1 Slides by Roel Apfelbaum & Eti Ezra. Enhanced by Amit Kagan. Adapted from Oded Goldreich’s course lecture notes.

2 Notation Let A and B be a pair of ITMs (interactive TMs). ⟨A,B⟩(x) is the random variable representing the (local) output of B when interacting with machine A on common input x, when the random input to each machine is uniformly and independently chosen. 17.1

3 Zero Knowledge (Definition) Let (P,V) be an interactive proof system for some language L. We say that (P,V), actually P, is zero-knowledge if for every probabilistic polynomial-time ITM V* there exists a probabilistic polynomial-time machine M* s.t. the ensembles {⟨P,V*⟩(x)}_{x∈L} and {M*(x)}_{x∈L} are indistinguishable. Machine M* is called the simulator for the interaction of V* with P.

4 Perfect Zero Knowledge (Definition) Let (P,V) be an interactive proof system for some language L. We say that (P,V), actually P, is perfect zero-knowledge (PZK) if for every probabilistic polynomial-time ITM V* there exists a probabilistic polynomial-time machine M* s.t. for every x ∈ L the distributions {⟨P,V*⟩(x)}_{x∈L} and {M*(x)}_{x∈L} are identical, i.e., {⟨P,V*⟩(x)}_{x∈L} ≡ {M*(x)}_{x∈L}.

5 Example: A trivial simulator for V. Let V be a verifier that satisfies the definition of IP - when x ∈ L, V accepts with probability close to 1, and when x ∉ L, V accepts with probability close to 0. Let M be the simulator that always accepts. When x ∈ L the distributions ⟨P,V⟩(x) and M(x) are very close.

6 Statistically close distributions (Definition) The distribution ensembles {A_x}_{x∈L} and {B_x}_{x∈L} are statistically close or have negligible variation distance if for every polynomial p(·) there exists an integer N such that for every x ∈ L with |x| > N holds: Σ_α |Pr[A_x = α] – Pr[B_x = α]| < 1/p(|x|).

7 Statistical zero-knowledge (Definition) Let (P,V) be an interactive proof system for some language L. We say that (P,V), actually P, is statistical zero-knowledge (SZK) if for every probabilistic polynomial-time verifier V* there exists a probabilistic polynomial-time machine M* s.t. the ensembles {⟨P,V*⟩(x)}_{x∈L} and {M*(x)}_{x∈L} are statistically close.

8 Computationally indistinguishable (Definition) Two ensembles {A_x}_{x∈L} and {B_x}_{x∈L} are computationally indistinguishable if for every probabilistic polynomial-time distinguisher D and for every polynomial p(·) there exists an integer N such that for every x ∈ L with |x| > N holds: |Pr[D(x,A_x) = 1] – Pr[D(x,B_x) = 1]| < 1/p(|x|).

9 Computational zero-knowledge (Definition) Let (P,V) be an interactive proof system for some language L. (P,V), actually P, is computational zero-knowledge (CZK) if for every probabilistic polynomial-time verifier V* there exists a probabilistic polynomial-time machine M* s.t. the ensembles {⟨P,V*⟩(x)}_{x∈L} and {M*(x)}_{x∈L} are computationally indistinguishable.

10 Lemma: BPP ⊆ PZK. Proof: Since L ∈ BPP, V can be set to a probabilistic polynomial-time machine that decides L. P is deterministic and never sends data to V. Clearly (P,V) is an interactive proof system (completeness and soundness conditions hold). (P,V) is PZK because for every V*: {⟨P,V*⟩(x)}_{x∈L} ≡ {V*(x)}_{x∈L}. V* is a simulator for itself!

11 Graph isomorphism is in Zero-Knowledge. ISO := {(G1, G2) | G1 ≅ G2}. Construction (ZK IP for ISO): Common input: G1 = (V1, E1), G2 = (V2, E2). Let φ be an isomorphism between G1 and G2 (φ(G1) = G2). Suppose that |V1| = |V2| = n. 17.2

12 Construction (cont.) (P1): P selects a random permutation π over V1, constructs the set F where F := {(π(u), π(v)) : (u,v) ∈ E1}, and sends H = (V1, F) to V. (V1): V gets G' = (V', E') from P. V selects σ ∈_R {1,2} and sends it to P. P is supposed to answer with an isomorphism between G_σ and G'.

13 Construction (cont.) (P2): If σ = 1, then send ψ = π to V. Otherwise, send ψ = π∘φ^{-1} to V. (V2): If ψ is an isomorphism between G_σ and G' then V outputs 1, otherwise it outputs 0.

14 Construction (diagram) Prover: π ∈_R Sym([n]), H = π(G1); sends H to the Verifier. Verifier: σ ∈_R {1,2}; sends σ to the Prover. Prover: if σ = 1, send ψ = π, otherwise ψ = π∘φ^{-1}. Verifier: accept iff H = ψ(G_σ).

15 An example: Common input: two graphs G1 and G2 (drawn on the slide). Only P knows φ.

16 An example (cont.): Only P knows φ. P sends H to V. V sends σ = 2 to P. P answers ψ = π∘φ^{-1}; V gets ψ and accepts.

17 Theorem: Graph isomorphism is in Zero-Knowledge. Theorem 1: The construction above is a perfect zero-knowledge interactive proof system (with respect to statistical closeness).

18 Proof of Theorem 1. Completeness: If G1 ≅ G2, V always accepts. First, G' = π(G1). If σ = 1 then ψ = π, hence ψ(G_σ) = ψ(G1) = π(G1) = G'. If σ = 2 then ψ = π∘φ^{-1}, hence ψ(G_σ) = π∘φ^{-1}(G2) = π(G1) = G'. And hence V always accepts when G1 ≅ G2.

19 Proof of Theorem 1 (cont.) Soundness: Let P* be any prover. If it sends to V a graph isomorphic to neither G1 nor G2, then there is no isomorphism between G_σ and G', hence V rejects. W.l.o.g., if G' ≅ G1 then P* can convince V with probability at most 1/2 (V selects σ ∈ {1,2} uniformly). Hence, when G1 and G2 are non-isomorphic: Pr[⟨P*,V⟩(G1,G2) = accept] ≤ 1/2.
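The protocol of slides 11-19 written out in Python, as an added example that is not code from the course notes. The graphs G1 and STAR, the isomorphism PHI and the node set are constructed sample inputs. `honest_round` runs (P1), (V1), (P2), (V2) once; `cheating_success` plays a prover that is handed a non-isomorphic pair, sends H = π(G1) as in the soundness proof, and then answers each of the two challenges as well as any prover possibly could (here by exhaustive search over the 4! permutations), which exhibits the 1/2 bound directly.

```python
"""Graph-isomorphism interactive proof of slides 11-19 (added example, not from the notes).

Graphs are frozensets of 2-element frozensets (undirected edges, no self-loops);
permutations are dicts node -> node.
"""
import random
from itertools import permutations

NODES = (1, 2, 3, 4)
# Constructed sample input: G1 is the path 1-2-3-4; only the prover knows PHI, and PHI(G1) = G2.
G1 = frozenset({frozenset({1, 2}), frozenset({2, 3}), frozenset({3, 4})})
PHI = {1: 3, 2: 1, 3: 4, 4: 2}
# STAR (centre 1) has degree sequence (3,1,1,1) and is therefore not isomorphic to the path.
STAR = frozenset({frozenset({1, 2}), frozenset({1, 3}), frozenset({1, 4})})


def apply_perm(perm, graph):
    """Relabel every edge of `graph` by `perm`: the graph perm(graph)."""
    return frozenset(frozenset(perm[v] for v in e) for e in graph)


G2 = apply_perm(PHI, G1)  # the second common input


def compose(outer, inner):
    """outer ∘ inner, i.e. v -> outer[inner[v]]."""
    return {v: outer[inner[v]] for v in inner}


def invert(perm):
    return {v: u for u, v in perm.items()}


def random_perm(rng):
    shuffled = list(NODES)
    rng.shuffle(shuffled)
    return dict(zip(NODES, shuffled))


def prover_p1(g1, rng):
    """(P1): pick pi uniformly, send H = pi(g1); pi is kept for step P2."""
    pi = random_perm(rng)
    return pi, apply_perm(pi, g1)


def prover_p2(pi, phi, sigma):
    """(P2): psi = pi if sigma = 1, else psi = pi ∘ phi^-1, so that psi(G_sigma) = H."""
    return pi if sigma == 1 else compose(pi, invert(phi))


def verifier_v2(g1, g2, H, sigma, psi):
    """(V2): accept iff psi is an isomorphism from G_sigma onto H."""
    return apply_perm(psi, g1 if sigma == 1 else g2) == H


def honest_round(g1, g2, phi, rng):
    pi, H = prover_p1(g1, rng)
    sigma = rng.choice((1, 2))  # (V1): the verifier's uniformly random challenge
    return verifier_v2(g1, g2, H, sigma, prover_p2(pi, phi, sigma))


def best_response(g_sigma, H):
    """Any isomorphism psi with psi(g_sigma) == H, found by exhaustive search (fine for n = 4);
    None when g_sigma and H are not isomorphic, in which case no prover can answer."""
    for p in permutations(NODES):
        psi = dict(zip(NODES, p))
        if apply_perm(psi, g_sigma) == H:
            return psi
    return None


def cheating_success(g1, g2, rng):
    """g1 and g2 non-isomorphic: P* sends H = pi(g1) (w.l.o.g., slide 19) and answers as well
    as anything could. Returns the fraction of the two equally likely challenges it survives."""
    pi, H = prover_p1(g1, rng)
    survived = 0
    for sigma in (1, 2):
        psi = best_response(g1 if sigma == 1 else g2, H)
        if psi is not None and verifier_v2(g1, g2, H, sigma, psi):
            survived += 1
    return survived / 2


def completeness_check(rounds=50, seed=1):
    """Honest prover on (G1, G2): V must accept in every round."""
    rng = random.Random(seed)
    return all(honest_round(G1, G2, PHI, rng) for _ in range(rounds))


def soundness_check(seed=1):
    """Cheating prover on the non-isomorphic pair (G1, STAR): survives exactly half the challenges."""
    return cheating_success(G1, STAR, random.Random(seed))


if __name__ == "__main__":
    print("completeness:", completeness_check())
    print("cheater survives fraction:", soundness_check())
```

Each round leaves a cheating prover a 1/2 chance; running the round k times independently brings the soundness error to 2^{-k}, which is the repetition the later slides refer to. Note that the verifier needs only `apply_perm` and an equality test, so verification is polynomial; the exhaustive search lives only on the cheater's side.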

20 Zero Knowledge (Construction of a simulator) Let V* be any polynomial-time verifier, and let q(·) be a polynomial bounding the running time of V*. M* selects a string r ∈_R {0,1}^{q(|x|)} (pictured on the slide as a bit string r = …011).

21 Construction of a Simulator (cont.) M* selects τ ∈_R {1,2}. M* selects a random permutation ψ over V_τ. M* constructs G'' = ψ(G_τ). (Pictured: τ = 2, so G'' = ψ(G2); e.g. ψ(2) = 1.)

22 Construction of a Simulator (cont.) M* runs V* with the latter's tapes set as follows: input tape x, random tape r, message tape G''. Denote V*'s output (its challenge) by σ. If it were the case that σ ≠ τ, then the simulation would fail. M* halts with output (x, r, G'', ψ).

23 Proof of Theorem 1 (cont.) Zero-knowledge: Construct a simulator M* as follows: Let q(·) be a polynomial bounding the running time of V*. M* selects a string r ∈_R {0,1}^{q(|x|)} as the contents of the random tape of V*. Simulating (P1): M* randomly selects a “bit” τ ∈ {1,2} and a permutation ψ (on the set V_τ), then constructs G'' = ψ(G_τ).

24 Construction of M* (cont.) Simulating (V1): M* puts x on V*'s common input tape, puts r on V*'s random tape and puts G'' on V*'s incoming-messages tape. After executing V* (in a polynomial number of steps), M* reads the outgoing message of V*, denoted σ (assume σ ∈ {1,2}; otherwise P may ignore σ and wait for a valid one). Simulating (P2): if σ = τ then M* halts with output (x, r, G'', ψ). Otherwise (failure of the simulation), M* halts with ⊥.

25 Proof of Theorem 1 (cont.) Definition: Let (P,V) be an interactive proof system for L. (P,V) is perfect zero-knowledge by view if for every probabilistic polynomial-time verifier V* there exists a probabilistic polynomial-time machine M* s.t. for every x ∈ L holds: {view_{V*}^P(x)}_{x∈L} ≡ {M*(x)}_{x∈L}, where view_{V*}^P(x) is the final view of V* after running on input x and interacting with P (view = all the data a machine possesses).

26 Proof of Theorem 1 (cont.) Lemma: An interactive proof system is perfect zero-knowledge iff it is perfect zero-knowledge by view. Proof: (⇐) Let M* satisfy {view_{V*}^P(x)}_{x∈L} ≡ {M*(x)}_{x∈L} for every x ∈ L. M* has on its work tape the final view of V*. Hence, it is able to perform the last step of V* and output the result. And so the modified M*(x) is identical to ⟨P,V*⟩(x).

27 Proof of lemma (cont.) (⇒) Let M* satisfy {⟨P,V*⟩(x)}_{x∈L} ≡ {M*(x)}_{x∈L}. For a particular V*, let us consider a verifier V** that behaves exactly like V*, but outputs its whole view (at the end). There is a machine M** s.t. {⟨P,V**⟩(x)}_{x∈L} ≡ {M**(x)}_{x∈L}; since ⟨P,V**⟩(x) is exactly view_{V*}^P(x), M** is a simulator by view for V*.

28 Proof of Theorem 1 (cont.) Lemma: Let x = (G1, G2) ∈ ISO. Then for every string r, graph H and permutation ψ, it holds that: Pr[view_{V*}^P(x) = (x, r, H, ψ)] = Pr[M*(x) = (x, r, H, ψ) | M*(x) ≠ ⊥]. Proof: Let m* describe M* conditioned on its output not being ⊥. Define the 2 random variables: 1. v(x,r) - the last 2 elements of view_{V*}^P(x) conditioned on the second element equalling r. 2. μ(x,r) - the same with m*(x).

29 Proof of lemma (cont.) Let v*(x,r,H) denote the message sent by V* for a fixed r and an incoming message H. We will show that v(x,r) and μ(x,r) are both uniformly distributed over the set C_{x,r} := {(H, ψ) : H = ψ(G_{v*(x,r,H)})}. While running the simulator we have H = ψ(G_τ), and only the pairs satisfying τ = v*(x,r,H) lead to an output. Hence: Pr[μ(x,r) = (H, ψ)] = 1/|V1|! if H = ψ(G_{v*(x,r,H)}), and 0 otherwise.

30 Proof of lemma (cont.) Consider v(x,r): v(x,r) = (π(G1), π) if v*(x,r,π(G1)) = 1, and (π∘φ^{-1}(G2), π∘φ^{-1}) otherwise (note that π∘φ^{-1}(G2) = π(G1) = H in both cases). For each H (which is isomorphic to G1): Pr[v(x,r) = (H, ψ)] = 1/|V1|! if ψ = π∘φ^{1−v*(x,r,H)}, and 0 otherwise. Observing that H = ψ(G_{v*(x,r,H)}) iff ψ = π∘φ^{1−v*(x,r,H)}, the lemma follows. ∎

31 Proof of Theorem 1 (cont.) Corollary: view_{V*}^P(x) and M*(x) are statistically close. Proof: A failure ⊥ is output with probability 1/2. If the simulator repeats steps P1-P2 of the construction |x| times and at least once at step P2 σ = τ, then it outputs (x, r, G'', ψ). If in all |x| trials σ ≠ τ, then it outputs rubbish. Hence, we get a statistical difference of 2^{-|x|}, and so the corollary follows.
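The simulator of slides 20-31, as an added Python example that is not code from the notes. `simulator` fixes V*'s random tape r, guesses τ, sends G'' = ψ(G_τ), keeps the run only when V*'s challenge equals τ, and retries as in the corollary. The verifier `adversarial_v_star` (a deterministic V* whose challenge depends on H and r), the graphs and PHI are constructed for this example. The two support functions enumerate, for n = 4, the pairs (H, ψ) that the real interaction and the simulator can produce for a fixed r, so the lemma of slide 28 is checked exhaustively rather than by sampling; PHI is used only on the real-prover side, never by the simulator.

```python
"""Simulator M* for the graph-isomorphism proof (slides 20-31). Added example, not from the notes.
Graphs are frozensets of 2-element frozensets, permutations are dicts node -> node."""
import random
from itertools import permutations

NODES = (1, 2, 3, 4)
# Constructed common input: G1 is the path 1-2-3-4 and G2 = PHI(G1). The simulator never touches
# PHI; it is used only to compute what the honest prover would have sent.
G1 = frozenset({frozenset({1, 2}), frozenset({2, 3}), frozenset({3, 4})})
PHI = {1: 3, 2: 1, 3: 4, 4: 2}


def apply_perm(perm, graph):
    return frozenset(frozenset(perm[v] for v in e) for e in graph)


G2 = apply_perm(PHI, G1)
X = (G1, G2)


def compose(outer, inner):
    return {v: outer[inner[v]] for v in inner}


def invert(perm):
    return {v: u for u, v in perm.items()}


def all_perms():
    return [dict(zip(NODES, p)) for p in permutations(NODES)]


def adversarial_v_star(x, r, H):
    """A deterministic cheating verifier V* (constructed for this example): its challenge depends
    on the received graph H and on its random tape r, so M* cannot know sigma before sending G''."""
    deg1 = sum(1 for e in H if 1 in e)
    return 1 if (deg1 + int(r[0])) % 2 == 0 else 2


def simulator(x, v_star, q, rng, trials):
    """M*: fix r, then repeat P1-P2 up to `trials` times (slide 31). Returns (x, r, G'', psi)
    on success and None (standing for ⊥) if every trial had sigma != tau."""
    g1, g2 = x
    r = "".join(rng.choice("01") for _ in range(q))   # contents of V*'s random tape
    for _ in range(trials):
        tau = rng.choice((1, 2))                       # M*'s guess of the challenge
        shuffled = list(NODES)
        rng.shuffle(shuffled)
        psi = dict(zip(NODES, shuffled))
        g_pp = apply_perm(psi, g1 if tau == 1 else g2)  # G'' = psi(G_tau)
        if v_star(x, r, g_pp) == tau:                  # run V* on tapes (x, r, G'')
            return x, r, g_pp, psi
    return None


def in_C(x, r, H, psi, v_star):
    """Membership in C_{x,r} := {(H, psi) : H = psi(G_{v*(x,r,H)})} (slide 29)."""
    g1, g2 = x
    return H == apply_perm(psi, g1 if v_star(x, r, H) == 1 else g2)


def key(H, psi):
    return H, tuple(sorted(psi.items()))


def real_support(x, phi, r, v_star):
    """Support of v(x,r): every (H, psi) the honest prover produces against V* on random tape r.
    Each of the |V1|! choices of pi gives a distinct pair, so the distribution is uniform."""
    g1, _ = x
    out = set()
    for pi in all_perms():
        H = apply_perm(pi, g1)
        psi = pi if v_star(x, r, H) == 1 else compose(pi, invert(phi))
        out.add(key(H, psi))
    return out


def sim_support(x, r, v_star):
    """Support of mu(x,r): every (H, psi) a successful simulator trial can output for tape r.
    Each successful (tau, psi) gives a distinct pair, so this distribution is uniform too."""
    g1, g2 = x
    out = set()
    for tau in (1, 2):
        for psi in all_perms():
            H = apply_perm(psi, g1 if tau == 1 else g2)
            if v_star(x, r, H) == tau:
                out.add(key(H, psi))
    return out


def demo(seed=7, r="0110"):
    """Slide 28's lemma for n = 4: both supports are the same set of |V1|! = 24 equally likely
    pairs, and an actual simulator run (64 trials, failure probability 2^-64) lands inside it."""
    same = real_support(X, PHI, r, adversarial_v_star) == sim_support(X, r, adversarial_v_star)
    size_ok = len(sim_support(X, r, adversarial_v_star)) == 24
    out = simulator(X, adversarial_v_star, q=len(r), rng=random.Random(seed), trials=64)
    run_ok = out is not None and in_C(out[0], out[1], out[2], out[3], adversarial_v_star)
    return same and size_ok and run_ok
```

The check in `demo` is the heart of the zero-knowledge argument: the simulator knows no isomorphism, yet the set of transcripts it can emit for a given r coincides with the honest prover's, and both are uniform over it. A single trial succeeds with probability exactly 1/2 whatever (deterministic) strategy V* uses, because ψ(G1) and ψ(G2) are identically distributed when ψ is uniform.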

32 Zero-Knowledge for NP. Reminder: NP is like IP with 1/2 round. We can define NP-ZK as ZK with 1/2 round, but it would be equivalent to BPP: Lemma: If L admits a zero-knowledge NP-proof system, then L ∈ BPP. Proof: The simulator for accepting L is a BPP machine: run it on x and feed its output to the NP verifier; for x ∈ L the simulated proof is accepted with high probability, and for x ∉ L no accepting proof exists. 17.3

33 G3C. Common input: a graph. P can paint the graph in 3 colors. P must keep the coloring a secret.

34 G3C is in Zero-Knowledge. Construction (ZK IP for G3C): P chooses a random color permutation. He puts all the nodes inside envelopes and sends them to the verifier.

35 G3C is in ZK (cont.) The verifier receives a 3-colored graph, but the colors are hidden. He chooses an edge at random and asks the prover to open the 2 envelopes.

36 G3C is in ZK (cont.) The prover opens the envelopes, revealing the colors. The verifier accepts if the colors are different.

37 Formally, G = (V,E) is 3-colorable if there exists a mapping φ: V → {1,2,3} so that φ(u) ≠ φ(v) for every (u,v) ∈ E. Let ψ be a 3-coloring of G, and let π be a permutation over {1,2,3} chosen at random. Define a random 3-coloring φ(v) := π(ψ(v)). Put each φ(v) in a box with v marked on it. Send all the boxes to the verifier.

38 Formally, (cont.) The verifier selects an edge (u,v) ∈ E at random, asking to inspect the colors. The prover sends the keys to boxes u and v. The verifier uses the keys to open the boxes. If he finds 2 different colors from {1,2,3} - Accept. Otherwise - Reject.

39 G3C (diagram) P → V: boxes marked 1, 2, …, n containing φ(1), φ(2), …, φ(n). V → P: an edge (u,v). P → V: key u, key v.

40 The construction is in ZK: Completeness: If G is 3-colorable and both P and V follow the rules, V will accept. Soundness: Suppose G is not 3-colorable and P* tries to cheat. Then at least one edge (u,v) will be colored badly: φ(u) = φ(v). V will pick a bad edge with probability 1/|E|, which can be increased to 2/3 by repeating the protocol sufficiently many times.

41 Zero Knowledge (Construction of a simulator) Let V* be any polynomial-time verifier, and let q(·) be a polynomial bounding the running time of V*. M* selects a string r ∈_R {0,1}^{q(|x|)} (pictured on the slide as r = …110).

42 Construction of a Simulator (cont.) M* selects e' = (u',v') ∈_R E. M* sends to V* boxes filled with garbage, except for the boxes of u' and v', which are colored c ∈_R {1,2,3} and d ∈_R {1,2,3} \ {c} respectively. If V* picks (u',v'), M* sends V* their keys and the simulation is completed. Otherwise, the simulation fails.

43 Analysis of the Simulation For every G ∈ G3C, the distribution of m*(G) = M*(G) | (M*(G) ≠ ⊥) is identical to ⟨P,V*⟩(G). Since V* can't tell e' from other edges by looking at the boxes, he picks e' with probability 1/|E|, which can be increased to a constant by repeating M* sufficiently many times. So if the boxes are perfectly sealed, G3C ∈ PZK. ∎

44 Commitment Scheme. Digital implementation of a “sealed box”. A commitment scheme is a 2-phase protocol satisfying: Secrecy: at the end of phase #1, R (the Receiver) can't tell what value is being sent. Unambiguity: given the transcript of phase #1, there is at most one value R may accept as legal at phase #2.

45 Commitment Scheme. Denote by S(s,σ) the message S (the Sender) sends to R when committing itself to bit σ and his random coins are s. Secrecy means S(s,0) and S(s,1) are computationally indistinguishable. Unambiguity means R can't be fooled into thinking S(s,0) = S(s',1) for any s and s'.

46 Commitment Scheme. Unambiguity: Denote by r the coin tosses of R, and by View(R) everything known to R after having received m (S(s,σ) in this case) and tossed r. Denote by View(S) everything known to S from s and σ. Then for all but a negligible fraction of r's there is no m for which there are s and s' s.t. View(S) = (s,0) and View(R) = (r,m), and View(S) = (s',1) and View(R) = (r,m).

47 Commitment Scheme. Construction: f: {0,1}^n → {0,1}^n is a one-way permutation; b: {0,1}^n → {0,1} is its hard-core bit. S wants to send v ∈ {0,1} to R. Phase #1: S selects s ∈_R {0,1}^n and sends (f(s), b(s) ⊕ v) to R, who stores them as (α, β) respectively. Phase #2: S sends s as the key. R calculates v = β ⊕ b(s), and accepts if f(s) = α. Otherwise it rejects.

48 Commitment Scheme. Proposition: This protocol is a bit commitment scheme. Proof: Secrecy: For every receiver R* consider the distribution ensembles of R*'s view when S commits to 0, (f(s), b(s)), and when S commits to 1, (f(s), b(s) ⊕ 1), over s ∈_R {0,1}^n. b(s) is unpredictable given f(s), and so the two ensembles are computationally indistinguishable.

49 Commitment Scheme. Unambiguity follows from f being one-to-one. ∎

50 G3C + Commitment Scheme. Proposition: G3C that uses bit commitment schemes instead of “magic boxes” is computational zero-knowledge. Proof: Completeness: P can convince V by sending the “right keys” of the commitment schemes for the colors of the vertices V selected. 17.8

51 G3C + Commitment Scheme. Soundness: Commitment scheme unambiguity ensures soundness is still satisfied. P may succeed in cheating V at phase #2 of the commitment (in addition to the possibility that V won't select a badly colored edge). However, this increases only by a little the probability of accepting G ∉ G3C.

52 G3C + Commitment Scheme. Computational Zero-Knowledge: Let M* be the simulator for V* from the previous proof. 1) Pr[M*(x) = ⊥] is still small enough. 2) The ensembles {m*(G)}_{G∈G3C} and {⟨P,V*⟩(G)}_{G∈G3C} are computationally indistinguishable.

53 G3C + Commitment Scheme. Computational Zero-Knowledge (cont.): Namely, for every probabilistic polynomial-time algorithm A, every polynomial p(·), and every sufficiently large graph G = (V,E):

54 Blackbox Zero Knowledge. Definition: Let (P,V) be an IP for a language L. (P,V) is black-box zero-knowledge if there exists an oracle machine M s.t. for every verifier V* the ensembles {⟨P,V*⟩(x)}_{x∈L} and {M^{V*}(x)}_{x∈L} are indistinguishable. 17.9

55 Blackbox Zero Knowledge. Theorem (given without proof): If there is a (P,V) with negligible error probability for language L that satisfies: - public-coin proof system, - constant number of rounds, - black-box zero-knowledge, then L ∈ BPP.

56 Blackbox Zero Knowledge. Black-box ZK is preserved under sequential composition. Black-box ZK is not preserved under parallel composition!!! G3C is black-box zero-knowledge.

57 Blackbox Zero Knowledge. G3C's failure probability is 1 − 1/|E|, hence it is not negligible. The error becomes negligible by repeating G3C polynomially many times, sequentially or in parallel. Sequential repetition - the number of rounds is not constant. Parallel repetition - not black-box.

58 Blackbox Zero Knowledge. If G3C could satisfy Theorem 11 (the theorem above), then G3C ∈ BPP and hence NP ⊆ BPP. All known ZK systems are black-box. ZK for a language outside BPP should either use a non-constant number of rounds or use private coins.

59 Randomness and ZK. In IP, V must be random to satisfy soundness. In ZK, P must be random to satisfy zero-knowledge. If L has a ZK proof in which either P or V is deterministic, then L ∈ BPP.