Embed Size (px)
Citation preview
Lecture 23: Zero-Knowledge Proofs
Rafael Oliveira
University of WaterlooCheriton School of Computer Science
July 29, 2021
1 / 83
Overview
Why Zero Knowledge?
Zero-Knowledge Proofs
Conclusion
Acknowledgements
2 / 83
Cyptography
In cryptography, want to communicate with other people/entitieswhom we may not trust.
Or we may not trust the channel of communication
someone may eavesdrop our messagesmessages could be corruptedsomeone may try to impersonate usit’s a wild world out there
Situation
Alice has all her files encrypted (in public database)Bob requests from her the contents of one of her files
She could simply send the decrypted file to BobBob has no way of knowing that this message comes from Alice (orthat this is indeed the right file)Alice could prove to Bob this is the correct file by sending herencryption keyBut then Bob has access to her entire database!Can Alice convince Bob that she gave right file without giving anymore knowledge beyond that she gave right file?
3 / 83
Cyptography
In cryptography, want to communicate with other people/entitieswhom we may not trust.
Or we may not trust the channel of communication
someone may eavesdrop our messagesmessages could be corruptedsomeone may try to impersonate usit’s a wild world out there
Situation
Alice has all her files encrypted (in public database)Bob requests from her the contents of one of her files
She could simply send the decrypted file to BobBob has no way of knowing that this message comes from Alice (orthat this is indeed the right file)Alice could prove to Bob this is the correct file by sending herencryption keyBut then Bob has access to her entire database!Can Alice convince Bob that she gave right file without giving anymore knowledge beyond that she gave right file?
4 / 83
Cyptography
In cryptography, want to communicate with other people/entitieswhom we may not trust.
Or we may not trust the channel of communication
someone may eavesdrop our messagesmessages could be corruptedsomeone may try to impersonate usit’s a wild world out there
Situation
Alice has all her files encrypted (in public database)Bob requests from her the contents of one of her files
She could simply send the decrypted file to BobBob has no way of knowing that this message comes from Alice (orthat this is indeed the right file)Alice could prove to Bob this is the correct file by sending herencryption keyBut then Bob has access to her entire database!Can Alice convince Bob that she gave right file without giving anymore knowledge beyond that she gave right file?
5 / 83
Cyptography
In cryptography, want to communicate with other people/entitieswhom we may not trust.
Or we may not trust the channel of communication
someone may eavesdrop our messagesmessages could be corruptedsomeone may try to impersonate usit’s a wild world out there
Situation
Alice has all her files encrypted (in public database)Bob requests from her the contents of one of her filesShe could simply send the decrypted file to Bob
Bob has no way of knowing that this message comes from Alice (orthat this is indeed the right file)Alice could prove to Bob this is the correct file by sending herencryption keyBut then Bob has access to her entire database!Can Alice convince Bob that she gave right file without giving anymore knowledge beyond that she gave right file?
6 / 83
Cyptography
In cryptography, want to communicate with other people/entitieswhom we may not trust.
Or we may not trust the channel of communication
someone may eavesdrop our messagesmessages could be corruptedsomeone may try to impersonate usit’s a wild world out there
Situation
Alice has all her files encrypted (in public database)Bob requests from her the contents of one of her filesShe could simply send the decrypted file to BobBob has no way of knowing that this message comes from Alice (orthat this is indeed the right file)
Alice could prove to Bob this is the correct file by sending herencryption keyBut then Bob has access to her entire database!Can Alice convince Bob that she gave right file without giving anymore knowledge beyond that she gave right file?
7 / 83
Cyptography
In cryptography, want to communicate with other people/entitieswhom we may not trust.
Or we may not trust the channel of communication
someone may eavesdrop our messagesmessages could be corruptedsomeone may try to impersonate usit’s a wild world out there
Situation
Alice has all her files encrypted (in public database)Bob requests from her the contents of one of her filesShe could simply send the decrypted file to BobBob has no way of knowing that this message comes from Alice (orthat this is indeed the right file)Alice could prove to Bob this is the correct file by sending herencryption key
But then Bob has access to her entire database!Can Alice convince Bob that she gave right file without giving anymore knowledge beyond that she gave right file?
8 / 83
Cyptography
In cryptography, want to communicate with other people/entitieswhom we may not trust.
Or we may not trust the channel of communication
someone may eavesdrop our messagesmessages could be corruptedsomeone may try to impersonate usit’s a wild world out there
Situation
Alice has all her files encrypted (in public database)Bob requests from her the contents of one of her filesShe could simply send the decrypted file to BobBob has no way of knowing that this message comes from Alice (orthat this is indeed the right file)Alice could prove to Bob this is the correct file by sending herencryption keyBut then Bob has access to her entire database!
Can Alice convince Bob that she gave right file without giving anymore knowledge beyond that she gave right file?
9 / 83
Cyptography
In cryptography, want to communicate with other people/entitieswhom we may not trust.
Or we may not trust the channel of communication
someone may eavesdrop our messagesmessages could be corruptedsomeone may try to impersonate usit’s a wild world out there
Situation
Alice has all her files encrypted (in public database)Bob requests from her the contents of one of her filesShe could simply send the decrypted file to BobBob has no way of knowing that this message comes from Alice (orthat this is indeed the right file)Alice could prove to Bob this is the correct file by sending herencryption keyBut then Bob has access to her entire database!Can Alice convince Bob that she gave right file without giving anymore knowledge beyond that she gave right file?
