, a proof system is Statistical ZK if for every Verifier, there is probabilistic poly-time simulator such that, when the assertion is true, its output distribution is statistically close to Verifier’s view of the interaction with Prover.Computational ZK : require simulator distribution to be computationallyindistinguishable rather than statistically close .

Our ResultsOur Results

For Public-Coin Proof Systems, for both Statistical ZK and Computational ZK:

Show how to transform any proof ZKfor Honest Verifier into proof ZK for Any Verifier.

For Statistical ZK, HVSZK = Public-Coin HVSZK [Oka96], so we show HVSZK = General SZK.

No computational assumptions

ZK condition holds even for computationally unbounded Verifiers

Previous WorkPrevious Work

For Computational Zero-Knowledge, assuming one-way functions exist, CZK = HVCZK = IP = PSPACE [GMW86, IY87, Ben-Or+88]

For Statistical Zero-Knowledge, assuming one-way functions exist, SZK = HVSZK [BMO90, OVY93, Oka96]

For both CZK and SZK, unconditionally, but restricted to constant round Public-Coin Proofs, Honest Verifier = General Verifier [Dam94, DGW94]


(RS)(RS) Dishonest Merlin:

)(2] OutcomePr[ , messagesArthur ofset any For SdensitySS

n

OK for Soundness by parallel repetitionof Original Proof System.

Dishonest Arthur: Outcome almost uniform. For every , can simulate RS to produce .

i.e. Conditioned on a fixed , the simulator distribution is statistically close to distribution of actual RS transcripts that produce .

Random Selection Random Selection [DGW][DGW]


Dishonest Merlin can cause at most 1/poly(n) statistical deviation.

For Dishonest Arthur: can simulate for only a 1/poly(n) fraction of ’s.

Yields result only for constant round.

We fix this.

Arthur selects “random” partition of message space into cells of size poly(n).

RCell

Cell

Properties ofProperties ofRandom Selection Random Selection



n

Still OK for Soundness.

Dishonest Arthur: Outcome almost uniform. For almost every , can simulate RS to produce .


)(1npoly

Public Coin ProofsPublic Coin Proofs[Babai][Babai]

Arthur Merlin

Random Coins

Response

Random Coins

Response

Accept/Reject

Properties ofProperties ofRandom Selection Random Selection



n

Still OK for Soundness.

Dishonest Arthur: Outcome almost uniform. For almost every , can simulate RS to produce .


)(1npoly

New Hashing LemmaNew Hashing Lemma

s,' offraction 2 abut allfor Then, (n)-

}.0)(|{Let hhH

. )(

npoly

H

)(1

npolyH

H

Moreover, the statistical difference betweenthe following two distributions is at most 2-n:

).,(Output . Let .}1,0{ Choose II)(

).,(Output ).0(Let . Choose (I)

)(

1

hHh

hhh

Rn

R

RR

(Hence the simulation is polynomial time)

(Hence the simulation is statistically close.)

Let H be any set of size

Blue

Blue

Blue

Blue

ConclusionsConclusions

We transform Public-Coin proofs ZK for the Honest Verifer into proofs ZK for any Verifier.

HVSZK = SZK

Public-Coin HVCZK= Public-Coin CZK

We give a new Hashing Lemma which may be of independent interest.

Honest-Verifier Honest-Verifier Statistical Zero-Statistical Zero-

Knowledge Knowledge EqualsEquals

General Statistical General Statistical

Zero-KnowledgeZero-Knowledge

Oded Goldreich (Weizmann)Amit Sahai (MIT)

Salil Vadhan (MIT)

Documents

How to Stop Cheaters In Zero-Knowledge Interactive Proofs