Zero Knowledge Proofs. 20 Years after its Invention
Author: Oded Goldreich, Dept. of CS & Applied Mathematics, Weizmann Institute of Science, Israel. Presented by Mr. Sameer Seth.

Abstract
Zero-knowledge proofs are proofs that are both convincing and yet yield nothing beyond the validity of the assertion being proved. We will survey the main developments regarding zero-knowledge, starting from the basic definitions and reaching the most recent and sophisticated results in this area.
Contents
Introduction
The Basics
  Preliminaries
  Interactive Proofs & Argument Systems
  Computational Difficulty and One-Way Functions
Definitional Issues
  The Basic Definition
  Variants
    Universal & Black-Box Simulators
    Honest Verifier vs. General Cheating Verifier
    Statistical vs. Computational ZK
    Strict vs. Expected Probabilistic Polynomial Time
Advanced Topics
  Composing ZK Protocols
    Sequential Composition
    Parallel Composition
    Concurrent Composition (with & without timing)
  ZK Proofs in Other Models
Introduction
Zero-knowledge proofs are fascinating because of their seemingly contradictory definition, and they are extremely useful constructs. They are typically used to force malicious parties to behave according to a predetermined protocol. Typical applications of ZK proofs are:
Preservation of security under various forms of protocol composition
Use of the adversary's program within the proof of security

Basics (Definition)
Zero-knowledge is formulated by saying that anything that is feasibly computable from a ZK proof is also feasibly computable from the assertion itself. Variants on the basic definition are:
Consideration of auxiliary inputs
Mandating universal and black-box simulations
Restricting attention to honest verifiers
The level of similarity required of the simulation
Zero-knowledge proofs exist for any NP-set, provided that one-way functions exist.
Example of ZK Proof system
Preliminaries
Modern cryptography is concerned with the construction of efficient schemes for which it is infeasible to violate the security feature. The computations of the legitimate users of the scheme ought to be efficient, whereas violating the security feature ought to be infeasible. Efficient computations are commonly modeled by computations that are polynomial-time in the security parameter; the polynomial bounding the running time of the legitimate user's strategy is fixed and typically explicit.
Randomized computations play a central role in the definition of ZK: we allow the legitimate users to employ randomized computations. This brings up the issue of success probability. Typically we require legitimate users to succeed with probability 1 (or very close to 1) and adversaries to succeed with negligible probability. A rare event should occur rarely even if we repeat the experiment a feasible number of times.
Preliminaries
We consider negligible any function A : N → [0,1] that vanishes faster than the reciprocal of any polynomial.
Interactive Proofs and Argument Systems
The standard notion of static proofs will not do, because static ZK proofs exist only for sets that are easy to decide, whereas we are interested in arbitrary NP-sets. We will use the notion of an interactive proof. Here the proof is a (multi-round) randomized protocol for two parties, verifier and prover, in which the prover wishes to convince the verifier of the validity of a given assertion. Both the completeness and the soundness condition should hold with high probability. The verifier has to be probabilistic polynomial-time. If the assertion is false, the verifier must reject with noticeable probability, no matter what strategy is applied by the prover.
Interactive Proofs: Definition
An IP system for a set S is a two-party game between a verifier executing a probabilistic polynomial-time strategy and a prover executing a computationally unbounded strategy, satisfying:
Completeness: For every x ∈ S, the verifier V always accepts after interacting with the prover P on common input x.
Soundness: For some polynomial p, it holds that for every x ∉ S and every potential strategy P*, the verifier V rejects with probability at least 1/p(|x|) after interacting with P* on common input x.
Computational soundness error can be reduced by sequential repetitions, but it cannot always be reduced by parallel repetitions.
Computational Difficulty and One-Way Functions
Most positive results regarding ZK proofs are based on intractability assumptions.
Definition of one-way functions. A function f : {0,1}* → {0,1}* is called one-way if the following two conditions hold.
1. Easy to evaluate: There exists a polynomial-time algorithm A such that A(x) = f(x) for every x ∈ {0,1}*.
2. Hard to invert: For every family of polynomial-size circuits {Cn}, every polynomial p, and all sufficiently large n,
Pr[ Cn(f(x)) ∈ f^{-1}(f(x)) ] < 1/p(n),
where the probability is taken uniformly over all possible choices of x ∈ {0,1}^n.
Basic Definition
An interactive strategy A is zero-knowledge on the set S if, for every feasible strategy B*, there exists a feasible computation C* such that the following probability ensembles are computationally indistinguishable:
1. {(A,B*)(x)} = the output of B* after interacting with A on common input x, and
2. {C*(x)} = the output of C* on input x.
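As an added worked example (not one of the slides, and not Goldreich's own code), the interactive-proof definition and the basic ZK definition above are made concrete with the classic graph-isomorphism proof system of Goldreich, Micali and Wigderson, in Python: an honest prover P holding the isomorphism, an honest verifier V, a witness-less prover that exhibits the 1/2 soundness error per round and its reduction by sequential repetition, and a black-box simulator C* that produces transcripts without the witness for honest and cheating verifier programs alike. The graphs G0, G1, G2 and the witness PI are constructed for this example.

```python
import random

# Constructed sample input (not from the slides): G1 = PI(G0) is isomorphic to G0 via the
# witness PI; G2 (a star) has the same edge count as G0 but is not isomorphic to it.
N = 4
G0 = frozenset({(0, 1), (1, 2), (2, 3)})
PI = [2, 0, 3, 1]
G2 = frozenset({(0, 1), (0, 2), (0, 3)})

def apply_perm(perm, graph):
    """Relabel every undirected edge of graph by perm (a list mapping old vertex -> new)."""
    return frozenset(tuple(sorted((perm[u], perm[v]))) for u, v in graph)

G1 = apply_perm(PI, G0)

def honest_prover(g0, g1, pi, rng):
    """Commit to a random relabelling h of g1; the returned closure answers the challenge b."""
    sigma = rng.sample(range(len(pi)), len(pi))      # uniform random permutation
    h = apply_perm(sigma, g1)
    # b == 1: reveal sigma (maps g1 onto h); b == 0: reveal sigma∘pi (maps g0 onto h).
    return h, lambda b: sigma if b == 1 else [sigma[pi[v]] for v in range(len(pi))]

def cheating_prover(g0, g1, n, rng):
    """Without a witness the prover can only pre-guess b; the answer fits with probability 1/2."""
    guess, tau = rng.randrange(2), rng.sample(range(n), n)
    return apply_perm(tau, (g0, g1)[guess]), lambda b: tau

def verify(g0, g1, h, b, tau):
    """Verifier's check: the revealed permutation must map the challenged graph g_b onto h."""
    return apply_perm(tau, (g0, g1)[b]) == h

def run_rounds(g0, g1, prover, rounds, rng):
    """Sequential repetition with an honest verifier: soundness error drops to 2^-rounds."""
    for _ in range(rounds):
        h, answer = prover(rng)
        b = rng.randrange(2)                      # honest verifier's coin toss
        if not verify(g0, g1, h, b, answer(b)):
            return False
    return True

def simulate(g0, g1, n, verifier, rng):
    """Black-box simulator: produce a round transcript (h, b, tau) without knowing pi by guessing
    b, running the (possibly cheating) verifier program on h, and rewinding when the guess misses."""
    while True:
        guess, tau = rng.randrange(2), rng.sample(range(n), n)
        h = apply_perm(tau, (g0, g1)[guess])
        if verifier(h) == guess:
            return h, guess, tau
```

The simulator rewinds until its guess matches, so it runs in expected rather than strict polynomial time, which is exactly the strict-versus-expected distinction drawn among the variants below.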
Variants: Universal and Black-Box Simulation
A further strengthening of the definition is obtained by requiring the existence of a universal simulator, denoted C, that is given the program of the verifier as an auxiliary input. That is, in terms of the definition, one should replace C*(x,z) by C(x,z,⟨B*⟩), where ⟨B*⟩ denotes the description of the program B*. Therefore we effectively restrict the simulation by requiring that it be a uniform function of the verifier's program.
Variants: Honest Verifier vs. General Cheating Verifier
We typically view the verifier as an adversary that is trying to cheat. A weaker but still interesting notion of ZK refers to what can be gained by an honest verifier that interacts with the prover as directed, with the exception that it may maintain a record of the entire interaction. Although such a weaker notion is not satisfactory for standard cryptographic applications, it is a fascinating notion from a conceptual as well as a complexity-theoretic point of view.
Variants: Statistical vs. Computational Zero-Knowledge
Perfect zero-knowledge (PZK) requires that the two probability ensembles be identical.
Statistical zero-knowledge (SZK) requires that these probability ensembles be statistically close (the variation distance between them is negligible).
Computational zero-knowledge (CZK) requires that these probability ensembles be computationally indistinguishable.
CZK is the most liberal notion, and is the notion considered in the basic definition.
Variants: Strict vs. Expected Probabilistic Polynomial Time
Strict PPT: There exists a bound on the number of steps in each possible run of the machine, regardless of the outcome of its coin tosses.
Expected PPT: The standard approach is to look at the running time as a random variable and bound its expectation; an alternative treatment of this random variable is preferable.
Advanced Topics
The first question regarding ZK proofs refers to the preservation of their security under various types of composition operations. The main facts for ZK protocols are:
ZK is closed under sequential composition.
ZK is not closed under parallel composition, yet some ZK protocols preserve their security when many copies are executed in parallel.
Some ZK proofs preserve their security when many copies are executed concurrently, but such a result is not known for constant-round protocols.
For 15 years, all known proofs of security used the adversary's program as a black box, and it was believed that there is no use in having access to the code of the adversary's program. This belief was refuted by a ZK argument that has important properties that are unachievable by black-box simulation.
When we talk of composition of protocols, we mean that honest users are supposed to follow the prescribed program; that is, the actions of honest users in one execution are independent of the messages they received in previous executions.
Sequential Composition
In this case, the protocol is invoked (polynomially) many times, where each invocation follows the termination of the previous one. At the very least, security should be preserved under sequential composition, or else the applicability of the protocol is highly limited. Every protocol that is ZK (under the definition) is sequential zero-knowledge.
Parallel Composition
In this case many instances of the protocol are invoked at the same time and proceed at the same pace. Here we assume a synchronous model and consider many executions that are totally synchronized, so that the i-th message in all instances is sent at exactly the same time. In the early days, parallel composition was interpreted mainly in the context of round-efficient error reduction. Since then, alternative ways of constructing constant-round ZK proofs were found, and interest in parallel composition has died. In retrospect, parallel composition helped to capture preservation of security. Under standard intractability assumptions, every NP-set has a constant-round parallel ZK proof.
Concurrent Composition (with & without timing)
Concurrent composition generalizes both sequential and parallel composition. Here many instances of the protocol are invoked at arbitrary times and proceed at an arbitrary pace; therefore we assume an asynchronous model of communication. When extensive multi-party computations became a reality, it became clear that it is desirable that cryptographic protocols maintain their security under concurrent composition. Two models are discussed in the literature:
Concurrent composition in the asynchronous model
Concurrent composition in the timing model
Concurrent Composition in the Asynchronous Model
In comparison to the timing model, the pure asynchronous model is simpler and using it requires no assumptions about the underlying communication channels; however, it seems harder to construct ZK proofs for this model. Research has focused on determining the round complexity of concurrent ZK proofs for NP. The current state of the art is as follows:
Under standard intractability assumptions, every language in NP has a concurrent ZK proof with almost logarithmically many rounds. Furthermore, the ZK property can be demonstrated by a black-box simulator.
A black-box simulator cannot demonstrate the concurrent ZK property of non-trivial proofs having significantly less than logarithmically many rounds.
Recently it was demonstrated that the black-box simulator barrier can be bypassed for NP, with protocols that maintain security as long as an a-priori bounded number of executions take place concurrently.
Concurrent Composition under the Timing Model
This model was introduced by Dwork. It assumes that each party holds a local clock such that the relative clock rates are bounded by an a-priori known constant, and considers protocols that employ time-driven operations. The disadvantages of the timing model are:
The timing model consists of the assumption that talking about the actual timing of events is meaningful, and of the introduction of time-driven operations.
The timing-model assumption amounts to postulating that each party holds a local clock and knows a global bound, denoted by ρ ≥ 1, on the relative rates of the local clocks.
But in our opinion these timing assumptions are reasonable, and are unlikely to restrict the scope of applications.
Zero-Knowledge in Other Models
Multi-prover interactive proofs: In a multi-prover interactive proof, the prover is split into several entities, and the restriction is that these entities cannot interact with each other. Actually, the formulation allows them to coordinate their strategies prior to interacting with the verifier, but it is crucial that they do not exchange messages among themselves. E.g., the police interrogating all the suspects individually.
Strict computational soundness: The prover's running time is monitored by the verifier, which may run for a longer time, and the prover's utility is due to an auxiliary input that it has.