10 / 83
Zero-Knowledge Proofs
Proofs in which the verifier gains no knowledge beyond the validity of theassertion.
11 / 83
Knowledge vs Information
What do you mean by knowledge?
What does it mean to “learn something/gain knowledge”?
What is difference between knowledge and information?
First question is quite complex, so let’s only talk about the secondand third
Knowledge has to do with your computational ability
If you could have found the answer (i.e. computed it) without help,then you gained no knowledge
Example:
Bob asks Alice whether a graph G is Eulerian
Bob gains no knowledge in this interaction, since he could havecomputed it by himself (By Euler’s theorem: check that all verticeshave even degree)Bob asks Alice if graph G has Hamiltonian cycleBob now gains knowledge (P 6= NP ⇒ Bob could not compute it)
In both cases Alice conveyed information!
12 / 83
Knowledge vs Information
What do you mean by knowledge?
What does it mean to “learn something/gain knowledge”?
What is difference between knowledge and information?
First question is quite complex, so let’s only talk about the secondand third
Knowledge has to do with your computational ability
If you could have found the answer (i.e. computed it) without help,then you gained no knowledge
Example:
Bob asks Alice whether a graph G is Eulerian
Bob gains no knowledge in this interaction, since he could havecomputed it by himself (By Euler’s theorem: check that all verticeshave even degree)Bob asks Alice if graph G has Hamiltonian cycleBob now gains knowledge (P 6= NP ⇒ Bob could not compute it)
In both cases Alice conveyed information!
13 / 83
Knowledge vs Information
What do you mean by knowledge?
What does it mean to “learn something/gain knowledge”?
What is difference between knowledge and information?
First question is quite complex, so let’s only talk about the secondand third
Knowledge has to do with your computational ability
If you could have found the answer (i.e. computed it) without help,then you gained no knowledge
Example:
Bob asks Alice whether a graph G is Eulerian
Bob gains no knowledge in this interaction, since he could havecomputed it by himself (By Euler’s theorem: check that all verticeshave even degree)Bob asks Alice if graph G has Hamiltonian cycleBob now gains knowledge (P 6= NP ⇒ Bob could not compute it)
In both cases Alice conveyed information!
14 / 83
Knowledge vs Information
What do you mean by knowledge?
What does it mean to “learn something/gain knowledge”?
What is difference between knowledge and information?
First question is quite complex, so let’s only talk about the secondand third
Knowledge has to do with your computational ability
If you could have found the answer (i.e. computed it) without help,then you gained no knowledge
Example:
Bob asks Alice whether a graph G is Eulerian
Bob gains no knowledge in this interaction, since he could havecomputed it by himself (By Euler’s theorem: check that all verticeshave even degree)Bob asks Alice if graph G has Hamiltonian cycleBob now gains knowledge (P 6= NP ⇒ Bob could not compute it)
In both cases Alice conveyed information!
15 / 83
Knowledge vs Information
What do you mean by knowledge?
What does it mean to “learn something/gain knowledge”?
What is difference between knowledge and information?
First question is quite complex, so let’s only talk about the secondand third
Knowledge has to do with your computational ability
If you could have found the answer (i.e. computed it) without help,then you gained no knowledge
Example:
Bob asks Alice whether a graph G is EulerianBob gains no knowledge in this interaction, since he could havecomputed it by himself (By Euler’s theorem: check that all verticeshave even degree)
Bob asks Alice if graph G has Hamiltonian cycleBob now gains knowledge (P 6= NP ⇒ Bob could not compute it)
In both cases Alice conveyed information!
16 / 83
Knowledge vs Information
What do you mean by knowledge?
What does it mean to “learn something/gain knowledge”?
What is difference between knowledge and information?
First question is quite complex, so let’s only talk about the secondand third
Knowledge has to do with your computational ability
If you could have found the answer (i.e. computed it) without help,then you gained no knowledge
Example:
Bob asks Alice whether a graph G is EulerianBob gains no knowledge in this interaction, since he could havecomputed it by himself (By Euler’s theorem: check that all verticeshave even degree)Bob asks Alice if graph G has Hamiltonian cycle
Bob now gains knowledge (P 6= NP ⇒ Bob could not compute it)
In both cases Alice conveyed information!
17 / 83
Knowledge vs Information
What do you mean by knowledge?
What does it mean to “learn something/gain knowledge”?
What is difference between knowledge and information?
First question is quite complex, so let’s only talk about the secondand third
Knowledge has to do with your computational ability
If you could have found the answer (i.e. computed it) without help,then you gained no knowledge
Example:
Bob asks Alice whether a graph G is EulerianBob gains no knowledge in this interaction, since he could havecomputed it by himself (By Euler’s theorem: check that all verticeshave even degree)Bob asks Alice if graph G has Hamiltonian cycleBob now gains knowledge (P 6= NP ⇒ Bob could not compute it)
In both cases Alice conveyed information!
18 / 83
Knowledge vs Information
What do you mean by knowledge?
What does it mean to “learn something/gain knowledge”?
What is difference between knowledge and information?
First question is quite complex, so let’s only talk about the secondand third
Knowledge has to do with your computational ability
If you could have found the answer (i.e. computed it) without help,then you gained no knowledge
Example:
Bob asks Alice whether a graph G is EulerianBob gains no knowledge in this interaction, since he could havecomputed it by himself (By Euler’s theorem: check that all verticeshave even degree)Bob asks Alice if graph G has Hamiltonian cycleBob now gains knowledge (P 6= NP ⇒ Bob could not compute it)
In both cases Alice conveyed information!
