1
Zero Knowledge Proofs
2
Interactive proof
An Interactive Proof System for a language L is a two-party game between a verifier and a prover that interact on a common input in a way satisfying the following properties:
3
Interactive proof
The verifier’s strategy is a probabilistic polynomial-time procedure.
Correctness requirements:
Completeness: There exists a prover strategy P such that for every x L, when interacting on a common input x, the prover P convinces the verifier with probability at least 2/3.
Soundness: For every x L, when interacting on the common input x, any prover strategy P* convinces the verifier with probability at most 1/3.
4
Zero Knowledge Proof
Let (P,V) be an interactive proof system for some language L. We say that (P,V), actually P, is zero-knowledge if for every probabilistic polynomial-time ITM V* there exists a probabilistic polynomial-time machine M* s.t. for every x L holds { (x)} x L {M*(x)} x L
Machine M* is called the simulator for the interaction of V* with P.
5
Perfect Zero Knowledge
Definition: Let (P,V) be an interactive proof system for some language L. We say that (P,V), actually P, is perfect zero-knowledge (PZK) if for every probabilistic polynomial-time ITM V* there exists a probabilistic polynomial-time machine M* s.t. for every x L the distributions { (x)} x L and {M*(x)} x L are identical, i.e., { (x)} x L {M*(x)} x L
6
Statistical Zero Knowledge
Definition: Let (P,V) be an interactive proof system for some language L. We say that (P,V), actually P, is statistical zero-knowledge (SZK) if for every probabilistic polynomial-time verifier V* there exists a probabilistic polynomial-time machine M* s.t. the ensembles { (x)} x L and {M*(x)} x L are statistically close.
7
Statistical Zero Knowledge
Definition (cont.): The distribution ensembles {A_x} x L and {B_x} x L are statistically close, or have negligible variation distance, if for every polynomial p() there exists an integer N such that for every x L with |x| N holds:
|Pr[A_x = ] - Pr[B_x = ]| p(|x|)^-1
8
Computational Zero Knowledge
Definition: Let (P,V) be an interactive proof system for some language L. (P,V), actually P, is computational zero-knowledge (CZK) if for every probabilistic polynomial-time verifier V* there exists a probabilistic polynomial-time machine M* s.t. the ensembles { (x)} x L and {M*(x)} x L are computationally indistinguishable.
9
Computational Zero Knowledge
Definition: Two ensembles {A_x} x L and {B_x} x L are computationally indistinguishable if for every probabilistic polynomial-time distinguisher D and for every polynomial p() there exists an integer N such that for every x L with |x| N holds:
|Pr[D(x, A_x) = 1] - Pr[D(x, B_x) = 1]| p(|x|)^-1
10
Graph Isomorphism problem
Definition (Graph Isomorphism): two graphs G_0 = (V_0, E_0) and G_1 = (V_1, E_1) are isomorphic permutation s.t. (u,v) E_0 ( (u), (v)) E_1.
If G_0 and G_1 are isomorphic and is an isomorphism between G_0 and G_1, we write G_1 = (G_0).
11
Graph Isomorphism problem
Graph Isomorphism problem: Given two graphs G_1 and G_2, are they isomorphic?
Lemma: GI ZK
Proof: Zero Knowledge Interactive Proof for GI.
12
Zero Knowledge Interactive proof for Graph Isomorphism
1. Repeat the following n times:
2. The prover chooses a random permutation of (1…n), computes H = (G_1) and sends it to the verifier.
3. The verifier chooses randomly i=1 or 2 and sends it to the prover.
13
Zero Knowledge Interactive proof for Graph Isomorphism (cont.)
4. The prover chooses a permutation s.t. H = (G_i). If i=1 the prover sends to the verifier, otherwise the prover will send -1 ( is the isomorphism between G_1 and G_2).
5. The verifier checks if H is the image of G_i under .
6. The verifier accepts if H is the image of G_i in all n rounds.
14
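Zero Knowledge Interactive proof for Graph Isomorphism (cont.)
[Diagram: messages between Prover and Verifier]
Prover to Verifier: H = (G_1)
Verifier to Prover: i = 1, 2
Prover to Verifier: or -1
Verifier: checks if H is the image of G_i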
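The rounds in steps 1 to 6, as an added Python example that is not part of the original slides. The names pi and phi, the sample graphs and the cheating_round helper are assumptions made for the illustration; phi stands for the prover's secret isomorphism with G_2 = phi(G_1).

```python
import random

def apply_perm(perm, edges):
    """Image of an undirected edge set when vertex v is renamed perm[v]."""
    return frozenset(tuple(sorted((perm[u], perm[v]))) for u, v in edges)

def invert(perm):
    inv = [0] * len(perm)
    for v, image in enumerate(perm):
        inv[image] = v
    return inv

def random_perm(n, rng):
    perm = list(range(n))
    rng.shuffle(perm)
    return perm

def verifier_check(graphs, h, i, sigma):
    """Step 5: H must be the image of G_i under the permutation received."""
    return apply_perm(sigma, graphs[i]) == h

def honest_round(graphs, phi, n, rng):
    """Steps 2-5 for a prover who knows phi with G_2 = phi(G_1)."""
    pi = random_perm(n, rng)
    h = apply_perm(pi, graphs[1])               # step 2: H = pi(G_1)
    i = rng.choice((1, 2))                      # step 3: verifier's challenge
    inv = invert(phi)
    # step 4: pi maps G_1 to H; "phi^-1, then pi" maps G_2 to H
    sigma = pi if i == 1 else [pi[inv[v]] for v in range(n)]
    return verifier_check(graphs, h, i, sigma)

def cheating_round(graphs, n, rng):
    """A prover with no isomorphism can prepare H for one challenge only."""
    guess = rng.choice((1, 2))
    pi = random_perm(n, rng)
    h = apply_perm(pi, graphs[guess])
    i = rng.choice((1, 2))
    return guess, i, verifier_check(graphs, h, i, pi)

# Constructed sample graphs on 4 vertices (not from the slides).
PATH = frozenset({(0, 1), (1, 2), (2, 3)})
STAR = frozenset({(0, 1), (0, 2), (0, 3)})      # not isomorphic to PATH
PHI = [2, 0, 3, 1]                              # prover's secret witness
ISO = {1: PATH, 2: apply_perm(PHI, PATH)}
NON_ISO = {1: PATH, 2: STAR}
```

On NON_ISO a round is accepted exactly when the prover's guess matches the challenge, so n independent rounds are all accepted with probability 2^-n.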
15
Building simulator M* for graph isomorphism problem
We will define simulator M* as follows:
Input: (G_0, G_1) ISO
1. Randomly chooses a random string RANDOM and puts it on the random tape of verifier V*.
2. Randomly chooses a {0,1} and a permutation , constructs H = (G_a) and sends H to V*.
16
Building simulator M* for graph isomorphism problem
3. Receives b from V*.
If b {0,1} then outputs {RANDOM, H, b} and STOP.
If a = b then outputs {RANDOM, H, b, } and STOP; else GOTO 1.
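The simulator loop above, as an added Python example that is not from the original slides. It assumes V* can be modelled as a function of its random tape and H, reads the first condition of step 3 as "b is not in {0,1}", and uses a hypothetical adaptive_verifier and constructed graphs; simulate() is never given the isomorphism between G_0 and G_1.

```python
import hashlib
import random

def apply_perm(perm, edges):
    """Image of an undirected edge set when vertex v is renamed perm[v]."""
    return frozenset(tuple(sorted((perm[u], perm[v]))) for u, v in edges)

def simulate(graphs, verifier, n, rng):
    """M*: produce one round of V*'s view using only G_0, G_1 and V* itself."""
    attempts = 0
    while True:
        attempts += 1
        tape = rng.getrandbits(64)              # step 1: RANDOM for V*'s tape
        a = rng.choice((0, 1))                  # step 2: guess the challenge
        pi = list(range(n))
        rng.shuffle(pi)
        h = apply_perm(pi, graphs[a])           #         H = pi(G_a)
        b = verifier(tape, h)                   # step 3: V*'s reply
        if b not in (0, 1):
            return (tape, h, b), attempts       # malformed challenge ends the view
        if a == b:
            return (tape, h, b, pi), attempts   # guess matched: output the view
        # wrong guess: discard this attempt and go back to step 1

def honest_verifier(tape, h):
    """V that takes its challenge bit from its random tape only."""
    return tape & 1

def adaptive_verifier(tape, h):
    """A V* whose challenge depends on H (hypothetical strategy for this demo)."""
    digest = hashlib.sha256(repr((tape, sorted(h))).encode()).digest()
    return digest[0] & 1

# Constructed sample input: G_1 is a relabelling of G_0.
G0 = frozenset({(0, 1), (1, 2), (2, 3), (0, 2)})
G1 = apply_perm([3, 1, 0, 2], G0)
GRAPHS = {0: G0, 1: G1}
```

Because H has the same distribution whether a is 0 or 1, even the adaptive V* matches the guess half the time, so the loop needs two attempts on average.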
17
Zero-Knowledge Password Proofs
1. The prover finds two large prime numbers p and q and sends n=pq to the verifier.
2. r is a random number belonging to [n, n^4]. The prover sends x^2 mod n and r^2 mod n to the verifier.
3. The verifier then randomly asks for r or xr and checks the prover.
18
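Zero-Knowledge Password Proofs
[Diagram: messages between Prover and Verifier]
Prover to Verifier: n = pq
Prover to Verifier: x^2 mod n, r^2 mod n
Verifier to Prover: asks for xr or r
Prover to Verifier: xr or r
Verifier: checks the prover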
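The three steps above as an added Python example, not code from the original slides. The slide only says the verifier "checks the prover"; the check used here (the square of the answer must equal r^2, or x^2 times r^2, mod n) is an assumption, and the primes, the secret X and the recover_from_reuse helper are constructed for the illustration.

```python
import math
import secrets

P, Q = 2**31 - 1, 2**61 - 1      # constructed toy primes; real moduli are far larger
N = P * Q                        # step 1: only n = pq is sent
X = 123456789                    # prover's secret (constructed value)
X_SQ = pow(X, 2, N)              # x^2 mod n, sent to the verifier

def commit(n):
    """Step 2: draw r from [n, n^4] and compute the commitment r^2 mod n."""
    while True:
        r = n + secrets.randbelow(n**4 - n + 1)
        if math.gcd(r, n) == 1:          # keeps r invertible mod n
            return r, pow(r, 2, n)

def respond(x, r, n, ask_xr):
    """Step 3, prover side: reveal r or x*r (mod n), as the verifier asked."""
    return (x * r) % n if ask_xr else r % n

def check(n, x_sq, r_sq, ask_xr, answer):
    """Step 3, verifier side (assumed): answer^2 is r^2, or x^2 * r^2, mod n."""
    expected = (x_sq * r_sq) % n if ask_xr else r_sq
    return pow(answer, 2, n) == expected

def run_rounds(x, n, rounds):
    """Honest prover against random challenges, with a fresh r every round."""
    x_sq = pow(x, 2, n)
    for _ in range(rounds):
        r, r_sq = commit(n)
        ask_xr = bool(secrets.randbits(1))
        if not check(n, x_sq, r_sq, ask_xr, respond(x, r, n, ask_xr)):
            return False
    return True

def recover_from_reuse(n, r_answer, xr_answer):
    """If one r ever answers both challenges, x = (xr) * r^-1 mod n leaks."""
    return (xr_answer * pow(r_answer, -1, n)) % n
```

The last function is the reason r must be fresh in every round: a single commitment answered both ways hands the verifier x itself.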
19
NP and Zero Knowledge proofs
Lemma: NP ZK
Proof: 3col ZK.
20
Zero Knowledge proof for 3col problem
1. The prover randomly chooses a permutation , computes (c(v)), puts the results in envelopes and sends them to the verifier.
2. The verifier randomly chooses (u,v) E and opens the envelope. If the colors are different and legal he answers “yes”.
21
Zero Knowledge proof for 3col problem
[Diagram: messages between Prover and Verifier]
Prover: permutation , (c(v))
Prover to Verifier: envelope
Verifier: chooses (u,v) E
Verifier: checks that colors are different
22
ZK protocol for Co-SAT
Transform the CNF to a polynomial by these transformation rules:
1. T positive value
2. F 0
3. X_i X_i
3. X_i (1-X_i)
4. OR +
5. AND
23
ZK protocol for Co-SAT
The protocol:
1. The prover selects a prime number q > 2^n 3^m and sends it to the verifier.
2. The verifier checks that q is prime. If q isn’t prime, it halts and rejects.
24
ZK protocol for Co-SAT
3. V_0 is initialized to the value zero. The prover does the following for i=1…n: the prover computes a polynomial P_i whose rank is at most m.
The construction of P_i:
P_1(x) = x_n=0,1 …. x_n=0,1 p(x_1 … x_n)
P_2(x) = x_n=0,1 …. x_n=0,1 p(r_1, x, x_3 … x_n)
P_n(x) = p(r_1, ... R_n-1, x_n)
The prover puts the polynomial P_i in envelopes and sends them to the verifier.
25
ZK protocol for Co-SAT
4. The prover moves to the next stage (i=i+1).
5. We know that the verifier will accept if r_1 … r_i … r_n s.t. P_i(0) + P_i(1) = v_(i-1) mod q.
Since checking each assignment is polynomial, this problem is in NP. We can now do a reduction from any NP problem to 3col ZK.
26
ZK protocol for Graph non isomorphism
Definition (Graph non Isomorphism): given two graphs G_0 = (V_0, E_0) and G_1 = (V_1, E_1).
(G_0, G_1) GNI there is no permutation s.t. (u,v) E_0 ( (u), (v)) E_1
27
ZK protocol for Graph non isomorphism
1. The verifier chooses randomly a number i (0,1). The verifier chooses a random permutation and computes H = (G_i). Then the verifier chooses randomly j (0,1). The verifier creates the pair of graphs (H_0, H_1) such that:
if j=0: H_0 is a permutation of G_0 and H_1 is a permutation of G_1
28
ZK protocol for Graph non isomorphism
if j=1: H_0 is a permutation of G_1 and H_1 is a permutation of G_0.
The verifier sends H and the pair (H_0, H_1).
29
ZK protocol for Graph non isomorphism
2. The prover chooses randomly b (0,1). The prover sends b to the verifier.
If b=0 then the verifier sends the prover the isomorphism between (G_0, G_1) and (H_0, H_1).
If b=1 the verifier sends the prover the isomorphism between H and (H_0, H_1).
30
ZK protocol for Graph non isomorphism
3. The prover checks that the right isomorphism is sent; otherwise it stops. The prover computes b such that G_b is isomorphic to H and sends b to V. If there is no such b, the prover sends a random b.
4. The verifier accepts if j=b.
31
ZK protocol for Graph non isomorphism
[Diagram: messages between Prover and Verifier]
Verifier: 1. i (0,1) 2. H = (G_i) 3. H and the pair (H_0, H_1)
Verifier to Prover: 1. Isomorphism between (G_0, G_1) and (H_0, H_1), OR 2. Isomorphism between (H_0, H_1) and H.
Prover: checks isomorphism, computes b
Verifier: checks that j=b
32
ZK protocol for Graph non isomorphism
Lemma: GNI PZK
Proof: building M* s.t. { (x)} x L {M*(x)} x L
1. The machine M* takes a random string of bits and puts it on a random tape.
33
ZK protocol for Graph non isomorphism
M_V* does the following n times:
2. M_V* waits to get H and the pair (H_0, H_1) from V*.
3. M_V* chooses a random b.
4. M_V* gets from V* the isomorphism between H and (H_0, H_1) and (G_0, G_1). M_V* checks it; if it is not the right isomorphism, it stops.
34
ZK protocol for Graph non isomorphism
Otherwise:
1. Returns V* to the point after H and (H_0, H_1) were received.
2. Chooses b’ again and sends it to V*.
3. Waits to get I’ from V* (I’ is the isomorphism received from V*).
35
ZK protocol for Graph non isomorphism
If b’ b then M_V* finds isomorphism from I and I’, from G_0, G_1 to (H_0, H_1) and from (H_0, H_1) to H. The machine uses this information to find the isomorphism from H to G_0, G_1.
4. The machine M_V* uses this information to compute V* and sends it to V*.