Zero Knowledge Proofs 1 Zero Knoledge proofs 20022021

Zero Knowledge Proofs 1 Zero Knoledge proofs 20/02/2021

Interactive proof An Interactive Proof System for a language L is a two-party game between a verifier and a prover that interact on a common input in a way satisfying the following properties: 2 Zero Knoledge proofs 20/02/2021

Interactive proof u The verifier’s strategy is a probabilistic polynomial-time procedure. u Correctness requirements: • Completeness: There exists a prover strategy P, such that for every x L, when interacting on a common input x, the prover P convinces the verifier with probability at least 2/3. • Soundness: For every x L, when interacting on the common input x, any prover strategy P* convinces the verifier with probability at most 1/3. 3 Zero Knoledge proofs 20/02/2021

Zero Knowledge Proof Let (P, V) be an interactive proof system for some language L. We say that (P, V), actually P, is zeroknowledge if for every probabilistic polynomial-time ITM V* there exists a probabilistic polynomial-time machine M* s. t. for every x L holds {<P, V*>(x)}x L {M*(x)}x L Machine M* is called the simulator for the interaction of V* with P. 4 Zero Knoledge proofs 20/02/2021

Perfect Zero Knowledge Definition: Let (P, V) be an interactive proof system for some language L. We say that (P, V), actually P, is perfect zero-knowledge (PZK) if for every probabilistic polynomial time ITM V* there exists a probabilistic polynomial-time machine M* s. t. for every x L the distributions {<P, V*>(x)}x L and {M*(x)}x L are identical, i. e. , {<P, V*>(x)}x L {M*(x)}x L 5 Zero Knoledge proofs 20/02/2021

Statistical Zero Knowledge Definition: Let (P, V) be an interactive proof system for some language L. We say that (P, V), actually P, is statistical zero knowledge (SZK) if for every probabilistic polynomial time verifier V* there exists a probabilistic polynomial-time machine M* s. t. the ensembles {<P, V*>(x)}x L and {M*(x)}x L are statistically close. 6 Zero Knoledge proofs 20/02/2021

Statistical Zero Knowledge Definition-cont. : The distribution ensembles {Ax}x L and {Bx}x L are statistically close or have negligible variation distance if for every polynomial p( • ) there exits integer N such that for every x L with |x| N holds: |Pr [Ax = ] – Pr [Bx = ]| p(|x|)-1 7 Zero Knoledge proofs 20/02/2021

Computational Zero Knowledge Definition: Let (P, V) be an interactive proof system for some language L. (P, V), actually P, is computational zero knowledge (CZK) if for every probabilistic polynomial-time verifier V* there exists a probabilistic polynomial-time machine M* s. t. the ensembles {<P, V*>(x)}x L and {M*(x)}x L are computationally indistinguishable. 8 Zero Knoledge proofs 20/02/2021

Computational Zero Knowledge Definition: Two ensembles {Ax}x L and {Bx}x L are computationally indistinguishable if for every probabilistic polynomial time distinguisher D and for every polynomial p( • ) there exists an integer N such that for every x L with |x| N holds |Pr [D(x, Ax) = 1] – Pr [D(x, Bx) = 1]| p(|x|)-1 9 Zero Knoledge proofs 20/02/2021

Graph Isomorphism problem Definition Graph Isomorphism two graphs G 0 =(V 0, E 0) and G 1 =(V 1, G 1) are isomorphic permutation s. t (u, v) E 0 ( (u), (v)) E 1 if G 0 and G 1 are isomorphic and is an isomorphism between G 0 to G 1 we write G 1 = (G 0). 10 Zero Knoledge proofs 20/02/2021

Graph Isomorphism problem: Given Two Graphs G 1 and G 2 – Are They Isomorphic ? Lemma: GI ZK Proof: Zero Knowledge Interactive Proof for GI. 11 Zero Knoledge proofs 20/02/2021

Zero Knowledge Interactive proof for Graph Isomorphism. 1 Repeat the following n times: 2. The Prover chooses a random permutation of (1…n) and computes H= (G 1) and send it to the verifier. 3. The verifier chooses randomly i=1 or 2 and sends it to the prover. 12 Zero Knoledge proofs 20/02/2021

Zero Knowledge Interactive proof for Graph Isomorphism -cont. . 4 The prover chooses permutation s. t H = (Gi). If i=1 the prover sends to the verifier otherwise the prover will send -1. ( is the isomorphism between G 1 and G 2. 5. The verifier checks if H is the image of Gi under . 6. The verifier accepts if H is the image of Gi in all n rounds. 13 Zero Knoledge proofs 20/02/2021

Zero Knowledge Interactive proof for Graph Isomorphism-cont. Prover Verifier H= (G 1) R i=1, 2 or -1 Checks if H is the image of Gi 14 Zero Knoledge proofs 20/02/2021

Building simulator M* for graph isomorphism problem We will define simulator M* as follows: Input: (G 0, G 1) ISO 1. Randomly chooses a random string RANDOM and puts it on the Random tape of Verifier V*. 2. Randomly chooses a {0, 1} and permutation and construct H= (Ga) send H to V*. 15 Zero Knoledge proofs 20/02/2021

Building simulator M* for graph isomorphism problem. 3 Receive b from V*. If b {0, 1} then outputs {RANDOM, H, b} and STOP. If a =b then outputs {RANDOM, H, b, } and STOP; else GOTO 1. 16 Zero Knoledge proofs 20/02/2021

Zero-Knowledge Password Proofs. 1 The prover finds two large primal numbers - p and q and sends n=pq to the verifier 2. r is a random number belongs to [n, n 4]. The prover sends x 2 modn and r 2 modn to the verifier. 3. The verifier then randomly asks for r or xr and checks the prover. 17 Zero Knoledge proofs 20/02/2021