19 / 83
Knowledge vs Information
Knowledge:
related to computational difficultyabout publicly known objects
One gains knowledge when one obtains something one could notcompute before!
Information:
unrelated to computational difficultyabout partially known objects
One gains information when one obtains something one could notaccess before!
20 / 83
Knowledge vs Information
Knowledge:
related to computational difficultyabout publicly known objects
One gains knowledge when one obtains something one could notcompute before!
Information:
unrelated to computational difficultyabout partially known objects
One gains information when one obtains something one could notaccess before!
21 / 83
Classical Proofs
Our usual notion of proof:
A claim C is given
A prover P writes down a proof that C is correctProver P sends this proof to a verifier VVerifier has procedure (axioms and derivation rules) to check validity ofproofVerifier accepts or rejects based on these rules
One-way communication (or, in other words, very little interaction!)
Verifier does not trust prover. Otherwise no need to verify proof!
22 / 83
Classical Proofs
Our usual notion of proof:
A claim C is givenA prover P writes down a proof that C is correct
Prover P sends this proof to a verifier VVerifier has procedure (axioms and derivation rules) to check validity ofproofVerifier accepts or rejects based on these rules
One-way communication (or, in other words, very little interaction!)
Verifier does not trust prover. Otherwise no need to verify proof!
23 / 83
Classical Proofs
Our usual notion of proof:
A claim C is givenA prover P writes down a proof that C is correctProver P sends this proof to a verifier V
Verifier has procedure (axioms and derivation rules) to check validity ofproofVerifier accepts or rejects based on these rules
One-way communication (or, in other words, very little interaction!)
Verifier does not trust prover. Otherwise no need to verify proof!
24 / 83
Classical Proofs
Our usual notion of proof:
A claim C is givenA prover P writes down a proof that C is correctProver P sends this proof to a verifier VVerifier has procedure (axioms and derivation rules) to check validity ofproof
Verifier accepts or rejects based on these rules
One-way communication (or, in other words, very little interaction!)
Verifier does not trust prover. Otherwise no need to verify proof!
25 / 83
Classical Proofs
Our usual notion of proof:
A claim C is givenA prover P writes down a proof that C is correctProver P sends this proof to a verifier VVerifier has procedure (axioms and derivation rules) to check validity ofproofVerifier accepts or rejects based on these rules
One-way communication (or, in other words, very little interaction!)
Verifier does not trust prover. Otherwise no need to verify proof!
26 / 83
Classical Proofs
Our usual notion of proof:
A claim C is givenA prover P writes down a proof that C is correctProver P sends this proof to a verifier VVerifier has procedure (axioms and derivation rules) to check validity ofproofVerifier accepts or rejects based on these rules
One-way communication (or, in other words, very little interaction!)
Verifier does not trust prover. Otherwise no need to verify proof!
27 / 83
Classical Proofs
Our usual notion of proof:
A claim C is givenA prover P writes down a proof that C is correctProver P sends this proof to a verifier VVerifier has procedure (axioms and derivation rules) to check validity ofproofVerifier accepts or rejects based on these rules
One-way communication (or, in other words, very little interaction!)
Verifier does not trust prover. Otherwise no need to verify proof!
28 / 83
Example: NP (Efficient Verifiable Proofs)
Setup:
A claim C := x ∈ L is given
A prover P writes down a proof (witness) w that x ∈ LProver P sends w to a verifier VVerifier has procedure (axioms and derivation rules) to check validity ofproof (deterministic, polynomial time algorithm)Verifier accepts iff V (x ,w) = 1
In this setting, verifier learns the proof!
29 / 83
Example: NP (Efficient Verifiable Proofs)
Setup:
A claim C := x ∈ L is givenA prover P writes down a proof (witness) w that x ∈ L
Prover P sends w to a verifier VVerifier has procedure (axioms and derivation rules) to check validity ofproof (deterministic, polynomial time algorithm)Verifier accepts iff V (x ,w) = 1
In this setting, verifier learns the proof!
30 / 83
Example: NP (Efficient Verifiable Proofs)
Setup:
A claim C := x ∈ L is givenA prover P writes down a proof (witness) w that x ∈ LProver P sends w to a verifier V
Verifier has procedure (axioms and derivation rules) to check validity ofproof (deterministic, polynomial time algorithm)Verifier accepts iff V (x ,w) = 1
In this setting, verifier learns the proof!
31 / 83
Example: NP (Efficient Verifiable Proofs)
Setup:
A claim C := x ∈ L is givenA prover P writes down a proof (witness) w that x ∈ LProver P sends w to a verifier VVerifier has procedure (axioms and derivation rules) to check validity ofproof (deterministic, polynomial time algorithm)
Verifier accepts iff V (x ,w) = 1
In this setting, verifier learns the proof!
32 / 83
Example: NP (Efficient Verifiable Proofs)
Setup:
A claim C := x ∈ L is givenA prover P writes down a proof (witness) w that x ∈ LProver P sends w to a verifier VVerifier has procedure (axioms and derivation rules) to check validity ofproof (deterministic, polynomial time algorithm)Verifier accepts iff V (x ,w) = 1
In this setting, verifier learns the proof!
