
Zero-Knowledge Proofs

Zero-Knowledge Proofs. Ben Hosp. Classical Proofs. A proof is an argument for the truth or correctness of an assertion. A classical proof is an unambiguous demonstration that a statement is true or false. Classical Proof Systems.


Presentation Transcript


  1. Zero-Knowledge Proofs Ben Hosp

  2. Classical Proofs • A proof is an argument for the truth or correctness of an assertion. • A classical proof is an unambiguous demonstration that a statement is true or false.

  3. Classical Proof Systems • Suppose we have a language of assertions and proofs over some finite alphabet. • Let L be the language of true assertions, that is, assertions that have proofs. • We can define a classical proof system for L as an algorithm V such that: • True assertions have proofs: if x is in L, then a proof p exists such that V(x,p) = 1. • The Completeness property. • False assertions have no proofs: if y is not in L, for all p* in the proof language, V(y,p*) = 0. • The Soundness property • For all x in the assertion language and p in the proof language, V(x,p) halts in polynomial time. • The Efficiency property.

  4. Graph Isomorphism • G = ([n],E) • Perm(G) = ([n], E’) • E’ = {(Perm(u), Perm(v)): (u,v) is in E} • If there exists G,H such that Perm(G) = H, then G and H are isomorphic and Perm is an isomorphism between G and H.

  5. Classical Proof System for Graph Isomorphism

     V(Graph G, Graph H, Permutation p) {
       if (p(G) == H) {   // O(|[n]|) time
         return 1;        // accept the proof
       } else {
         return 0;        // reject the proof
       }
     }

  6. NP • A review: NP is the class of problems which can be solved with a nondeterministic-polynomial algorithm.

     for each i in 1…answer.size
       G: answer[i] = guess(i);     // magically provides the next bit of the answer
          if (!verify(answer, i))   // checks that answer is correct so far in polynomial time
            goto G;
          end if
     end for

  7. Classical Proofs are NP • So NP is exactly the class of languages with classical proof systems. • If we have an assertion, we can verify any proof for it in polynomial time. • The problem “Is x in L?” is in NP.

  8. What Is A Proof?

  9. What Do You Learn From A Proof? • A lot more than the truth of an assertion. • You learn enough to convince others of the truth of that assertion. • The “classical” way to prove “There exists x...” is to provide an example of x. • What if you want to prove: • “There exists x” • “I know x” • Without telling you x or (ideally) any information about x.

  10. Ali Baba’s Cave • There is a magic cave like this: • But Ali Baba knows there is a secret door here: • Ali Baba knows the cave is a loop, but no one else does.

  11. Ali Baba’s Cave • How can Ali Baba prove to you that the magic door exists? • Classical proof would give away the secret. • But Ali Baba can convince you the door exists by having you watch him go down one tunnel and come out the other. • We need a new class of proofs.

  12. Interactive Proofs • Interactive proofs are based on the interaction between a prover P and a verifier V. • P wants to prove something to the verifier. • An interaction protocol is a pair of functions mapping strings to strings. • In other words, it defines the messages P will send V and V will send P in terms of the last received message. • In general, P will give V some commitment, then V will randomly make some sort of challenge to P, and then reject or accept the proof based on P’s response.

  13. Probabilistic Proofs • Proofs based on interactive protocols are probabilistic. • There is generally a chance that the Verifier will reject some valid proofs or accept some invalid ones. • We can define a probabilistic proof system for L as an interactive protocol (P,V) such that: • For all x in the assertion language (P,V)(x) halts in polynomial time. • The Efficiency property. • If x is in L, then (P,V)(x) accepts with probability at least a. • The Completeness property. • If y is not in L, then (P,V)(y) accepts with probability at most b. • The Soundness property. • Where 1 >= a > b >= 0 • We can repeat such a proof multiple times to make the chance of a false positive or negative negligible.

  14. IP • IP is the class of languages with Interactive (Probabilistic) proofs. • NP is a subset of IP • P can send V a classical proof to check • IP is thought to be a strict superset of NP

  15. Graph Non-Isomorphism • No classical proof system is known for the question of whether graphs G and H are non-isomorphic. • We can check all possible permutations of G but this takes exponential time. • Observations on this problem: • Let ICP(G) be the set of isomorphic copies of G. • If G and H are non-isomorphic, then ICP(G) and ICP(H) are disjoint. • If G and H are isomorphic, then it is impossible to tell a random selection from ICP(G) and a random selection from ICP(H) apart. • Because ICP(G) = ICP(H)

  16. Interactive Proof System for Graph Non-Isomorphism • Suppose we have G0=([n],E0) and G1=([n],E1). • V randomly selects C = G0 or G1, and a permutation p. V sends p(C) to P. • P determines whether p(C) is an isomorphic copy of G0 or G1, and sends that back to V. • If V receives the same graph as it chose, it accepts P’s proof that G0 and G1 are non-isomorphic, otherwise it rejects. • V has demonstrated the ability to tell the difference between elements of ICP(G0) and ICP(G1).

  17. Zero-Knowledge Proofs • P is going to prove an assertion to V without giving V any information other than the truth of the assertion. • In other words, V can simulate a proof of the assertion and get something that is computationally indistinguishable from a proof V actually got from P. • V does not even learn enough to prove the assertion to another party.

  18. NP is a subset of ZP • Every language with a classical proof system has a zero-knowledge proof system. • Consider the graph 3-coloring problem: • G=([n],E), we can define C:[n]->{R,G,B} such that if (x,y) is in E, C(x) is different from C(y). • A classical proof that a graph has a 3-coloring is such a 3-coloring. • How can we prove a 3-coloring exists without revealing any information about it?

  19. Zero-Knowledge Proof System for Graph 3-coloring • G=([n],E). • P knows that C is a 3-coloring of G. • V randomly chooses (x,y) in E and sends it to P. • P sends C(x) and C(y) to V. • V rejects if C(x) = C(y) and accepts otherwise.

  20. Zero-Knowledge Proof System for Graph 3-coloring • G=([n],E). • P knows that C is a 3-coloring of G. • For each vertex v in [n], P encrypts its color C(v) with a key Kv, and sends EKv(C(v)) to V. • V randomly chooses (x,y) in E and sends it to P. • P sends Kx and Ky to V. • V rejects if DKx(EKx(C(x))) = DKy(EKy(C(y))), and accepts otherwise.

  21. Zero-Knowledge Proof System for Graph 3-coloring • G=([n],E). • P knows that C is a 3-coloring of G. • P randomly chooses p, a permutation of {R,G,B}. Clearly p(C) = C’ is also a 3-coloring of G. • For each vertex v in [n], P encrypts its color C’(v) with a key Kv, and sends EKv(C’(v)) to V. • V randomly chooses (x,y) in E and sends it to P. • P sends Kx and Ky to V. • V rejects if DKx(EKx(C’(x))) = DKy(EKy(C’(y))), and accepts otherwise.

  22. Zero-Knowledge Proof System for Graph 3-coloring • Since p(C)=C’ is a proper 3-coloring of G, C’(x) will never equal C’(y) if x and y are adjacent. • If C is not a proper 3-coloring of G, C’(x) will sometimes equal C’(y) when x and y are adjacent. • We can repeat this protocol enough times to make the chance of false acceptance or rejection negligible. • V has learned whether a 3-coloring of G exists, but nothing about it. • The only information V has received from P is 2 distinct colors. • V could have generated that information on its own.
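
The interactive proof for graph non-isomorphism from slide 16, as an added example that is not part of the original slides. The brute-force prover, the function names and the three sample graphs are assumptions constructed for illustration. When the graphs are non-isomorphic the prover always names V's choice; when they are isomorphic it can only guess, so it is right about half the time.

```python
import itertools
import random

def relabel(edges, perm):
    """Apply a vertex permutation to an edge set; edges are unordered pairs."""
    return frozenset(frozenset((perm[u], perm[v])) for u, v in edges)

def isomorphic(n, a, b):
    """Unbounded prover's test: try every permutation of [n] (exponential time)."""
    return any(relabel(a, p) == b for p in itertools.permutations(range(n)))

def verifier_challenge(n, graphs, rng):
    """V picks a secret bit c and a random permutation p, and sends p(G_c)."""
    c = rng.randrange(2)
    perm = list(range(n))
    rng.shuffle(perm)
    return c, relabel(graphs[c], perm)

def prover_answer(n, graphs, challenge, rng):
    """P names the graph the challenge is a copy of; it must guess if both match."""
    matches = [i for i in (0, 1) if isomorphic(n, graphs[i], challenge)]
    return rng.choice(matches)

def acceptance_rate(n, g0, g1, rounds, seed=0):
    """Fraction of rounds in which P's answer equals V's secret choice."""
    rng = random.Random(seed)
    graphs = (frozenset(frozenset(e) for e in g0),
              frozenset(frozenset(e) for e in g1))
    hits = 0
    for _ in range(rounds):
        c, challenge = verifier_challenge(n, graphs, rng)
        hits += prover_answer(n, graphs, challenge, rng) == c
    return hits / rounds

# Constructed sample graphs on 4 vertices.
PATH = [(0, 1), (1, 2), (2, 3)]    # path: degrees 1, 2, 2, 1
STAR = [(0, 1), (0, 2), (0, 3)]    # star: degrees 3, 1, 1, 1
PATH2 = [(2, 0), (0, 3), (3, 1)]   # the same path with relabeled vertices

if __name__ == "__main__":
    print("non-isomorphic pair:", acceptance_rate(4, PATH, STAR, 200))
    print("isomorphic pair:    ", acceptance_rate(4, PATH, PATH2, 200))
```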
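
The 3-coloring protocol of slides 19 to 22, as an added example that is not part of the original slides. It assumes a salted SHA-256 hash commitment in place of the slides' "encrypt with key Kv" step (the random salt plays the role of Kv); the function names, the sample graph and both colorings are constructed for illustration.

```python
import hashlib
import random
import secrets

COLORS = ("R", "G", "B")

def commit(color):
    """Return (commitment, key); revealing the key later opens the commitment."""
    key = secrets.token_bytes(16)
    return hashlib.sha256(key + color.encode()).digest(), key

def opens_to(commitment, key):
    """Verifier side: recover the committed color, or None if the key is wrong."""
    for color in COLORS:
        if hashlib.sha256(key + color.encode()).digest() == commitment:
            return color
    return None

def run_round(edges, coloring, rng):
    """One round of the slide 21 protocol; True means V accepts this round."""
    # P: relabel the colors with a fresh random permutation p, so C' = p(C).
    perm = dict(zip(COLORS, rng.sample(COLORS, 3)))
    permuted = {v: perm[c] for v, c in coloring.items()}
    # P -> V: one commitment per vertex; the keys stay with P.
    sealed = {v: commit(c) for v, c in permuted.items()}
    commitments = {v: cm for v, (cm, _) in sealed.items()}
    # V -> P: a random edge (x, y).
    x, y = rng.choice(edges)
    # P -> V: only the two keys Kx and Ky.
    kx, ky = sealed[x][1], sealed[y][1]
    # V: open both commitments and reject if they hold the same color.
    cx, cy = opens_to(commitments[x], kx), opens_to(commitments[y], ky)
    return cx is not None and cy is not None and cx != cy

def prove(edges, coloring, rounds, seed=0):
    """Repeat the round; V accepts the proof only if every round accepts."""
    rng = random.Random(seed)
    return all(run_round(edges, coloring, rng) for _ in range(rounds))

# Constructed sample: a 5-cycle with one chord, a valid and an invalid coloring.
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2)]
GOOD = {0: "R", 1: "G", 2: "B", 3: "R", 4: "G"}
BAD = {0: "R", 1: "G", 2: "B", 3: "B", 4: "G"}   # edge (2, 3) is monochromatic

if __name__ == "__main__":
    print("valid coloring accepted:  ", prove(EDGES, GOOD, 200))
    print("invalid coloring accepted:", prove(EDGES, BAD, 200))
```

A single round catches the invalid coloring only when V picks the one bad edge out of six, which is why the protocol is repeated; the fresh permutation in every round is what keeps the opened pairs from accumulating into the coloring itself.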
