Interactive Proofs and Secure Multi-Party Computation Based in part on materials from Cornell class CS 4830.
Interactive Proofs A prover must convince a verifier that some statement is true. Typically the prover is thought of as all powerful, while the verifier has limited computational ability. The verifier doesn’t trust the prover.
Sudoku How can the prover convince the verifier that this puzzle has a solution?
Interactive Proof Prover shows the verifier a solution. Verifier checks every row, column, 3x3 box.
Pepsi Challenge Professor Maggs claims that he can distinguish Pepsi from Coke without ever making an error. How can this claim be verified?
Experiment: Morton: Randomly decides (with equal probability) on Coke or Pepsi and hands the professor a glass containing the chosen drink. Professor: Takes a sip of the drink and announces “Coke” or “Pepsi”. Morton: Notes whether the announcement was correct, and repeats.
Verifying the Claim Suppose that the professor can actually only correctly identify a Coke or a Pepsi with probability p. After t trials, the probability that the professor gets the answer correct every time is p^t. Example: for p = 0.9, t = 100, p^t < 0.00003.
Zero-Knowledge Proof Prover wants to convince verifier that prover knows a solution to a problem without revealing any information about the solution.
Hamilton Path A graph has a Hamilton path if there is a path through the graph that visits every vertex exactly once. [Figure: example graph on vertices 1-7]
Zero-Knowledge Proof Prover: Draw the graph on a piece of cardboard with vertices positioned at random places. Don’t write down the labels, 1,…,n, of the vertices. Cover everything in the drawing except the vertices with scratch-off paint. Give the cardboard to the verifier.
Verification The verifier flips an unbiased random coin, then based on the outcome asks the prover to do one of two things: 1: Scratch off all the paint and then label the vertices. The verifier then checks that the drawn graph matches the original input graph. 2: Scratch off just enough paint to reveal the edges of a Hamilton path. The verifier then knows that the drawn graph is Hamiltonian. If the graph is Hamiltonian, the prover always succeeds. If the graph is not Hamiltonian, the prover fails with probability ½.
Zero Knowledge The verifier never learns anything about the Hamilton path. Revealing a labeled drawing of the graph provides no new information. [Figure: labeled drawing of the graph on vertices 1-7]
Zero Knowledge Revealing a path, but no other edges, connecting n unlabeled vertices at random positions provides no new information.
Reduction to Hamilton Path Note that Hamilton Path is NP-complete, i.e., every other problem in NP can be reduced to Hamilton Path. ZKP for Hamilton Path → ZKP for all NP!
How to flip a coin over the Internet 1. First party chooses a random number X in the range [0, 2^256) and publishes A := SHA256(X). 2. Second party likewise chooses a number Y and publishes B := SHA256(Y). 3. After receiving A and B, both parties reveal X and Y. If (X+Y) is even, first party wins. What if first party waits to see SHA256(Y) before choosing X? What if first party tries to change X after seeing Y?
Scratch-off Paint Implemented by publishing a hash to commit to a value that will be revealed later.
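The coin flip and the hash-as-scratch-off-paint idea from the two slides above, as an added example that is not part of the original slides. The function names and the 32-byte big-endian encoding of X and Y are assumptions made for illustration.

```python
import hashlib
import secrets

def commit(value: int) -> str:
    """A := SHA256(X) for X in [0, 2^256), encoded as 32 big-endian bytes."""
    return hashlib.sha256(value.to_bytes(32, "big")).hexdigest()

def opens_to(commitment: str, revealed: int) -> bool:
    """True only if the revealed value hashes to the commitment published earlier."""
    if not 0 <= revealed < 2**256:
        return False
    return secrets.compare_digest(commitment, commit(revealed))

def flip(a: str, b: str, x: int, y: int) -> str:
    """Step 3: check both openings, then decide. A bad opening aborts the flip."""
    if not opens_to(a, x):
        return "abort: X does not match A"
    if not opens_to(b, y):
        return "abort: Y does not match B"
    return "first" if (x + y) % 2 == 0 else "second"

def demo():
    x = secrets.randbelow(2**256)   # step 1: first party's secret
    y = secrets.randbelow(2**256)   # step 2: second party's secret
    a, b = commit(x), commit(y)     # both hashes are published before any reveal
    honest = flip(a, b, x, y)
    # Second question on the slide: the first party sees Y and reveals a
    # different X (parity flipped) to change the outcome. A no longer matches.
    changed = flip(a, b, x ^ 1, y)
    return honest, changed

if __name__ == "__main__":
    print(demo())
```

For the first question on the slide, seeing B = SHA256(Y) before choosing X does not help as long as the hash reveals nothing about the parity of a uniformly random 256-bit Y.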
Graph Isomorphism Two graphs G1=(V,E1) and G2=(V,E2) are isomorphic if there is a bijection f: V → V s.t. {u,v} ∈ E1 ⇔ {f(u),f(v)} ∈ E2. (Not known to be in P, or to be NP-hard.) [Figure: two graphs, each on vertices 1-4]
Zero-Knowledge Proof Prover randomly relabels the vertices of G1 and publishes the resulting graph Gr. Gr is also a random relabeling of the vertices of G2. Verifier randomly chooses to see isomorphism between G1 and Gr or between Gr and G2. If prover knows bijection from G1 to G2, then it can produce both of these bijections. If prover doesn’t know, then one must be incorrect. Verifier either gets a random relabeling of G1 or a random relabeling of G2.
Example [Figure: graphs G1, Gr and G2, each on vertices 1-4]
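The graph-isomorphism protocol above, run round by round, as an added example that is not part of the original slides. The two 4-vertex graphs, the secret bijection and all function names are constructed for illustration; vertices are numbered from 0.

```python
import secrets

def relabel(edges, perm):
    """Apply the vertex relabeling v -> perm[v] to a set of undirected edges."""
    return frozenset(frozenset(perm[v] for v in e) for e in edges)

# Constructed sample: G1 is a path 0-1-2-3, G2 is G1 relabeled by SECRET.
G1 = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3)])
SECRET = [2, 0, 3, 1]                 # prover's private bijection G1 -> G2
G2 = relabel(G1, SECRET)

def commit_round(g1, n):
    """Prover: pick a random relabeling r of G1 and publish Gr."""
    r = list(range(n))
    secrets.SystemRandom().shuffle(r)
    return r, relabel(g1, r)

def respond(challenge, r, secret):
    """Challenge 1: show G1 -> Gr. Challenge 2: show G2 -> Gr."""
    if challenge == 1 or secret is None:
        return r                      # without the secret this is all the prover has
    inv = [0] * len(secret)
    for v, w in enumerate(secret):
        inv[w] = v                    # inv maps G2 labels back to G1 labels
    return [r[inv[w]] for w in range(len(r))]

def verify(challenge, g1, g2, gr, answer):
    """Verifier: the answer must be a bijection carrying the chosen graph onto Gr."""
    if sorted(answer) != list(range(len(answer))):
        return False
    source = g1 if challenge == 1 else g2
    return relabel(source, answer) == gr

def run_rounds(secret, rounds):
    """Number of rounds the prover passes against random challenges."""
    passed = 0
    for _ in range(rounds):
        r, gr = commit_round(G1, 4)
        c = secrets.choice((1, 2))    # verifier's coin, chosen after Gr is published
        passed += verify(c, G1, G2, gr, respond(c, r, secret))
    return passed

if __name__ == "__main__":
    print("knows bijection:", run_rounds(SECRET, 20), "of 20 rounds passed")
    print("does not know:  ", run_rounds(None, 20), "of 20 rounds passed")
```

In each round the verifier sees only one random relabeling, which is why a prover without the bijection is caught exactly when challenge 2 comes up.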
Zcash Cryptocurrency A privacy-preserving version of Bitcoin. Addresses and amounts for transactions involving “zerocoins” are not publicly visible in the blockchain. Nevertheless, the correctness of each transaction can be verified using a zero-knowledge proof.
Secure Multi-Party Computation Each party i holds an input xi. The parties wish to compute a function f(x1, x2, …, xn). No party should learn anything about any other party’s input except what is implied by the value of the function. - all in the absence of a trusted third party -
Two-Party Secure AND Computation Alice and Bob wish to know whether they mutually have feelings for each other. If both have feelings for the other, great! If Alice loves Bob but Bob does not love Alice back, Alice will be embarrassed -- she would not want Bob to know that she loves Bob (or vice versa)
Securely computing AND truth table
A  B  AND
0  0  0
0  1  0
1  0  0
1  1  1
both learn the other’s input by definition
Bob does not learn which case
Alice does not learn which case
Protocol Place Alice’s input cards, heart, Bob’s input cards in order, face down. Shuffle (cyclic shift). Reveal.
The Room Suppose there is a room with two doors on opposite walls and no windows. Alice and Bob walk to opposite doors. At an agreed time, if either party likes the other, they open their door and look across the room to the opposite door.
Yao’s Millionaires’ Problem Alice and Bob want to determine who has more millions. Suppose Alice has I millions and Bob has J millions, where 1 ≤ I,J ≤ 10. Neither party should learn anything about the net worth of the other except who has more millions.
Yao’s First Algorithm (Sketch) Bob picks a secret random number x and encrypts it with Alice’s public RSA key, C = E(x). Bob then sends m = C – J + 1 to Alice, which looks random. Alice decrypts m, m+1, m+2, …, m+9, i.e., Yi = D(m+i-1), 1 ≤ i ≤ 10. The Yi look like random numbers. YJ is Bob’s secret x, but Alice doesn’t know J and can’t distinguish YJ from the other Yi. Bob cannot compute the Yi (except YJ) because he can’t decrypt m, m+1, m+2, …, m+9. (For simplicity, let’s assume that none of the Yi are consecutive numbers.) For i ≤ I, Alice sets Wi = Yi. For i > I, Alice sets Wi = Yi + 1, i.e., Alice adds 1 to Yi for each i larger than her own wealth I. Alice sends W1, W2, …, W10 to Bob. If WJ = x, then Alice has more millions (I > J), otherwise Bob has more. Note Bob cannot compare the Wi to the Yi because he can’t compute the Yi.
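The message flow of the sketch above, carried through with the slide's symbols, as an added example that is not part of the original slides. Alice's key is a constructed toy textbook-RSA key (two small Mersenne primes, no padding) and the function names are assumptions; arithmetic on m is taken modulo N so that m+i-1 stays a valid ciphertext.

```python
import secrets

# Constructed toy key for Alice: far too small and unpadded for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))     # Alice's private exponent

def bob_first_message(j):
    """Bob: pick secret x, compute C = E(x), send m = C - J + 1."""
    x = secrets.randbelow(N - 2) + 1
    c = pow(x, E, N)
    return x, (c - j + 1) % N

def alice_reply(m, i_alice):
    """Alice: Y_i = D(m+i-1) for i = 1..10, then add 1 to every Y_i with i > I."""
    ys = [pow((m + i - 1) % N, D, N) for i in range(1, 11)]
    # Y_J equals Bob's x, but Alice cannot tell which position that is.
    return [y if i <= i_alice else y + 1 for i, y in enumerate(ys, start=1)]

def bob_decides(x, j, ws):
    """Bob: W_J == x means Alice left position J untouched, i.e. J <= I."""
    return ws[j - 1] == x

def w_j_equals_x(i_alice, j_bob):
    """Run the whole exchange; True when Bob finds W_J == x."""
    x, m = bob_first_message(j_bob)
    ws = alice_reply(m, i_alice)
    return bob_decides(x, j_bob, ws)

if __name__ == "__main__":
    for i_alice, j_bob in [(7, 3), (3, 7), (5, 5)]:
        print(f"I={i_alice} J={j_bob} W_J==x: {w_j_equals_x(i_alice, j_bob)}")
```

Because Alice leaves Wi = Yi for every i ≤ I, a tie (I = J) also produces WJ = x, so the check reports I ≥ J.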
Related Example Alice, Bob, and Trent bid in an auction. Only the second highest bid and the winning bidder should be revealed.
Multiparty TLS Computation Two parties hold shares of the split private RSA key. The parties implement functions such as decryption and signing without learning each other’s shares.