33 / 83
Example: NP (Efficient Verifiable Proofs)
Setup:
A claim C := x ∈ L is givenA prover P writes down a proof (witness) w that x ∈ LProver P sends w to a verifier VVerifier has procedure (axioms and derivation rules) to check validity ofproof (deterministic, polynomial time algorithm)Verifier accepts iff V (x ,w) = 1
In this setting, verifier learns the proof!
34 / 83
Example: Factoring
Setup:
A claim C := N is a product of two primes is given
A prover P writes down a proof: two primes p, q that N = p · qProver P sends (p, q) to a verifier VVerifier computes p · q and checks that p, q are prime.Checking validity of proof (deterministic, polynomial time algorithm)Verifier accepts iff p, q prime, and N = pq
In this setting, verifier learns the proof (in this case factorization)!
35 / 83
Example: Factoring
Setup:
A claim C := N is a product of two primes is givenA prover P writes down a proof: two primes p, q that N = p · q
Prover P sends (p, q) to a verifier VVerifier computes p · q and checks that p, q are prime.Checking validity of proof (deterministic, polynomial time algorithm)Verifier accepts iff p, q prime, and N = pq
In this setting, verifier learns the proof (in this case factorization)!
36 / 83
Example: Factoring
Setup:
A claim C := N is a product of two primes is givenA prover P writes down a proof: two primes p, q that N = p · qProver P sends (p, q) to a verifier V
Verifier computes p · q and checks that p, q are prime.Checking validity of proof (deterministic, polynomial time algorithm)Verifier accepts iff p, q prime, and N = pq
In this setting, verifier learns the proof (in this case factorization)!
37 / 83
Example: Factoring
Setup:
A claim C := N is a product of two primes is givenA prover P writes down a proof: two primes p, q that N = p · qProver P sends (p, q) to a verifier VVerifier computes p · q and checks that p, q are prime.Checking validity of proof (deterministic, polynomial time algorithm)
Verifier accepts iff p, q prime, and N = pq
In this setting, verifier learns the proof (in this case factorization)!
38 / 83
Example: Factoring
Setup:
A claim C := N is a product of two primes is givenA prover P writes down a proof: two primes p, q that N = p · qProver P sends (p, q) to a verifier VVerifier computes p · q and checks that p, q are prime.Checking validity of proof (deterministic, polynomial time algorithm)Verifier accepts iff p, q prime, and N = pq
In this setting, verifier learns the proof (in this case factorization)!
39 / 83
Example: Factoring
Setup:
A claim C := N is a product of two primes is givenA prover P writes down a proof: two primes p, q that N = p · qProver P sends (p, q) to a verifier VVerifier computes p · q and checks that p, q are prime.Checking validity of proof (deterministic, polynomial time algorithm)Verifier accepts iff p, q prime, and N = pq
In this setting, verifier learns the proof (in this case factorization)!
40 / 83
Example: Graph Isomorphism
Setup:
A claim C := graphs G0,G1 are isomorphic
A prover P writes down an isomorphism ρ such that ρ(G0) = G1
Prover P sends ρ to a verifier VVerifier checks that ρ is a permutation of vertices, and thatρ(G0) = G1 (deterministic, polynomial time algorithm)Verifier accepts iff the above is correct.
In this setting, verifier learns the isomorphism (i.e., the proof)!
41 / 83
Example: Graph Isomorphism
Setup:
A claim C := graphs G0,G1 are isomorphicA prover P writes down an isomorphism ρ such that ρ(G0) = G1
Prover P sends ρ to a verifier VVerifier checks that ρ is a permutation of vertices, and thatρ(G0) = G1 (deterministic, polynomial time algorithm)Verifier accepts iff the above is correct.
In this setting, verifier learns the isomorphism (i.e., the proof)!
42 / 83
Example: Graph Isomorphism
Setup:
A claim C := graphs G0,G1 are isomorphicA prover P writes down an isomorphism ρ such that ρ(G0) = G1
Prover P sends ρ to a verifier V
Verifier checks that ρ is a permutation of vertices, and thatρ(G0) = G1 (deterministic, polynomial time algorithm)Verifier accepts iff the above is correct.
In this setting, verifier learns the isomorphism (i.e., the proof)!
43 / 83
Example: Graph Isomorphism
Setup:
A claim C := graphs G0,G1 are isomorphicA prover P writes down an isomorphism ρ such that ρ(G0) = G1
Prover P sends ρ to a verifier VVerifier checks that ρ is a permutation of vertices, and thatρ(G0) = G1 (deterministic, polynomial time algorithm)
Verifier accepts iff the above is correct.
In this setting, verifier learns the isomorphism (i.e., the proof)!
44 / 83
Example: Graph Isomorphism
Setup:
A claim C := graphs G0,G1 are isomorphicA prover P writes down an isomorphism ρ such that ρ(G0) = G1
Prover P sends ρ to a verifier VVerifier checks that ρ is a permutation of vertices, and thatρ(G0) = G1 (deterministic, polynomial time algorithm)Verifier accepts iff the above is correct.
In this setting, verifier learns the isomorphism (i.e., the proof)!
45 / 83
Example: Graph Isomorphism
Setup:
A claim C := graphs G0,G1 are isomorphicA prover P writes down an isomorphism ρ such that ρ(G0) = G1
Prover P sends ρ to a verifier VVerifier checks that ρ is a permutation of vertices, and thatρ(G0) = G1 (deterministic, polynomial time algorithm)Verifier accepts iff the above is correct.
