Published by Makenna Hadwin. Modified over 9 years ago.
1
The Complexity of Zero-Knowledge Proofs Salil Vadhan Harvard University
2
A Successful Marriage
Complexity Theory: Which problems are “computationally hard” to solve?
Cryptography: Design protocols that are “computationally hard” to break.
[Figure: arrows between the two fields, labelled “hard problems, techniques” and “revisit notions, adversarial view”]
3
Two Areas of Interaction
Pseudorandomness: generating objects that “look random” despite being constructed with little or no randomness.
–Cryptography: many unpredictable bits from short key
–Complexity: power of randomized algs (RP vs. P, RL vs. L)
Zero-knowledge proofs: interactive proofs that reveal nothing other than validity of assertion being proven
–Cryptography: central in study of crypto protocols
–Complexity: augments NP ↔ “efficiently verifiable proofs”
4
This Talk
Complexity-theoretic study of zero-knowledge proofs:
–Characterize the expressiveness of ZK.
–Prove general theorems about ZK.
–Minimize or eliminate complexity assumptions.
5
Promise Problems [ESY84]
P = { : can decide if x ∈ Y or x ∈ N in poly(|x|) time} = “feasible problems”
[Figure: a Language divides inputs into YES and NO; a Promise Problem divides inputs into YES, NO and excluded inputs]
6
3-COLORING
Given: a map M
Decide: can it be colored w/3 colors s.t. no two adjacent countries have the same color?
Formally:
Y = { maps M : M is 3-colorable}
N = { maps M : M is not 3-colorable}
Fastest known algorithm: 2^O(n)
http://www.ctl.ua.edu/math103/
7
3-COLORING
Given: a graph G
Decide: can it be colored w/3 colors s.t. no two adjacent vertices have the same color?
Formally:
Y = { graphs G : G is 3-colorable}
N = { graphs G : G is not 3-colorable}
Fastest known algorithm: 2^O(n)
8
NP Proof Systems
Def: An NP proof system for is an algorithm V s.t.
–Completeness: x ∈ Y ⇒ ∃ V(x, ) = accept
–Soundness: x ∈ N ⇒ ∀ * V(x, ) = reject
–Efficiency: V(x, ) runs in time poly(|x|).
Example: 3-coloring
–V(G, ) = accept iff is a valid 3-coloring of G
9
NP Proofs
Def: An NP proof system for is an algorithm V s.t.
–Completeness: x ∈ Y ⇒ ∃ V(x, ) = accept
–Soundness: x ∈ N ⇒ ∀ * V(x, ) = reject
–Efficiency: V(x, ) runs in time poly(|x|).
The P=NP Question
–Do mathematical proofs ever save time?
–Is exhaustive search ever necessary?
NP-completeness [C71,K72,L73]
–every NP problem can be reduced to 3-coloring.
Q: What does one learn from a proof?
10
Zero-Knowledge Proofs [GMR85]
Efficiency: V runs in time poly(|x|).
Completeness: x ∈ Y ⇒ Pr[V accepts] ≥ 2/3
Soundness: x ∈ N ⇒ ∀ P Pr[V accepts] ≤ 1/3
Zero Knowledge: x ∈ Y ⇒ ∀ V* V* “learns nothing” else
[Figure: unbounded Prover P and poly-time Verifier V on input x exchange messages m1, m2, m3, m4; V outputs accept/reject; label: “security” conditions]
11
Zero-Knowledge Proofs [GMR85]
Flavors
–Statistical: security vs. computationally unbounded P*, V*
–Computational: security vs. poly-time P*, V*
Cryptographic Protocols
–Encryption, digital signatures, privacy-preserving datamining, electronic voting,…
–Testbed for composability, concurrency, …
Complexity Theory
–SZK = { ∈ NP : has a statistical ZK proof}
–ZK = { ∈ NP : has a computational ZK proof}
12
3-COLORING ∈ ZK [GMW86]
[Figure: unbounded Prover and poly-time Verifier; graph on vertices 1 2 3 4 5 6]
1. Randomly permute coloring & send in locked boxes.
13
3-COLORING ∈ ZK [GMW86]
[Figure: unbounded Prover and poly-time Verifier; graph on vertices 1 2 3 4 5 6]
1. Randomly permute coloring & send in locked boxes.
14
3-COLORING ∈ ZK [GMW86]
[Figure: unbounded Prover and poly-time Verifier; graph on vertices 1 2 3 4 5 6]
1. Randomly permute coloring & send in locked boxes.
2. Pick random edge. (1,4)
3. Send keys for endpoints.
4. Accept if colors different.
(Perfect) Completeness: graph 3-colorable ⇒ V accepts w.p. 1
15
3-COLORING ∈ ZK [GMW86]
[Figure: unbounded Prover and poly-time Verifier; graph on vertices 1 2 3 4 5 6]
1. Randomly permute coloring & send in locked boxes.
2. Pick random edge. (1,4)
3. Send keys for endpoints.
4. Accept if colors different.
Soundness: graph not 3-colorable ⇒ ∀ P* V rejects w.p. ≥ 1/(#edges)
16
3-COLORING ∈ ZK [GMW86]
[Figure: unbounded Prover and poly-time Verifier; graph on vertices 1 2 3 4 5 6]
1. Randomly permute coloring & send in locked boxes.
2. Pick random edge. (1,4)
3. Send keys for endpoints.
4. Accept if colors different.
Zero Knowledge: graph 3-colorable ⇒ can simulate interaction w/o prover
17
How to implement boxes?
Bit commitment:
Hiding: Com( ) & Com( ) indistinguishable. (⇒ zero knowledge)
Binding: W.h.p. z can be opened to only one value ∈ {0,1}. (⇒ soundness)
[Figure: Sender and Receiver; commit stage: z; reveal stage: ( ,K); Receiver outputs accept/reject]
18
3-COLORING ∈ ZK [GMW86]
[Figure: unbounded Prover and poly-time Verifier; graph on vertices 1 2 3 4 5 6]
1. Randomly permute coloring & send in locked boxes: Com( )…Com( )
2. Pick random edge. (1,4)
3. Send keys for endpoints: ( ,K1), ( ,K4)
4. Accept if colors different.
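Steps 1–4 of the 3-COLORING protocol with the locked boxes implemented as commitments, as an added example that is not from the talk. It assumes SHA-256 over a random key as a stand-in for Com (the slides build Com from one-way functions); the graph, colorings and function names are constructed for illustration.

```python
import hashlib
import random
import secrets

def commit(color):
    """Commit stage: lock a color in a box z = SHA-256(K || color); K is the key."""
    key = secrets.token_bytes(32)
    return hashlib.sha256(key + bytes([color])).digest(), key

def opens_to(z, color, key):
    """Reveal stage: the receiver recomputes the box from (color, K)."""
    return color in (0, 1, 2) and hashlib.sha256(key + bytes([color])).digest() == z

def zk_round(edges, coloring, rng):
    """One run of steps 1-4; returns True if the verifier accepts."""
    # 1. Prover: randomly permute the three colors, commit to every vertex.
    perm = rng.sample([0, 1, 2], 3)
    permuted = {v: perm[c] for v, c in coloring.items()}
    keys, boxes = {}, {}
    for v, c in permuted.items():
        boxes[v], keys[v] = commit(c)
    # 2. Verifier: pick a random edge (it has seen only `boxes` so far).
    u, w = rng.choice(edges)
    # 3. Prover: send color and key for the two endpoints only.
    (cu, ku), (cw, kw) = (permuted[u], keys[u]), (permuted[w], keys[w])
    # 4. Verifier: both boxes must open correctly and the colors must differ.
    return opens_to(boxes[u], cu, ku) and opens_to(boxes[w], cw, kw) and cu != cw

def run(edges, coloring, rounds, seed=0):
    """Repeat the round independently; accept only if every round accepts."""
    rng = random.Random(seed)  # fixed seed for a reproducible demo only
    return all(zk_round(edges, coloring, rng) for _ in range(rounds))

# Constructed sample graph on vertices 1..6 (not the graph drawn on the slide).
EDGES = [(1, 2), (1, 4), (2, 3), (2, 5), (3, 6), (4, 5), (5, 6), (1, 3)]
GOOD = {1: 0, 2: 1, 3: 2, 4: 1, 5: 2, 6: 0}   # valid 3-coloring
BAD = {**GOOD, 4: 0}                           # edge (1,4) is monochromatic
```

A prover committing to `BAD` survives one round with probability 7/8 (one bad edge out of 8), so repetition drives the acceptance probability down geometrically, while each transcript for `GOOD` opens only two boxes holding a random pair of distinct colors.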
19
NP ⊆ ZK [GMW86]
[Figure: unbounded Prover and poly-time Verifier on input x; graph on vertices 1 2 3 4 5 6]
1. Randomly permute coloring & send in locked boxes: Com( )…Com( )
2. Pick random edge. (1,4)
3. Send keys for endpoints: ( ,K1), ( ,K4)
4. Accept if colors different.
20
Existence of Commitment Schemes
Thm: If one-way functions exist,
–Computationally hiding, statistically binding bit-commitment schemes exist [HILL90,Nao91].
–Statistically hiding, computationally “1-out-of-2-binding” bit-commitment schemes exist [NOV06].
⇒ all of NP has zero-knowledge proofs (with either security property statistical).
[Figure: one-way function; x to f(x) is easy, f(x) back to x is hard]
21
Existence of Commitment Schemes
Thm: If one-way functions exist,
–Computationally hiding, statistically binding bit-commitment schemes exist [HILL90,Nao91].
–Statistically hiding, computationally “1-out-of-2-binding” bit-commitment schemes exist [NOV06].
⇒ all of NP has zero-knowledge proofs (with either security property statistical).
[Figure: one-way function; p,q to p×q is easy, p×q back to p,q is hard]
22
Existence of Commitment Schemes
Thm: If one-way functions exist,
–Computationally hiding, statistically binding bit-commitment schemes exist [HILL90,Nao91].
–Statistically hiding, computationally “1-out-of-2-binding” bit-commitment schemes exist [NOV06].
⇒ all of NP has zero-knowledge proofs (with either security property statistical).
[Annotation on the one-way function assumption: minimal but stronger than P NP]
23
General Results on ZK
Thm [GMW86,HILL90,Nao91]: Assuming one-way functions exist...
–ZK = NP.
–ZK = ZK w/perfect completeness
–ZK = ZK w/poly-time prover
–ZK = honest-verifier ZK
–ZK closed under union
–…
Q: What can we prove about ZK unconditionally?
24
Unconditional Results on SZK
Thms:
–SZK contains QUADRATIC RESIDUOSITY [GMR85], GRAPH ISOMORPHISM [GMW86],...
–SZK=SZK w/perfect completeness [O96]
–SZK closed under complement, union [O96]
–Complete Problems [SV97,GV99]
–SZK=honest-verifier SZK [GSV98]
–SZK=SZK w/poly-time prover [NV06]
–…
But more constrained: SZK ⊆ coAM [F86,AH87] ⇒ unlikely to contain NP.
25
Unconditional Results on ZK
Thm [V04,NV06,OV06]:
–New characterizations of ZK
–ZK = ZK w/perfect completeness
–ZK = ZK w/poly-time prover
–ZK = honest-verifier ZK
–ZK closed under union
–ZK ∩ coNP closed under complement
–...
Assuming one-way functions exist...
26
How to get unconditional results on ZK?
Thm [OW93]: If ZK RP, then a “weak form” of one-way functions exists.
Idea: Case analysis.
–Case I: ZK=RP. Everything trivial.
–Case II: ZK RP. Use above OWF in conditional results.
Problem: “Weak form” of OWF not enough (cf. [DOY97])
Our approach:
–replace RP by SZK
–case analysis on input-by-input basis
–combine OWF-based results w/unconditional results on SZK
27
The SZK/OWF CONDITION
Def: satisfies the SZK/OWF CONDITION if ∃ I ⊆ Y, J ⊆ N, ∃ poly-time {f_x(y)} for x ∈ {0,1}* s.t.
1. Ignoring I and J, is in SZK.
2. When x ∈ I ∪ J, f_x is hard to invert.
Note: ∃ OWF ⇒ every problem satisfies above.
[Figure: Y and N with I inside Y and J inside N; outside I and J: in SZK; inside I and J: instances yield OWF; y to f_x(y) is easy, the reverse is hard]
28
ZK Characterization Theorem
Thm [V04,OV06]: ∈ ZK ⇔ ∈ NP and satisfies SZK/OWF CONDITION
Moreover:
–ZK statistical ⇔ I = ∅
–soundness statistical ⇔ J = ∅
“Zero Knowledge & Soundness are Symmetric”
[Figure: Y and N with I inside Y and J inside N; outside I and J: in SZK; inside I and J: instances yield OWF]
29
Proof of the Characterization Thms
∈ honest-verifier ZK even w/inefficient prover
satisfies SZK/OWF CONDITION.
∈ ZK w/perfect completeness, poly-time prover,…
+ ∈ NP
30
From SZK/OWF to ZK
Thm: satisfies SZK/OWF CONDITION and ∈ NP ⇒ ∈ ZK w/perfect completeness, poly-time prover,...
Idea: Use SZK proof when x I ∪ J, use NP proof system when x ∈ I ∪ J (with f_x as OWF)
Problem: cannot efficiently decide whether x ∈ I ∪ J.
[Figure: Y and N with subsets I and J; regions labelled SZK and OWF]
31
Sol’n: Instance-dependent Commitments
Def [IOS94,MV03]: In an I.D. commitment scheme for , sender & receiver receive auxiliary input x s.t.
–x ∈ Y ⇒ hiding
–x ∈ N ⇒ binding
Example [BMO90]: GRAPH ISOMORPHISM
–aux. input = (G0,G1)
–commitment to = random isomorphic copy of G
–perfectly hiding and perfectly binding!
[Figure labels: H, B]
32
Usefulness of I.D. Commitments
–x ∈ Y ⇒ hiding
–x ∈ N ⇒ binding
Many ZK pfs only use hiding on YES instances (for ZK), binding on NO instances (for soundness).
Lemma [IOS94,MV03]: ∈ NP and has instance-dependent commitments ⇒ ∈ ZK w/perfect completeness, poly-time prover, …
[Figure labels: H, B]
33
From SZK/OWF to ZK
[Figure: Prover and poly-time Verifier on input x; graph on vertices 1 2 3 4 5 6]
1. Randomly permute coloring & send in locked boxes: Com_x( )…Com_x( )
2. Pick random edge. (1,4)
3. Send keys for endpoints: ( ,K1), ( ,K4)
4. Accept if colors different.
34
I.D. Commitments from SZK/OWF
–Com_SZK: SZK has stat. hiding, stat. 1-out-of-2-binding i.d. commitments [NV06]
–Com_I: OWF ⇒ comp. hiding, stat. binding commitments [HILL90,N91]
–Com_J: OWF ⇒ stat. hiding, comp. 1-out-of-2-binding commitments [NOV06]
SZK/OWF CONDITION ⇒ comp. hiding, comp. 1-out-of-2-binding i.d. commitments: Com_SZK(b ⊕ r), Com_I(r), Com_J(b)
[Figure labels: H, B]
35
Conclusions
ZK continues to be a lively interface between cryptography and complexity theory.
SZK/OWF Characterizations of ZK ⇒ unconditional results
Variations on commitments
–Instance-dependent commitments
–1-out-of-2-binding commitments
Happy Thanksgiving!
36
Extra slides
37
Computational Complexity Theory
“What problems can and cannot be solved with limited computational resources?”
Arithmetic on n-bit numbers:
–Addition: time O(n) [easy (poly-time)]
–Multiplying: time O(n^2); O(n lg n lglg n) [SS71] [easy (poly-time)]
–Factoring: time ~2^(n/2); ~2^O(n^(1/3)) [BLP94] [hard?]
Computational problems:
–Network Flows, Finding Nash Equilibria, Decoding Error-Correcting Codes, Partition Function of Ising Model, Protein Folding, Proof Verification, …
Resources:
–Space (memory), randomness, parallelism, interaction, quantum mechanics, …
38
Goals of Complexity Theory
Lower Bounds
–Prove that there are no efficient algorithms to solve certain problems.
–Success only for limited models of computation
–P NP seems far out of reach.
Establish Relationships
–Between problems, e.g. NP-completeness [C71,K72,L73]
–Between resources, e.g. Hardness vs. Randomness [BM82,Y82,NW88]: intractable problems derandomization
(take CS225!)
39
Modern Cryptography
Protocols for secure communication & computation in the face of adversarial behavior.
–Encryption, digital signatures, SSL, e-voting, …
Goal: “breaking” scheme computationally intractable
–Information-theoretic security usually impossible [Sha49]
Based on complexity theory [DH76,RSA78,Rab79]
40
From Art to Science
Secure Systems
–Protocols: SSL, E-voting, Auctions
–Primitives: Encryption, Signatures, Zero-knowledge Proofs
–Hard Problems: Factoring, RSA, MD5, DES
Complexity Theory
Convincing definitions of security [GM82,...], rigorous proofs.
41
From Art to Science
Secure Systems
–Protocols: SSL, E-voting, Auctions
–Primitives: Encryption, Signatures, Zero-knowledge Proofs
–Hard Problems: Factoring, RSA, MD5, DES
Complexity Theory
Convincing definitions of security [GM82,...], rigorous proofs.
Goal: use assumptions that are as weak & general as possible.
Ex: one-way functions
[Figure labels: Conjectures; p,q to p×q is easy, p×q back to p,q is hard]
42
1-out-of-2-Binding Commitments
[Figure: Sender and Receiver; commit_1: z1; reveal_1: ( ,K1); commit_2: z1; reveal_2: ( ,K2)]
Hiding: Both phases hiding ⇒ ZK
Binding: Sender can change value at most once ⇒ Soundness
43
1-out-of-2-binding Commitments ⇒ ZK for NP
Intuitive idea: Run 3-coloring protocol twice
[Figure: Prover and Verifier exchange Commit_1(coloring), Edge, Reveal_1, Commit_2(coloring), Edge, Reveal_2]
Hiding: Both phases hiding ⇒ ZK
Binding: Sender can change value at most once ⇒ Soundness