Zero Knowledge Anupam Datta CMU Fall 2017

Slides:



Advertisements
Similar presentations
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Advertisements

Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.
Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.
Wonders of the Digital Envelope
Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Zero Knowledge Proofs(2) Suzanne van Wijk & Maaike Zwart
Complexity Theory Lecture 9 Lecturer: Moni Naor. Recap Last week: –Toda’s Theorem: PH  P #P. –Program checking and hardness on the average of the permanent.
The Complexity of Zero-Knowledge Proofs Salil Vadhan Harvard University.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Dana Moshkovitz. Back to NP L  NP iff members have short, efficiently checkable, certificates of membership. Is  satisfiable?  x 1 = truex 11 = true.
Slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge.
Complexity 26-1 Complexity Andrei Bulatov Interactive Proofs.
Complexity 18-1 Complexity Andrei Bulatov Probabilistic Algorithms.
CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.
1 Slides by Roel Apfelbaum & Eti Ezra. Enhanced by Amit Kagan. Adapted from Oded Goldreich’s course lecture notes.
1 Adapted from Oded Goldreich’s course lecture notes.
Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal.
Complexity and Cryptography
Zero-Knowledge Proof System Slides by Ouzy Hadad, Yair Gazelle & Gil Ben-Artzi Adapted from Ely Porat course lecture notes.
Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.
Sedgewick & Wayne (2004); Chazelle (2005) Sedgewick & Wayne (2004); Chazelle (2005)
Zero Knowledge Proofs. Interactive proof An Interactive Proof System for a language L is a two-party game between a verifier and a prover that interact.
Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.
Sedgewick & Wayne (2004); Chazelle (2005) Sedgewick & Wayne (2004); Chazelle (2005)
CSC 3130: Automata theory and formal languages Andrej Bogdanov The Chinese University of Hong Kong Interaction,
Lecture 12 Commitment Schemes and Zero-Knowledge Protocols Stefan Dziembowski University of Rome La Sapienza critto09.googlepages.com.
Quadratic Residuosity and Two Distinct Prime Factor ZK Protocols By Stephen Hall.
CSCI 3130: Formal languages and automata theory Andrej Bogdanov The Chinese University of Hong Kong Interaction,
Fall 2004/Lecture 201 Cryptography CS 555 Lecture 20-b Zero-Knowledge Proof.
Introduction to Modern Cryptography Sharif University Spring 2015 Data and Network Security Lab Sharif University of Technology Department of Computer.
CS151 Complexity Theory Lecture 13 May 11, Outline proof systems interactive proofs and their power Arthur-Merlin games.
Presented by: Suparita Parakarn Kinzang Wangdi Research Report Presentation Computer Network Security.
Interactive proof systems Section 10.4 Giorgi Japaridze Theory of Computability.
Some Fundamental Insights of Computational Complexity Theory Avi Wigderson IAS, Princeton, NJ Hebrew University, Jerusalem.
Zero-knowledge proof protocols 1 CHAPTER 12: Zero-knowledge proof protocols One of the most important, and at the same time very counterintuitive, primitives.
CSC 3130: Automata theory and formal languages Andrej Bogdanov The Chinese University of Hong Kong Interaction,
CSCI 3130: Formal languages and automata theory Andrej Bogdanov The Chinese University of Hong Kong Interaction,
Probabilistic verification Mario Szegedy, Rutgers www/cs.rutgers.edu/~szegedy/07540 Lecture 1.
Honest-Verifier Statistical Zero-Knowledge Equals General Statistical Zero-Knowledge Oded Goldreich (Weizmann) Amit Sahai (MIT) Salil Vadhan (MIT)
Complexity 24-1 Complexity Andrei Bulatov Interactive Proofs.
Zero-Knowledge Proofs Ben Hosp. Classical Proofs A proof is an argument for the truth or correctness of an assertion. A classical proof is an unambiguous.
Zero Knowledge r Two parties:  All powerful prover P  Polynomially bounded verifier V r P wants to prove a statement to V with the following properties:
Feige-Fiat-Shamir Zero Knowledge Proof Based on difficulty of computing square roots mod a composite n Given two large primes p, q and n=p * q, computing.
IP, (NON)ISOGRAPH and Zero Knowledge Protocol COSC 6111 Advanced Algorithm Design and Analysis Daniel Stübig.
The NP class. NP-completeness
P & NP.
Topic 36: Zero-Knowledge Proofs
Probabilistic Algorithms
Introduction to Randomized Algorithms and the Probabilistic Method
Randomness and Computation
On the Size of Pairing-based Non-interactive Arguments
Multi-Party Proofs and Computation
Course Business I am traveling April 25-May 3rd
NP-Completeness Yin Tat Lee
Cryptographic protocols 2016, Lecture 12 Sigma protocols
cryptographic protocols 2014, lecture 12 Getting full zero knowledge
Interactive Proofs Adapted from Oded Goldreich’s course lecture notes.
Zero-Knowledge Proofs
NP-completeness The Chinese University of Hong Kong Fall 2008
Fiat-Shamir for Highly Sound Protocols is Instantiable
NP-Completeness Yin Tat Lee
Interactive Proofs Adapted from Oded Goldreich’s course lecture notes.
Interactive Proofs Adapted from Oded Goldreich’s course lecture notes.
Interactive Proofs and Secure Multi-Party Computation
09 Zero Knowledge Proof Hi All, One more topic to go!
Impossibility of SNARGs
Zero-Knowledge Proofs
ITIS 6200/8200 Chap 5 Dr. Weichao Wang.
Interactive Proofs Adapted from Oded Goldreich’s course lecture notes.
Presentation transcript:

Zero Knowledge Anupam Datta CMU Fall 2017 18734: Foundations of Privacy Zero Knowledge Anupam Datta CMU Fall 2017

What happens when you type in your password? Authentication What happens when you type in your password?