Zero-Knowledge Password Proofs Prover Verifier n=pq x 2 modn Asks for xr or r r modn 2 xr or r Checks the Prover 18 Zero Knoledge proofs 20/02/2021

NP and Zero Knowledge proofs Lemma: NP ZK Proof: 3 col ZK. 19 Zero Knoledge proofs 20/02/2021

Zero Knowledge proof for 3 col problem 1. The prover randomly chooses a permutation . Computes (c(v)), puts in envelopes and sends to the verifier. 2. The verifier chooses randomly: (u, v) E and opens the envelope. If the colors are different and legal he answers “yes”. 20 Zero Knoledge proofs 20/02/2021

Zero Knowledge proof for 3 col problem Prover Verifier permutation . (c(v)) Chooses (u, v) E envelope Checks that colors are different 21 Zero Knoledge proofs 20/02/2021

ZK protocol for Co-SAT Transform the CNF to a polynom by these transformation rules: 1. T positive value 2. F 0 3. Xi 3. Xi (1 -Xi) 4. OR + 5. AND • 22 Zero Knoledge proofs 20/02/2021

ZK protocol for Co-SAT The protocol: 1. The prover selects a prime number q > 2 n • 3 m and sends to the verifier. 2. The verifier checks that q is prime. If q isn’t prime halts and rejects. 23 Zero Knoledge proofs 20/02/2021

ZK protocol for Co-SAT 3. V 0 is at the initialized at value zero. The prover does the following for i=1…n. The prover computes polynom Pi that it’s rank is at most m. The construction of Pi : P 1(x)= x =0, 1…. x p(x 1 … xn) P 2(x)= x =0, 1…. x p(r 1, x, x 3 … xn) Pn(x)= p(r 1, . . . Rn-1, xn ) the prover puts polynom Pi in envelopes and send to the verifier. n n 24 n=0, 1 Zero Knoledge proofs 20/02/2021

ZK protocol for Co-SAT 4. The prover moves to the next stage(i=i+1). 5. We know that the verifier will accept if r 1… ri … rn s. t Pi(0) + Pi(1)= vi -1 modq. Since checking each assignment is polynomial this problem is in NP. We can now do a reduction from any NP problem to 3 col ZK. 25 Zero Knoledge proofs 20/02/2021

ZK protocol for Graph non isomorphism Definition Graph non Isomorphism given two graphs G 0 =(V 0, E 0) and G 1 =(V 1, G 1). (G 0, G 1 ) GNI there is no permutation s. t (u, v) E 0 ( (u), (v)) E 1 26 Zero Knoledge proofs 20/02/2021

ZK protocol for Graph non isomorphism 1. The verifier chooses randomly a number i (0, 1). The verifier chooses a random permutation and computes H = (Gi). Then the verifier chooses randomly j (0, 1). The verifier creates the pair of graphs (H 0, H 1) such that: if j=0: H 0 is a permutation of G 0 H 1 is a permutation of G 1 27 Zero Knoledge proofs 20/02/2021

ZK protocol for Graph non isomorphism if j=1: H 0 is a permutation of G 1 H 1 is apermutation of G 0 the verifier sends H and the pair (H 0, H 1). 28 Zero Knoledge proofs 20/02/2021

ZK protocol for Graph non isomorphism 2. The prover chooses randomly b (0, 1). The prover sends b to the verifier. If b=0 then the verifier sends the prover the isomorphism between (G 0, G 1) and (H 0, H 1). If b=1 the verifier sends the prover the isomorphism between H and (H 0, H 1). 29 Zero Knoledge proofs 20/02/2021

ZK protocol for Graph non isomorphism 3. The prover checks that the right isomorphism is sent otherwise it stops. the prover computes b such that Gb is isomorphic to H and sends b to V. If there is no such b , the prover sends a random b. 4. The verifier accepts if j=b. 30 Zero Knoledge proofs 20/02/2021

ZK protocol for Graph non isomorphism Prover Verifier 1. i (0, 1) 2. H = (Gi) 1. Isomorphism between (G 0, G 1) and (H 0, H 1). OR 2. Isomorphism between (H 0, H 1) and H. 3. H and the pair (H 0, H 1) Check isomorphism computes b 31 checks that j=b Zero Knoledge proofs 20/02/2021

ZK protocol for Graph non isomorphism Lemma: GNI PZK Proof : building M* s. t {<P, V*>(x)}x L {M*(x)}x L 1. The machine M* takes random string of bits and puts ot on a Random tape. 32 Zero Knoledge proofs 20/02/2021

ZK protocol for Graph non isomorphism Mv* does the following n times: 2. Mv* waits to get H and the pair (H 0, H 1) from V*. 3. Mv* chooses a random b. 4. Mv* gets from V* the isomorphism between H and (H 0, H 1) and (G 0, G 1). Mv* checks if it is not the right isomorphism it stops. 33 Zero Knoledge proofs 20/02/2021

ZK protocol for Graph non isomorphism Otherwise: 1. Returns V* to the point after H and (H 0, H 1) were received. 2. choose b’ again and sends to V* 3. Waits to get I’ from V* I’- isomorphism received from V*. 34 Zero Knoledge proofs 20/02/2021

ZK protocol for Graph non isomorphism If b’ b then the Mv* finds isomorphism from I and I’, from G 0, G 1 to (H 0, H 1) and from (H 0, H 1) to H. The machine uses this information to find Isomorphism from H to G 0 , G 1. 4. The machine Mv* uses this information to compute V* and sends it to V*. 35 Zero Knoledge proofs 20/02/2021