In this setting, verifier learns the isomorphism (i.e., the proof)!
46 / 83
Can we convince people differently?
Yes! But we need to modify the way proofs are checked.
Make proofs interactive, instead of only one-wayVerifier is allowed private randomness
In the end, we will see a (zero-knowledge) proof for graphisomorphism as follows:
Alice: I will not give you an isomorphism, but I will prove that I couldgive you one, if I wanted to.
47 / 83
Can we convince people differently?
Yes! But we need to modify the way proofs are checked.
Make proofs interactive, instead of only one-way
Verifier is allowed private randomness
In the end, we will see a (zero-knowledge) proof for graphisomorphism as follows:
Alice: I will not give you an isomorphism, but I will prove that I couldgive you one, if I wanted to.
48 / 83
Can we convince people differently?
Yes! But we need to modify the way proofs are checked.
Make proofs interactive, instead of only one-wayVerifier is allowed private randomness
In the end, we will see a (zero-knowledge) proof for graphisomorphism as follows:
Alice: I will not give you an isomorphism, but I will prove that I couldgive you one, if I wanted to.
49 / 83
Can we convince people differently?
Yes! But we need to modify the way proofs are checked.
Make proofs interactive, instead of only one-wayVerifier is allowed private randomness
In the end, we will see a (zero-knowledge) proof for graphisomorphism as follows:
Alice: I will not give you an isomorphism, but I will prove that I couldgive you one, if I wanted to.
50 / 83
Why Zero Knowledge?
Zero-Knowledge Proofs
Conclusion
Acknowledgements
51 / 83
Example: Graph IsomorphismSetup:
A claim C := graphs G0,G1 are isomorphic
A prover P produces a random graph H for which:
It can give isomorphism ρ0 from G0 to HIt can give isomorphism ρ1 from G1 to H
Above possible iff G0 and G1 isomorphic!Verifier picks random bit b ∈ {0, 1}Prover gives isomorphism ρbVerifier checks that ρb(H) = Gb
Note that verifier will not learn isomorphism between G0 and G1!
Note that:
Claim is true ⇒ prover can always give isomorphism!Claim is false ⇒ can catch bad proof with probability = 1/2
Can amplify probability of catching bad proof by repeating protocolabove!
How can we model the fact that verifier does not gain knowledge?!
Simulation!
52 / 83
Example: Graph IsomorphismSetup:
A claim C := graphs G0,G1 are isomorphicA prover P produces a random graph H for which:
It can give isomorphism ρ0 from G0 to HIt can give isomorphism ρ1 from G1 to H
Above possible iff G0 and G1 isomorphic!Verifier picks random bit b ∈ {0, 1}Prover gives isomorphism ρbVerifier checks that ρb(H) = Gb
Note that verifier will not learn isomorphism between G0 and G1!
Note that:
Claim is true ⇒ prover can always give isomorphism!Claim is false ⇒ can catch bad proof with probability = 1/2
Can amplify probability of catching bad proof by repeating protocolabove!
How can we model the fact that verifier does not gain knowledge?!
Simulation!
53 / 83
Example: Graph IsomorphismSetup:
A claim C := graphs G0,G1 are isomorphicA prover P produces a random graph H for which:
It can give isomorphism ρ0 from G0 to HIt can give isomorphism ρ1 from G1 to H
Above possible iff G0 and G1 isomorphic!Verifier picks random bit b ∈ {0, 1}Prover gives isomorphism ρbVerifier checks that ρb(H) = Gb
Note that verifier will not learn isomorphism between G0 and G1!
Note that:
Claim is true ⇒ prover can always give isomorphism!Claim is false ⇒ can catch bad proof with probability = 1/2
Can amplify probability of catching bad proof by repeating protocolabove!
How can we model the fact that verifier does not gain knowledge?!
Simulation!
54 / 83
Example: Graph IsomorphismSetup:
A claim C := graphs G0,G1 are isomorphicA prover P produces a random graph H for which:
It can give isomorphism ρ0 from G0 to HIt can give isomorphism ρ1 from G1 to H
Above possible iff G0 and G1 isomorphic!
Verifier picks random bit b ∈ {0, 1}Prover gives isomorphism ρbVerifier checks that ρb(H) = Gb
Note that verifier will not learn isomorphism between G0 and G1!
Note that:
Claim is true ⇒ prover can always give isomorphism!Claim is false ⇒ can catch bad proof with probability = 1/2
Can amplify probability of catching bad proof by repeating protocolabove!
How can we model the fact that verifier does not gain knowledge?!
Simulation!
55 / 83
Example: Graph IsomorphismSetup:
A claim C := graphs G0,G1 are isomorphicA prover P produces a random graph H for which:
It can give isomorphism ρ0 from G0 to HIt can give isomorphism ρ1 from G1 to H
Above possible iff G0 and G1 isomorphic!Verifier picks random bit b ∈ {0, 1}
Prover gives isomorphism ρbVerifier checks that ρb(H) = Gb
Note that verifier will not learn isomorphism between G0 and G1!
Note that:
Claim is true ⇒ prover can always give isomorphism!Claim is false ⇒ can catch bad proof with probability = 1/2
Can amplify probability of catching bad proof by repeating protocolabove!
How can we model the fact that verifier does not gain knowledge?!
