How to Stop Cheaters in Zero-Knowledge Interactive Proofs
Oded Goldreich (Weizmann), Amit Sahai (MIT), Salil Vadhan (MIT)
PowerPoint presentation
Proofs and Zero-Knowledge
Usual proof:
- Convincing
- Lots of Knowledge
New Notion of Proof:
- Interactive Process: Prover tries to convince Verifier
- Probabilistic Confidence
Zero-Knowledge: yield nothing beyond validity of assertion
I understand!
I tell you, PNP!
How’s that?
Proof: …………..….
Interactive Proof System [GMR] for a language L
[Diagram: Verifier and Prover exchange messages v1, p1, v2, …, pk; Verifier then outputs accept/reject]
Interactive protocol in which computationally unbounded Prover tries to convince probabilistic poly-time Verifier that a string x belongs to language L.
• (Completeness): When x ∈ L, Verifier accepts with high prob.
• (Soundness): When x ∉ L, no matter what strategy Prover uses, Verifier accepts with low prob.
Graph Isomorphism
The Problem: Are these graphs the same under a relabeling of vertices?
[Figure: two graphs, G0 and G1, each drawn on vertices 1 to 8]
YES
Relabeling: G0 → G1
6 2 8 1 4 5 3 7
1 2 3 4 5 6 7 8
Zero Knowledge Proof System [GMW]
Prover: Let H be graph obtained by random relabeling of G0. Send H to Verifier.
Verifier: Pick G0 or G1 at random: b ∈_R {0,1}. Send b to Prover.
Prover: Send the relabeling H → Gb to Verifier.
Verifier: Check if the relabeling maps H → Gb. If so, accept. If not, reject.
Honest Verifier Simulator:
- Pick G0 or G1 at random first: b ∈_R {0,1}.
- Then let H be graph obtained by random relabeling of Gb, and keep the relabeling.
Output (H, b, relabeling).
General Verifiers...
Why it works
Protocol: H: random relabeling of G0; b: random bit; relabeling H → Gb
Simulator: H: random relabeling of Gb; b: random bit; relabeling H → Gb
[Diagram: H shown with G0 and G1]
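
The protocol and honest-verifier simulator above, as an added Python example (not from the original slides): it enumerates every transcript (H, b, relabeling) of an honest run and every output of the simulator, and checks that the two distributions coincide. The 5-vertex graph, the relabeling PHI and all function names are constructed for illustration.

```python
import itertools
from collections import Counter

def relabel(perm, graph):
    """Apply a vertex relabeling (vertex i becomes perm[i]) to a set of edges."""
    return frozenset(frozenset((perm[u], perm[v])) for u, v in map(tuple, graph))

def compose(p, q):
    """Relabeling that applies q first, then p."""
    return tuple(p[q[i]] for i in range(len(q)))

def invert(p):
    inv = [0] * len(p)
    for i, j in enumerate(p):
        inv[j] = i
    return tuple(inv)

def verifier_accepts(g0, g1, transcript):
    """Verifier's check: the received relabeling must map H onto Gb."""
    h, b, pi = transcript
    return relabel(pi, h) == (g0, g1)[b]

def protocol_transcripts(g0, g1, phi, n):
    """Every (H, b, relabeling) an honest run can produce; phi maps G0 to G1."""
    out = Counter()
    for sigma in itertools.permutations(range(n)):    # Prover's random relabeling of G0
        h = relabel(sigma, g0)
        for b in (0, 1):                              # Verifier's random bit
            pi = invert(sigma) if b == 0 else compose(phi, invert(sigma))
            out[(h, b, pi)] += 1
    return out

def simulator_transcripts(g0, g1, n):
    """Every output of the honest-verifier simulator, which never uses phi."""
    out = Counter()
    for b in (0, 1):                                  # bit is chosen first
        for tau in itertools.permutations(range(n)):  # random relabeling of Gb
            out[(relabel(tau, (g0, g1)[b]), b, invert(tau))] += 1
    return out

# Constructed sample input: a 5-vertex graph and a relabeled copy of it.
N = 5
G0 = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3), (3, 4), (0, 2)])
PHI = (3, 0, 4, 1, 2)
G1 = relabel(PHI, G0)

if __name__ == "__main__":
    real = protocol_transcripts(G0, G1, PHI, N)
    sim = simulator_transcripts(G0, G1, N)
    print("identical distributions:", real == sim)
    print("all accepted:", all(verifier_accepts(G0, G1, t) for t in sim))
```

Because the simulator picks b before H, it only ever needs the relabeling it generated itself, which is why it works without knowing the isomorphism.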
Zero-Knowledge (ZK)
Zero-Knowledge means Verifier learns nothing except truth of assertion.
Implementation Idea: When assertion is true, Verifier can produce transcripts of the interaction on her own.
Scope:
- Honest Verifier
- Any Verifier
[Diagram: messages v1, p1, v2, …, pk, then accept/reject]
Statistical Zero-Knowledge (SZK) Proof Systems [GMR]: Honest and General
Proof system for L is statistical zero-knowledge for the Honest Verifier (HVZK) if for the honest Verifier V, there exists a probabilistic poly-time simulator S such that, when x ∈ L, the output distribution S(x) is statistically close to the distribution of transcripts from actual interactions of V with Prover.
Proof system for L is statistical zero-knowledge for General Verifiers (General ZK), if for every probabilistic poly-time Verifier V*, there exists a probabilistic poly-time simulator S such that, when x ∈ L, the output distribution S(x) is statistically close to the distribution of transcripts from actual interactions of V* with Prover.
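Statistical Difference metric between distributions X and Y:
$$\frac{1}{2}\sum_{x}\bigl|\Pr[X=x]-\Pr[Y=x]\bigr|$$
[Figure: curves of X and Y, with the statistical difference shown as Area / 2]
Statistically close means statistical difference is exponentially small in input size n = |x|.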
Our Results
We show how to transform proofs ZK for the Honest Verifier into ones ZK for Any Verifier.
Why?
Easier to prove statements about the honest-verifier model, e.g. HVSZK. By our result, structural properties extend to General ZK as well.
Methodology:
- Design an HVZK proof
- Transform into General ZK proof
Our Results (really)
For Public-Coin Statistical Zero-Knowledge Proof Systems:
Show how to transform any proof ZK for Honest Verifier into proof ZK for Any Verifier.
No computational assumptions needed for transformation.
ZK condition holds even for computationally unbounded Verifiers.
For SZK, [Oka96] gives a transformation: HV → Public-Coin HV. We transform: Public-Coin HV → General. Hence, HV → General w/o Public Coins.
Public Coin Proofs [Babai]
Arthur (Verifier), Merlin (Prover)
Arthur → Merlin: Random Coins ∈_R {0,1}^(n)
Merlin → Arthur: Response
Arthur → Merlin: Random Coins ∈_R {0,1}^(n)
Merlin → Arthur: Response
Arthur: Accept/Reject
Previous Work
Assuming one-way functions exist, HV → General. [BMO90, OVY93, Oka96]
Without such assumptions, but restricted to constant rounds, Public Coin HV → General. [Dam94, DGW94]
Techniques
Main Ingredients:
A new Random Selection Protocol.
A new Hashing Lemma about 2-universal hash functions.
Random Selection
Two distrustful parties agree on a random string.
If any one party is dishonest, output should still have random properties.
[Diagram: Arthur and Merlin run Random Selection; both obtain r]
The Transformation
[Diagram: Arthur, Merlin, Random Selection]
The Simulator
Use the Honest-Verifier Simulator to generate transcript:
[Diagram: transcript entries labelled r]
Desired Properties of Random Selection (RS) Protocol
When Merlin is Dishonest, need guarantee that Merlin cannot control output distribution too much to ensure soundness of resulting proof system. (details omitted)
When Arthur is Dishonest, need Simulator distribution to be close to true distribution:
HV Simulator outputs nearly uniform ’s. Hence, RS protocol must also. Moreover, for almost every , need to simulate RS protocol to output .
i.e. For almost any , need distribution of Simulator for RS to be statistically close to distribution of actual RS transcripts, conditioned on the output being .
Random Selection [DGW]
Arthur selects “random” partition of message space into cells of size poly(n).
[Diagram: Arthur sends partition of the message space {0,1}^(n); Merlin replies Cell ∈_R partition; Arthur then picks ∈_R Cell]
When Arthur is Dishonest, can simulate for only a 1/poly(n) fraction of ’s.
Yields result only for constant round.
We fix this.
Our Solution
Use [DGW] protocol to select randomly among sets of 2^n possible ’s.
Any 1/poly(n) fraction of such sets will cover the space of ’s almost uniformly.
[Diagram: Arthur and Merlin run the [DGW] RS protocol to obtain a set S of 2^n ’s; then ∈_R S]
Hash Functions
We use hash functions to describe sets of ’s.
Let the space of Arthur messages be {0,1}^(n).
Let H be the space of affine-linear functions from {0,1}^(n) to {0,1}^((n)−n), h(x) = Ax + b.
For almost all h’s, h^-1(0) is of size 2^n.
H is a 2-universal family of hash functions, so ’s will be “well spread” over sets h^-1(0).
We will use h^-1(0) to be our set of ’s.
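
An added Python example (not from the original slides) that enumerates the whole affine-linear family at a toy size and measures the properties claimed above: the share of h with |h^-1(0)| = 2^n, and the 2-universality that spreads messages evenly over the sets h^-1(0). The message length l = 4 with n = 2 and all function names are assumptions; at this toy size "almost all" is only about 82%.

```python
import itertools

def affine_family(l, m):
    """Yield every affine-linear map h(x) = Ax + b over GF(2) as (rows, b).
    rows holds the m rows of A as l-bit masks; b is an m-bit mask."""
    for rows in itertools.product(range(2 ** l), repeat=m):
        for b in range(2 ** m):
            yield rows, b

def evaluate(h, x):
    """Ax + b: output bit i is the parity of (row_i AND x), XOR bit i of b."""
    rows, b = h
    y = 0
    for i, row in enumerate(rows):
        y |= (bin(row & x).count("1") & 1) << i
    return y ^ b

def zero_set(h, l):
    """h^-1(0): the messages that h maps to the all-zero string."""
    return frozenset(x for x in range(2 ** l) if evaluate(h, x) == 0)

def survey(l, n):
    """Exhaustively measure the family from l-bit messages to (l - n)-bit outputs."""
    family = list(affine_family(l, l - n))
    zero_sets = [zero_set(h, l) for h in family]
    # Share of h whose zero set has exactly 2^n elements.
    right_size = sum(len(z) == 2 ** n for z in zero_sets) / len(family)
    # Number of h sending one message, or a pair of distinct messages, to 0.
    single = {x: sum(x in z for z in zero_sets) for x in range(2 ** l)}
    pair = {(x, y): sum(x in z and y in z for z in zero_sets)
            for x, y in itertools.combinations(range(2 ** l), 2)}
    return len(family), right_size, single, pair

if __name__ == "__main__":
    size, right_size, single, pair = survey(l=4, n=2)   # constructed toy parameters
    print("family size:", size)
    print("share of h with |h^-1(0)| = 2^n:", right_size)
    print("h with h(x) = 0, per message x:", set(single.values()))
    print("h with h(x) = h(y) = 0, per pair:", set(pair.values()))
```

Every message lies in the same number of zero sets, and every pair of distinct messages lies together in the same number of zero sets, which is the "well spread" property the slide relies on.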
New Random Selection
Arthur selects “random” partition of H into cells of size poly(n).
[Diagram: Arthur sends partition; Merlin replies Cell ∈_R partition; Arthur picks h ∈_R Cell; then ∈_R h^-1(0)]
Simulation of Random Selection (RS)
The random tape of Arthur is already fixed; Arthur is deterministic.
Simulator, on input :
Obtains Arthur’s partition p.
Chooses cell y randomly among cells containing some h such that h(
If Arthur picks h such that h(, output (p,y,h,Otherwise repeat. Why does this work?
RS Protocol & Simulator
[Diagram: Arthur sends partition; Merlin replies Cell ∈_R partition; Arthur picks h ∈_R Cell; then ∈_R h^-1(0)]
New Hashing Lemma
Let H be any set of size H / poly(n).
Then, for all but a 2^-(n) fraction of ’s,
(Hence the simulation is polynomial time)
Moreover, the statistical difference between the following two distributions is at most 2^-n:
(I) Choose h ∈_R . Let ∈_R h^-1(0). Output (h, ).
(II) Choose ∈_R {0,1}^(n). Let h ∈_R H. Output (h, ).
(Hence the simulation is statistically close.)
[Figure: regions labelled Blue and h]
Desired Properties of Random Selection (RS) Protocol
When Merlin is Dishonest, need guarantee that Merlin cannot control output distribution too much to ensure soundness of resulting proof system. (details omitted)
When Arthur is Dishonest, need Simulator distribution to be close to true distribution:
HV Simulator outputs nearly uniform ’s. Hence, RS protocol must also. Moreover, for almost every , need to simulate RS protocol to output .
i.e. For almost any , need distribution of Simulator for RS to be statistically close to distribution of actual RS transcripts that output .
Conclusions
We transform Public-Coin proofs ZK for the Honest Verifier into proofs ZK for any Verifier.
HVSZK = SZK
We give a new Hashing Lemma which may be of independent interest.
Desired Properties of Random Selection (RS) Protocol
When Merlin is Dishonest, need guarantee that Merlin cannot control output distribution too much to ensure soundness of resulting proof system. (details omitted)
When Arthur is Dishonest, need Simulator distribution to be close to true distribution:
HV Simulator outputs nearly uniform ’s. Hence, RS protocol must also. Moreover, for almost every , need to simulate RS protocol to output .
i.e. Conditioned on a fixed , need Simulator distribution to be statistically close to distribution of actual RS transcripts that output .
Zero-Knowledge means Verifier learns nothing except truth of assertion. Formally, can simulate interaction.
Zero-Knowledge (ZK)
We give a transformation:
Proof ZK for Honest Verifier → Proof ZK for General Verifiers
Quality: Computational, Statistical
Scope: Honest, General
Zero-Knowledge means Verifier learns nothing except truth of assertion.
Two classes of Verifiers:
Honest - follows the protocol
General - employs any strategy
Zero-Knowledge
We give a transformation:
Proof ZK for Honest Verifier → Proof ZK for General Verifiers
Definitions
Black-Box Simulator:
[Diagram: Simulator and Verifier, with the Verifier's Random Tape and messages v1, p1, …, vk, pk, vk+1]
Computational Zero-Knowledge: Require Simulator Distribution to be only Computationally Indistinguishable rather than statistically close.
Zero-Knowledge Proof [GMR85]
[Diagram: messages v1, p1, v2, …, pk, then accept/reject]
When assertion is true, Verifier can simulate her view of the interaction on her own.
Formally, a proof system is Statistical ZK if for every Verifier, there is probabilistic poly-time simulator such that, when the assertion is true, its output distribution is statistically close to Verifier’s view of the interaction with Prover.
Computational ZK: require simulator distribution to be computationally indistinguishable rather than statistically close.
Our Results
For Public-Coin Proof Systems, for both Statistical ZK and Computational ZK:
Show how to transform any proof ZK for Honest Verifier into proof ZK for Any Verifier.
For Statistical ZK, HVSZK = Public-Coin HVSZK [Oka96], so we show HVSZK = General SZK.
No computational assumptions
ZK condition holds even for computationally unbounded Verifiers
Previous Work
For Computational Zero-Knowledge, assuming one-way functions exist, CZK = HVCZK = IP = PSPACE [GMW86, IY87, Ben-Or+88]
For Statistical Zero-Knowledge, assuming one-way functions exist, SZK = HVSZK [BMO90, OVY93, Oka96]
For both CZK and SZK, unconditionally, but restricted to constant round Public-Coin Proofs, Honest Verifier = General Verifier [Dam94, DGW94]
Desired Properties of Random Selection (RS)
Dishonest Merlin: For any set S of Arthur messages,
$$\Pr[\text{Outcome} \in S] \le 2^{n}\cdot \text{density}(S)$$
OK for Soundness by parallel repetition of Original Proof System.
Dishonest Arthur: Outcome almost uniform. For every , can simulate RS to produce .
i.e. Conditioned on a fixed , the simulator distribution is statistically close to distribution of actual RS transcripts that produce .
Random Selection [DGW]
Arthur selects “random” partition of message space into cells of size poly(n).
[Diagram: Arthur sends partition; Merlin replies Cell ∈_R partition; Arthur then picks ∈_R Cell]
Dishonest Merlin can cause at most 1/poly(n) statistical deviation.
For Dishonest Arthur: can simulate for only a 1/poly(n) fraction of ’s.
Yields result only for constant round.
We fix this.
Properties of Random Selection (RS)
Dishonest Merlin: For any set S of Arthur messages,
$$\Pr[\text{Outcome} \in S] \le 2^{n}\cdot \text{density}(S)$$
Still OK for Soundness.
Dishonest Arthur: Outcome almost uniform. For almost every , can simulate RS to produce .
i.e. Conditioned on a fixed , the simulator distribution is statistically close to distribution of actual RS transcripts that produce .
)(1npoly
Public Coin Proofs [Babai]
Arthur → Merlin: Random Coins
Merlin → Arthur: Response
Arthur → Merlin: Random Coins
Merlin → Arthur: Response
Arthur: Accept/Reject
New Hashing Lemma
Let H be any set of size H / poly(n).
Let H = {h | h( ) = 0}.
Then, for all but a 2^-(n) fraction of ’s,
)(1
npolyH
H
(Hence the simulation is polynomial time)
Moreover, the statistical difference between the following two distributions is at most 2^-n:
(I) Choose h ∈_R . Let ∈_R h^-1(0). Output (h, ).
(II) Choose ∈_R {0,1}^(n). Let h ∈_R H. Output (h, ).
(Hence the simulation is statistically close.)
[Figure: regions labelled Blue]
Conclusions
We transform Public-Coin proofs ZK for the Honest Verifier into proofs ZK for any Verifier.
HVSZK = SZK
Public-Coin HVCZK = Public-Coin CZK
We give a new Hashing Lemma which may be of independent interest.
Honest-Verifier Statistical Zero-Knowledge Equals General Statistical Zero-Knowledge
Oded Goldreich (Weizmann), Amit Sahai (MIT), Salil Vadhan (MIT)