Zero Knowledge Proofs. 20 Years after its Invention


Zero Knowledge Proofs. 20 Years after its Invention
Author: Oded Goldreich, Dept. of CS & Applied Mathematics, Weizmann Institute of Science, Israel.
Presented by Mr. Sameer Seth, samseth@gwu.edu

Abstract
Zero Knowledge Proofs are proofs that are both convincing and yet yield nothing beyond the validity of the assertion being proved. We will survey the main developments regarding Zero-Knowledge, starting from the basic definitions and reaching the most recent and sophisticated results in this area.

Contents
- Introduction
- The Basics
  - Preliminaries
  - Interactive Proofs & Argument Systems
  - Computational Difficulty and One-Way Functions
- Definitional Issues
  - The Basic Definition
  - Variants
    - Universal & Black-Box Simulators
    - Honest Verifier vs. General Cheating Verifier
    - Statistical vs. Computational ZK
    - Strict vs. Expected Probabilistic Polynomial-Time

Contents (continued)
- Advanced Topics
  - Composing ZK Protocols
    - Sequential Composition
    - Parallel Composition
    - Concurrent Composition (with & without timing)
  - ZK Proofs in Other Models

Introduction
Zero knowledge proofs are fascinating because of their seemingly contradictory definition and their extremely useful constructs. They are typically used to force malicious parties to behave according to a predetermined protocol. Typical issues concerning ZK proofs are:
- preservation of security under various forms of protocol composition;
- use of the adversary's program within the proof of security.

Basics (Definition)
Zero knowledge is formulated by saying that anything that is feasibly computable from a ZK proof is also feasibly computable from the (validity of the) assertion itself. Variants on the basic definition are:
- consideration of auxiliary inputs;
- mandating universal and black-box simulations;
- restricting attention to honest verifiers;
- the level of similarity required of the simulation.
Zero knowledge proofs exist for any NP-set, provided that one-way functions exist.

Example of ZK Proof system

Preliminaries
Modern cryptography is concerned with the construction of efficient schemes for which it is infeasible to violate the security feature. The computations of the legitimate users of the scheme ought to be efficient, whereas violating the security feature ought to be infeasible. Efficient computations are commonly modeled by computations that are polynomial-time in the security parameter. The polynomial bounding the running time of the legitimate user's strategy is fixed and typically explicit.
Randomized computations play a central role in the definition of ZK. We allow the legitimate users to employ randomized computations. This brings up the issue of success probability: typically we require legitimate users to succeed with probability 1 (or very close to 1) and adversaries to succeed with negligible probability. A rare event should occur rarely even if we repeat the experiment a feasible number of times.

Preliminaries
We consider as negligible any function A : N → [0,1] that vanishes faster than the reciprocal of any polynomial.

Interactive Proofs and Argument Systems
The standard notion of a static proof will not do, because static ZK proofs exist only for sets that are easy to decide, whereas we are interested in arbitrary NP-sets. We will therefore use the notion of an Interactive Proof. Here the proof is a (multi-round) randomized protocol for two parties, verifier and prover, in which the prover wishes to convince the verifier of the validity of a given assertion. Both the completeness and the soundness conditions should hold with high probability. The verifier has to be probabilistic polynomial-time. If the assertion is false, the verifier must reject with noticeable probability, no matter what strategy is applied by the prover.

Interactive Proofs: Definition
An IP system for a set S is a two-party game between a verifier executing a probabilistic polynomial-time strategy and a prover executing a computationally unbounded strategy, satisfying:
- Completeness: for every x ∈ S, the verifier V always accepts after interacting with the prover P on common input x.
- Soundness: for some polynomial p, it holds that for every x ∉ S and every potential strategy P*, the verifier V rejects with probability at least 1/p(|x|) after interacting with P* on common input x.
The soundness error can be reduced by sequential repetition, but it cannot always be reduced by parallel repetition.

Computational Difficulty and One-Way Functions
Most positive results regarding ZK proofs are based on intractability assumptions.
Definition of one-way functions. A function f : {0,1}* → {0,1}* is called one-way if the following two conditions hold:
1. Easy to evaluate: there exists a polynomial-time algorithm A such that A(x) = f(x) for every x ∈ {0,1}*.
2. Hard to invert: for every family of polynomial-size circuits {Cn}, every polynomial p, and all sufficiently large n,
   Pr[Cn(f(x)) ∈ f⁻¹(f(x))] < 1/p(n),
   where the probability is taken uniformly over all possible choices.

Basic Definition
An interactive strategy A is ZK on the set S if, for every feasible strategy B*, there exists a feasible computation C* such that the following probability ensembles are computationally indistinguishable:
1. {(A,B*)(x)} = the output of B* after interacting with A on common input x, and
2. {C*(x)} = the output of C* on input x.
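The "Example of ZK Proof system" slide above was an image that did not survive extraction, so here is an added worked example (my own code, not Goldreich's slides) of the classic graph-isomorphism ZK proof system: an honest prover, a witness-less cheating prover that exhibits the 1/2 soundness error and its reduction by sequential repetition, and the simulator C* that the basic definition demands. The toy graphs G0/G1, the secret permutation PI and all function names are constructed assumptions.

```python
import random
RNG = random.Random(7)  # seeded so runs are reproducible; pass any random.Random instead
def apply(perm, graph):
    """Relabel every edge by perm, sorting endpoints so equal graphs compare equal."""
    return frozenset(tuple(sorted((perm[u], perm[v]))) for u, v in graph)

# Constructed toy instance (not from the slides): G1 is G0 relabelled by the secret
# permutation PI, the prover's witness for the NP statement "G0 and G1 are isomorphic".
NODES = 4
G0 = frozenset({(0, 1), (1, 2), (2, 3), (3, 0), (0, 2)})
PI = {0: 2, 1: 0, 2: 3, 3: 1}
G1 = apply(PI, G0)

def compose(outer, inner):  # the permutation x -> outer[inner[x]]
    return {x: outer[inner[x]] for x in inner}
def rand_perm(rng):
    return dict(enumerate(rng.sample(range(NODES), NODES)))

def honest_prover(pi):
    """One round: commit to H = sigma(G1), then open H as an image of G_b for the verifier's bit b."""
    def run(challenge, rng):
        sigma = rand_perm(rng)
        h = apply(sigma, G1)
        b = challenge(h)
        tau = sigma if b == 1 else compose(sigma, pi)  # sigma∘pi maps G0 onto h
        return h, b, tau
    return run

def cheating_prover(challenge, rng):
    """Prover without pi guesses b in advance; a wrong guess leaves it unable to open H."""
    guess, tau = rng.randrange(2), rand_perm(rng)
    h = apply(tau, G1 if guess == 1 else G0)
    return h, challenge(h), tau

def verify(h, b, tau):
    """Verifier's check: the opening tau must map G_b exactly onto the committed H."""
    return apply(tau, G1 if b == 1 else G0) == h

def sequential_proof(prover, challenge, rng, rounds=20):
    """Sequential repetition, as on the slides: per-round soundness error 1/2 becomes 2**-rounds."""
    return all(verify(*prover(challenge, rng)) for _ in range(rounds))

def simulate(challenge, rng):
    """Simulator C* of the basic definition: no witness, only black-box access to the verifier's challenge.
    Guess b, build H from G_b alone, rewind when the real challenge differs; output matches a real transcript."""
    while True:
        guess, tau = rng.randrange(2), rand_perm(rng)
        h = apply(tau, G1 if guess == 1 else G0)
        if challenge(h) == guess:
            return h, guess, tau

def honest_verifier(rng):  # honest verifier: a fresh random bit, ignoring H
    return lambda h: rng.randrange(2)
def h_dependent_verifier(h):  # a cheating verifier whose bit depends on the commitment H
    return sum(u * v for u, v in h) % 2
```

Because sigma is uniform, sigma(G1) and (sigma∘pi)(G0) are the same distribution as the simulator's tau(G_b), so the simulated and real transcripts are identical (perfect ZK), and a verifier whose challenge depends on H still learns nothing since the simulator simply retries.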

Variants: Universal and Black-Box Simulation
A further strengthening of the definition is obtained by requiring the existence of a universal simulator, denoted C, that is given the program of the verifier as an auxiliary input. That is, in terms of the definition, one should replace C*(x,z) by C(x,z,⟨B*⟩), where ⟨B*⟩ denotes the description of the program B*. We thereby effectively restrict the simulation by requiring that it be a uniform function of the verifier's program.

Variants: Honest Verifier vs. General Cheating Verifier
We typically view the verifier as an adversary that is trying to cheat. A weaker but still interesting notion of ZK refers to what can be gained by an honest verifier that interacts with the prover as directed, with the exception that it may keep a record of the entire interaction. Although such a weaker notion is not satisfactory for standard cryptographic applications, it yields a fascinating notion from a conceptual as well as a complexity-theoretic point of view.

Variants: Statistical vs. Computational Zero Knowledge
- Perfect Zero Knowledge (PZK) requires that the two probability ensembles be identical.
- Statistical Zero Knowledge (SZK) requires that the two probability ensembles be statistically close (the variation distance between them is negligible).
- Computational Zero Knowledge (CZK) requires that the two probability ensembles be computationally indistinguishable.
CZK is the most liberal notion, and is the notion considered in the basic definition.

Variants: Strict vs. Expected Probabilistic Polynomial-Time
- Strict PPT: there exists a bound on the number of steps in each possible run of the machine, regardless of the outcome of its coin tosses.
- Expected PPT: the standard approach is to look at the running time as a random variable and bound its expectation; an alternative treatment of this random variable is preferable.

Advanced Topics
The first question regarding ZK proofs refers to the preservation of their security under various types of composition operations. The main facts for ZK protocols are:
- ZK is closed under sequential composition.
- ZK is not closed under parallel composition, yet some ZK proofs preserve their security when many copies are executed in parallel.
- Some ZK proofs preserve their security when many copies are executed concurrently, but such a result is not known for constant-round protocols.
For 15 years, all known proofs of security used the adversary's program as a black box, and it was believed that there is no use in having access to the code of the adversary's program. This belief was refuted by a ZK argument that has important properties that are unachievable by black-box simulation.
When we talk of composition of protocols, we mean that honest users are supposed to follow the prescribed program; that is, the actions of honest users in one execution are independent of the messages they received in previous executions.

Sequential Composition
In this case, the protocol is invoked (polynomially) many times, where each invocation follows the termination of the previous one. At the very least, security should be preserved under sequential composition, or else the applicability of the protocol is highly limited. Every protocol that is ZK (under the basic definition) is sequential zero knowledge.

Parallel Composition
In this case many instances of the protocol are invoked at the same time and proceed at the same pace. Here we assume a synchronous model and consider many executions that are totally synchronized, so that the i-th message in all instances is sent at exactly the same time. In the early days, parallel composition was interpreted mainly in the context of round-efficient error reduction. Since then, alternative ways of constructing constant-round ZK proofs have been found, and interest in parallel composition has died down. In retrospect, parallel composition helped to capture the preservation of security. Under standard intractability assumptions, every NP-set has a constant-round parallel ZK proof.

Concurrent Composition (with & without timing)
Concurrent composition generalizes both sequential and parallel composition. Here many instances of the protocol are invoked at arbitrary times and proceed at an arbitrary pace; therefore we assume an asynchronous model of communication. When extensive multi-party computations became a reality, it became clear that it is desirable for cryptographic protocols to maintain their security under concurrent composition. Two models are discussed in the literature:
- concurrent composition in the asynchronous model;
- concurrent composition in the timing model.

Concurrent Composition in the Asynchronous Model
In comparison to the timing model, the pure asynchronous model is simpler and using it requires no assumptions about the underlying communication channels; however, it seems harder to construct ZK proofs for this model. Research has focused on determining the round complexity of concurrent ZK proofs for NP. The current state of the art is as follows:
- Under standard intractability assumptions, every language in NP has a concurrent ZK proof with almost logarithmically many rounds. Furthermore, the ZK property can be demonstrated by a black-box simulator.
- A black-box simulator cannot demonstrate the concurrent ZK property of non-trivial proofs having significantly fewer than logarithmically many rounds.
- Recently it was demonstrated that the black-box simulation barrier can be bypassed: there are ZK proofs for NP that maintain their security as long as an a priori bounded number of executions take place concurrently.

Concurrent Composition in the Timing Model
This model was introduced by Dwork et al. They assumed that each party holds a local clock such that the relative clock rates are bounded by an a priori known constant, and considered protocols that employ time-driven operations. The disadvantages of the timing model are twofold: it assumes that talking about the actual timing of events is meaningful, and it introduces time-driven operations. The timing assumption amounts to postulating that each party holds a local clock and knows a global bound, denoted p ≥ 1, on the relative rates of the local clocks. In our opinion, however, these timing assumptions are reasonable and are unlikely to restrict the scope of applications.

Zero Knowledge in Other Models
Multi-prover interactive proofs: in a multi-prover interactive proof, the prover is split into several entities, and the restriction is that these entities cannot interact with each other. The formulation actually allows them to coordinate their strategies prior to interacting with the verifier, but it is crucial that they do not exchange messages among themselves (e.g., the police interrogating all the suspects individually).
Strict computational soundness: the prover's running time is bounded and monitored by the verifier, which may run for a longer time; the prover's utility is due to an auxiliary input that it holds.