Simulation!
56 / 83
Example: Graph IsomorphismSetup:
A claim C := graphs G0,G1 are isomorphicA prover P produces a random graph H for which:
It can give isomorphism ρ0 from G0 to HIt can give isomorphism ρ1 from G1 to H
Above possible iff G0 and G1 isomorphic!Verifier picks random bit b ∈ {0, 1}Prover gives isomorphism ρb
Verifier checks that ρb(H) = Gb
Note that verifier will not learn isomorphism between G0 and G1!
Note that:
Claim is true ⇒ prover can always give isomorphism!Claim is false ⇒ can catch bad proof with probability = 1/2
Can amplify probability of catching bad proof by repeating protocolabove!
How can we model the fact that verifier does not gain knowledge?!
Simulation!
57 / 83
Example: Graph IsomorphismSetup:
A claim C := graphs G0,G1 are isomorphicA prover P produces a random graph H for which:
It can give isomorphism ρ0 from G0 to HIt can give isomorphism ρ1 from G1 to H
Above possible iff G0 and G1 isomorphic!Verifier picks random bit b ∈ {0, 1}Prover gives isomorphism ρbVerifier checks that ρb(H) = Gb
Note that verifier will not learn isomorphism between G0 and G1!
Note that:
Claim is true ⇒ prover can always give isomorphism!Claim is false ⇒ can catch bad proof with probability = 1/2
Can amplify probability of catching bad proof by repeating protocolabove!
How can we model the fact that verifier does not gain knowledge?!
Simulation!
58 / 83
Example: Graph IsomorphismSetup:
A claim C := graphs G0,G1 are isomorphicA prover P produces a random graph H for which:
It can give isomorphism ρ0 from G0 to HIt can give isomorphism ρ1 from G1 to H
Above possible iff G0 and G1 isomorphic!Verifier picks random bit b ∈ {0, 1}Prover gives isomorphism ρbVerifier checks that ρb(H) = Gb
Note that verifier will not learn isomorphism between G0 and G1!
Note that:
Claim is true ⇒ prover can always give isomorphism!Claim is false ⇒ can catch bad proof with probability = 1/2
Can amplify probability of catching bad proof by repeating protocolabove!
How can we model the fact that verifier does not gain knowledge?!
Simulation!
59 / 83
Example: Graph IsomorphismSetup:
A claim C := graphs G0,G1 are isomorphicA prover P produces a random graph H for which:
It can give isomorphism ρ0 from G0 to HIt can give isomorphism ρ1 from G1 to H
Above possible iff G0 and G1 isomorphic!Verifier picks random bit b ∈ {0, 1}Prover gives isomorphism ρbVerifier checks that ρb(H) = Gb
Note that verifier will not learn isomorphism between G0 and G1!
Note that:
Claim is true ⇒ prover can always give isomorphism!Claim is false ⇒ can catch bad proof with probability = 1/2
Can amplify probability of catching bad proof by repeating protocolabove!
How can we model the fact that verifier does not gain knowledge?!
Simulation!
60 / 83
Example: Graph IsomorphismSetup:
A claim C := graphs G0,G1 are isomorphicA prover P produces a random graph H for which:
It can give isomorphism ρ0 from G0 to HIt can give isomorphism ρ1 from G1 to H
Above possible iff G0 and G1 isomorphic!Verifier picks random bit b ∈ {0, 1}Prover gives isomorphism ρbVerifier checks that ρb(H) = Gb
Note that verifier will not learn isomorphism between G0 and G1!
Note that:
Claim is true ⇒ prover can always give isomorphism!Claim is false ⇒ can catch bad proof with probability = 1/2Can amplify probability of catching bad proof by repeating protocolabove!
How can we model the fact that verifier does not gain knowledge?!
Simulation!
61 / 83
Example: Graph IsomorphismSetup:
A claim C := graphs G0,G1 are isomorphicA prover P produces a random graph H for which:
It can give isomorphism ρ0 from G0 to HIt can give isomorphism ρ1 from G1 to H
Above possible iff G0 and G1 isomorphic!Verifier picks random bit b ∈ {0, 1}Prover gives isomorphism ρbVerifier checks that ρb(H) = Gb
Note that verifier will not learn isomorphism between G0 and G1!
Note that:
Claim is true ⇒ prover can always give isomorphism!Claim is false ⇒ can catch bad proof with probability = 1/2Can amplify probability of catching bad proof by repeating protocolabove!
How can we model the fact that verifier does not gain knowledge?!
Simulation!
62 / 83
Simulation of Protocol
Key idea: if claim is indeed true, then verifier’s view of proof couldhave been simulated by the verifier alone!
Simulated protocol:
The verifier (privately) produces a random permutation ρ and a bit band outputs H = ρ(Gb).
Verifier then picks bit b from previous step
Verifier gives isomorphism ρ−1
Verifier checks that ρ−1(H) = Gb
Simulation ⇒ V gained no new information!
63 / 83
Simulation of Protocol
Key idea: if claim is indeed true, then verifier’s view of proof couldhave been simulated by the verifier alone!
Simulated protocol:
The verifier (privately) produces a random permutation ρ and a bit band outputs H = ρ(Gb).
Verifier then picks bit b from previous step
Verifier gives isomorphism ρ−1
Verifier checks that ρ−1(H) = Gb
Simulation ⇒ V gained no new information!