Naïve authentication acme.com The server knows your password login: me password: opensesame acme.com OK you server The server knows your password So they can impersonate you at other web sites where you use the same password

“Zero-knowledge” authentication I know the password acme.com Can you prove it? Can you convince the server that you know your password, without revealing it (or any other information)?

What is knowledge? What is ignorance? (lack of knowledge) Example 1: Tomorrow’s lottery numbers We are ignorant of them because they are random 2 31 12 7 28 11

What is ignorance? Example 2: A difficult math problem We are ignorant because it takes a lot of work to figure out the answer Questions of this type include Finding satisfying assignments to Boolean formulas Finding cliques in graphs All NP-hard problems Prove that P ≠ NP

Using ignorance to our advantage I know the password acme.com Can you prove it? We want to convince the server that we know the password, while keeping it ignorant of the password itself The server is convinced, but gains zero-knowledge!

An Interactive Protocol

A protocol for “non-color-blindness” You (the prover) want to convince me (the verifier) that you are not color-blind I pull at random either a red ball or a blue ball and show it to you You say “red” or “blue” We repeat this 10 times If you got all the answers right, I am convinced you know red from blue

Properties Soundness Completeness If Verifier accepts then the property (Prover is not color blind) holds with high probability Completeness If property (Prover is not color blind) holds then the Verifier always accepts

Interaction and knowledge What knowledge did I gain from this interaction? I learned that you can tell blue from red But I also learned the colors of the balls in each glass Suppose I was color-blind Then I used you to gain some knowledge!

An Interactive Protocol that is Zero Knowledge

A different protocol I pull at random either two balls from same box or one ball from box 1 and one from box 2 You say “same color” or “different color” box 1 We repeat 10 times If you got all the answers right, I am convinced you know red from blue box 2 But I did not gain any other knowledge!

Zero-knowledge Suppose I am color-blind but you are not In the first protocol, I cannot predict your answer ahead of time In the second protocol, I know what you will say, so I do not gain knowledge when you say it

Probability distributions on transcripts are indistinguishable Zero-knowledge The verifier’s view of the interaction with the prover can be efficiently simulated without interacting with the prover S(V) P V  Verifier is polynomial time Prover has unbounded computation power Property holds for all verifiers (not just the honest verifer) Probability distributions on transcripts are indistinguishable

ZK Proof Outline for Non-Color Blindness Verifier V*’s view in interaction with Prover P wp p: draw two balls from same box; Prover says “same color” wp (1-p): draw one ball from box 1 and one ball from box 2; Prover says “different color” Simulator S uses V* as a black-box; does not interact with P When V* says “draw two balls from same box” it does so and says “same color” to simulate P (wp p) When V* says “draw one ball from box 1 and one ball from box 2” it does so and says “different color” to simulate P (wp 1-p) (P, V*) interaction transcript  S(V*) transcript

Comments Verifier is polynomial time Prover has unbounded computation power ZK property has to hold for all verifiers V* (not just the honest verifer V)

Zero-knowledge password authentication acme.com Oded Goldreich Silvio Micali Avi Wigderson

Graph coloring Theorem 3COL is NP-complete Task: Assign one of 3 colors to the vertices so that no edge has both endpoints of same color 3COL = {G: G has a valid 3-coloring} Theorem 3COL is NP-complete

Password authentication via 3-coloring Step 0: When you register for the web service, choose your password to be a valid 3-coloring of some (suitable) graph acme.com registration G 1 6 password: 2 5 3 4

Password authentication via 3-coloring When the server asks for your password do not send the password, but send the graph G instead (without the colors) password? acme.com G G 1 6 password: 2 5 3 4

Intuition about registration phase Because 3-coloring is hard, the server will not be able to figure out your password (coloring) from G Later, when you try to log in, you will convince the server that you know how to color G, without revealing the coloring itself The server will be convinced you know your password but remain ignorant about what it is

The login phase You randomly permute the colors password: You lock each of the colors in a box and send the boxes to the server The server chooses an edge at random and asks for the keys to the boxes at the endpoints You send the requested keys The server unlocks the two boxes and checks the colors are different 1 6 2 5 Repeat this 1000 times. Login succeeds if colors always different 3 4

Analysis in the login phase Completeness If you know the coloring then you will always successfully convince the server

Analysis in the login phase  

Analysis in the login phase Zero Knowledge If you are honest, the server remains ignorant about your password because all he sees are two random different colors

ZK Proof Outline for 3-COL Simulator S Internally select random edge (i, j) and random permutation PV*: Generate coloring s.t. color(i) not equal color(j); send permuted colors in locked boxes V* P: Open colors for edge (i,j) PV*: Reveal color(i) and color(j) (note by step 1 they are not equal) Note: If V* is not honest, use V* as a blackbox to output edge e in step 2; rewind if e not equal to (i,j) (P, V*) interaction transcript  S(V*) transcript

Acknowledgment Slides are from Andrej Bogdanov except slides 10, 15, 16, 24

Seminal Results IP and ZK defined [GMR’85] ZK for all NP languages [GMW’86] Assuming one way functions exist ZK for all of IP [BGGHKMR’88] Everything that can be proven can be proven in ZK assuming one way functions exist