64 / 83
Simulation of Protocol
Key idea: if claim is indeed true, then verifier’s view of proof couldhave been simulated by the verifier alone!
Simulated protocol:
The verifier (privately) produces a random permutation ρ and a bit band outputs H = ρ(Gb).
Verifier then picks bit b from previous step
Verifier gives isomorphism ρ−1
Verifier checks that ρ−1(H) = Gb
Simulation ⇒ V gained no new information!
65 / 83
Simulation of Protocol
Key idea: if claim is indeed true, then verifier’s view of proof couldhave been simulated by the verifier alone!
Simulated protocol:
The verifier (privately) produces a random permutation ρ and a bit band outputs H = ρ(Gb).
Verifier then picks bit b from previous step
Verifier gives isomorphism ρ−1
Verifier checks that ρ−1(H) = Gb
Simulation ⇒ V gained no new information!
66 / 83
Simulation of Protocol
Key idea: if claim is indeed true, then verifier’s view of proof couldhave been simulated by the verifier alone!
Simulated protocol:
The verifier (privately) produces a random permutation ρ and a bit band outputs H = ρ(Gb).
Verifier then picks bit b from previous step
Verifier gives isomorphism ρ−1
Verifier checks that ρ−1(H) = Gb
Simulation ⇒ V gained no new information!
67 / 83
Simulation of Protocol
Key idea: if claim is indeed true, then verifier’s view of proof couldhave been simulated by the verifier alone!
Simulated protocol:
The verifier (privately) produces a random permutation ρ and a bit band outputs H = ρ(Gb).
Verifier then picks bit b from previous step
Verifier gives isomorphism ρ−1
Verifier checks that ρ−1(H) = Gb
Simulation ⇒ V gained no new information!
68 / 83
Perfect Zero Knowledge Proof
Note that we usually talked about not trusting provers so far, but forZero-Knowledge, we will not trust verifiers (as they may try to obtaininformation about the proof!)
Definition (Perfect Zero Knowledge)
A prover P is perfect zero-knowledge for language L if for everypolynomial time, randomized verifier V ∗, there is a randomized algorithmM∗ such that for every x ∈ L the following random variables are identicallydistributed:
〈P,V ∗〉(x), that is, output of interaction between prover P andverifier V ∗ on input x
M∗(x), that is, output of algorithm M∗ (simulation) on input x
The above captures the idea that V ∗ is not gaining any extracomputational power by interacting with P, since same output couldhave been generated by M∗
69 / 83
Perfect Zero Knowledge Proof
Note that we usually talked about not trusting provers so far, but forZero-Knowledge, we will not trust verifiers (as they may try to obtaininformation about the proof!)
Definition (Perfect Zero Knowledge)
A prover P is perfect zero-knowledge for language L if for everypolynomial time, randomized verifier V ∗, there is a randomized algorithmM∗ such that for every x ∈ L the following random variables are identicallydistributed:
〈P,V ∗〉(x), that is, output of interaction between prover P andverifier V ∗ on input x
M∗(x), that is, output of algorithm M∗ (simulation) on input x
The above captures the idea that V ∗ is not gaining any extracomputational power by interacting with P, since same output couldhave been generated by M∗
70 / 83
Perfect Zero Knowledge Proof
Note that we usually talked about not trusting provers so far, but forZero-Knowledge, we will not trust verifiers (as they may try to obtaininformation about the proof!)
Definition (Perfect Zero Knowledge)
A prover P is perfect zero-knowledge for language L if for everypolynomial time, randomized verifier V ∗, there is a randomized algorithmM∗ such that for every x ∈ L the following random variables are identicallydistributed:
〈P,V ∗〉(x), that is, output of interaction between prover P andverifier V ∗ on input x
M∗(x), that is, output of algorithm M∗ (simulation) on input x
The above captures the idea that V ∗ is not gaining any extracomputational power by interacting with P, since same output couldhave been generated by M∗
71 / 83
Perfect Zero Knowledge Proof2
Previous definition is a bit too strict to be useful, so we relax it.1
We will allow simulator to fail with small probability (denoted byoutputting ⊥)
Definition (Perfect Zero Knowledge)
A prover P is perfect zero-knowledge for language L if for everypolynomial time, randomized verifier V ∗, there is a randomized algorithmM∗ such that for every x ∈ L the following holds:
1 With probability ≤ 1/2, M∗(x) = ⊥2 Conditioned on M∗(x) 6= ⊥, the following variables are identially
distributed:
〈P,V ∗〉(x), that is, output of interaction between prover P andverifier V ∗ on input xM∗(x), that is, output of algorithm M∗ (simulation) on input x
1Very common phenomenon in crypto, that statistical indistinguishability too strict.2For applications in cryptography, one can even relax this definition further, to
include computational zero-knowledge72 / 83
Perfect Zero Knowledge Proof2
Previous definition is a bit too strict to be useful, so we relax it.1
We will allow simulator to fail with small probability (denoted byoutputting ⊥)
Definition (Perfect Zero Knowledge)
A prover P is perfect zero-knowledge for language L if for everypolynomial time, randomized verifier V ∗, there is a randomized algorithmM∗ such that for every x ∈ L the following holds:
1 With probability ≤ 1/2, M∗(x) = ⊥2 Conditioned on M∗(x) 6= ⊥, the following variables are identially
distributed:
〈P,V ∗〉(x), that is, output of interaction between prover P andverifier V ∗ on input xM∗(x), that is, output of algorithm M∗ (simulation) on input x
1Very common phenomenon in crypto, that statistical indistinguishability too strict.2For applications in cryptography, one can even relax this definition further, to
include computational zero-knowledge73 / 83
Simulation of ProtocolKey idea: if claim is indeed true, then verifier’s view of proof couldhave been simulated by the verifier alone!
Simulated protocol:
The simulator produces a random permutation ρ and outputsH = ρ(G0).
Simulator then picks random bit b
If b 6= 0 then output ⊥Otherwise simulator gives isomorphism ρ−1
Simulator checks that ρ−1(H) = G0
Simulation ⇒ perfect zero knowledge for our prover P!
Note that whenever we don’t fail, we output same distribution as theoriginal protocol!
74 / 83
Simulation of ProtocolKey idea: if claim is indeed true, then verifier’s view of proof couldhave been simulated by the verifier alone!
Simulated protocol:
The simulator produces a random permutation ρ and outputsH = ρ(G0).
Simulator then picks random bit b
If b 6= 0 then output ⊥Otherwise simulator gives isomorphism ρ−1
Simulator checks that ρ−1(H) = G0
Simulation ⇒ perfect zero knowledge for our prover P!
Note that whenever we don’t fail, we output same distribution as theoriginal protocol!
75 / 83
Simulation of ProtocolKey idea: if claim is indeed true, then verifier’s view of proof couldhave been simulated by the verifier alone!
Simulated protocol:
The simulator produces a random permutation ρ and outputsH = ρ(G0).
Simulator then picks random bit b
If b 6= 0 then output ⊥Otherwise simulator gives isomorphism ρ−1
Simulator checks that ρ−1(H) = G0
Simulation ⇒ perfect zero knowledge for our prover P!
Note that whenever we don’t fail, we output same distribution as theoriginal protocol!
76 / 83
Simulation of ProtocolKey idea: if claim is indeed true, then verifier’s view of proof couldhave been simulated by the verifier alone!
Simulated protocol:
The simulator produces a random permutation ρ and outputsH = ρ(G0).
Simulator then picks random bit b
If b 6= 0 then output ⊥
Otherwise simulator gives isomorphism ρ−1
Simulator checks that ρ−1(H) = G0
Simulation ⇒ perfect zero knowledge for our prover P!
Note that whenever we don’t fail, we output same distribution as theoriginal protocol!
77 / 83
Simulation of ProtocolKey idea: if claim is indeed true, then verifier’s view of proof couldhave been simulated by the verifier alone!
Simulated protocol:
The simulator produces a random permutation ρ and outputsH = ρ(G0).
Simulator then picks random bit b
If b 6= 0 then output ⊥Otherwise simulator gives isomorphism ρ−1
Simulator checks that ρ−1(H) = G0
Simulation ⇒ perfect zero knowledge for our prover P!
Note that whenever we don’t fail, we output same distribution as theoriginal protocol!
78 / 83
Simulation of ProtocolKey idea: if claim is indeed true, then verifier’s view of proof couldhave been simulated by the verifier alone!
Simulated protocol:
The simulator produces a random permutation ρ and outputsH = ρ(G0).
Simulator then picks random bit b
If b 6= 0 then output ⊥Otherwise simulator gives isomorphism ρ−1
Simulator checks that ρ−1(H) = G0
Simulation ⇒ perfect zero knowledge for our prover P!
Note that whenever we don’t fail, we output same distribution as theoriginal protocol!
79 / 83
Simulation of ProtocolKey idea: if claim is indeed true, then verifier’s view of proof couldhave been simulated by the verifier alone!
Simulated protocol:
The simulator produces a random permutation ρ and outputsH = ρ(G0).
Simulator then picks random bit b
If b 6= 0 then output ⊥Otherwise simulator gives isomorphism ρ−1
Simulator checks that ρ−1(H) = G0
Simulation ⇒ perfect zero knowledge for our prover P!
Note that whenever we don’t fail, we output same distribution as theoriginal protocol!
80 / 83
Conclusion
We saw today how the power of interaction can be used to verifyvalidity of “proofs” without conveying information about it
Has applications in
Modern cryptographyCredit CardsPasswordsComplexity Theory (can use zero-knowledge to construct complexityclasses)Used in cryptocurrencies (validate transactions without giving detailsabout transactions)
81 / 83
Conclusion
We saw today how the power of interaction can be used to verifyvalidity of “proofs” without conveying information about it
Has applications in
Modern cryptographyCredit CardsPasswordsComplexity Theory (can use zero-knowledge to construct complexityclasses)Used in cryptocurrencies (validate transactions without giving detailsabout transactions)
82 / 83
Acknowledgement
Lecture based largely on:
Oded Goldreich’s Foundations of Cryptography book, Chapter 6Berkeley & MIT’s 6.875 Lecture 14
https://inst.eecs.berkeley.edu/~cs276/fa20/slides/lec14.pdf
83 / 83
![Lattice-Based Zero-Knowledge Proofs: New Techniques for … · 2019-07-15 · Zero-Knowledge Proofs [GMR85].. Prover(x,w) Verifier(x) Accept/Reject Properties: 1)Completeness 2)Soundness](https://img.pdfslide.net/doc/110x75/5f773e4798801e2029328a37/lattice-based-zero-knowledge-proofs-new-techniques-for-2019-07-15-zero-knowledge.jpg)
