l20 nov zero-knowledge proofs

Size: px

Start display at page:

Download "l20 nov zero-knowledge proofs"

Kristopher Gilmore
5 years ago
Views:

1 l0 nov 00 zero-knowledge proofs

2 what properties should an interactive proof system have?

3 Alice Bob if c= o.w.

4 quadratic equations prove that equation has a solution without revealing the solution! Alice Bob t c s check

5 completeness if a statement is true, then the prover should always be able to convince the verifier that it is so. what does it mean to be true? language is a set of strings x is true relative to if

6 completeness for a language L, and for all interaction with V accepting the proof

7 completeness for a language L, and for all Pr[ ] interaction with V accepting the proof

8 completeness for a language L, and for all Pr[ ] interaction with V accepting the proof

9 completeness for a language L, and for all Pr[ ] interaction with V accepting the proof

10 soundness if a statement is false, then the prover should never be able to convince the verifier that it is so.

11 soundness if a statement is false, then the prover should never be able to convince the verifier that it is so. for a language L, and for all

12 soundness if a statement is false, then the prover should never be able to convince the verifier that it is so. for a language L, and for all Pr[ ] where is a negligible function

13 Alice Bob

14 Alice Bob check

15 Alice Bob check if yes, send it is true

16 Alice Bob check if yes, send if no, send it is true it is not true

17 Alice Bob check if yes, send if no, send it is true it is not true ok.

18 Alice Bob check if yes, send if no, send it is true it is not true ok. for a language L, and for all Pr[ ] where is a negligible function

19 soundness if a statement is false, then no prover should ever be able to convince the verifier that it is so. for a language L, and for all Pr[ ] where is a negligible function

20 interactive protocols are powerful

21 can you prove that this equation has no solutions:

22 prove this equation has no solutions Alice Bob t if t is a square if not send s=0 send s= accept if s=b

23 prove this equation has no solutions if there are no solutions, then challenges are b= b=0

24 prove this equation has no solutions if there are solutions, then challenges are b= b=0 prover is caught / time

25 prove this equation has no solutions Alice Bob t if t is a square if not send s= send s=0 accept if s=b but is the protocol zero-knowledge?

26 zero-knowledge after seeing a zero-knowledge proof, a verifier should be unable to accomplish any new tasks.

27 verifier s view by interacting with the prover, the verifier was convinced the statement was true but the proof itself... verifier could have generated them himself!

28 verifier s view how to generate a transcript of a proof: first pick c then pick then set output

29 zero-knowledge after seeing a zero-knowledge proof, a verifier should be unable to accomplish any new tasks. there exists a p.p.t. machine S s.t. for all honest verifier zero-knowledge

30 is honest-v zk ok? Alice Bob if c= if c= otherwise

31 zero-knowledge after seeing a zero-knowledge proof, a verifier should be unable to accomplish any new tasks. for all verifiers V* there exists a p.p.t. machine S O s.t. for all

32 prove this equation has no solutions Alice Bob t if t is a square if not send s= send s=0 accept if s=b so is this protocol zero-knowledge?

33 prove this equation has no solutions Alice Bob t if t is a square if not send s= send s=0 accept if s=b so is this protocol zero-knowledge? NO. but can be fixed in two ways...

34 graph iso quadratic equations lets build a zk proof for more general problems.

35 -coloring of a graph np-complete

36 -coloring of a graph np-complete

37 zk-proof of -colorability lice Bob

38 zk-proof of -colorability lice Bob

39 zk-proof of -colorability lice Bob pick a color perm

40 zk-proof of -colorability lice Bob pick a color perm color the graph with new perm

41 zk-proof of -colorability lice Bob pick a color perm color the graph place cups over nodes

42 zk-proof of -colorability lice Bob pick a color perm color the graph place cups over nodes

43 zk-proof of -colorability lice Bob pick a color perm color the graph place cups over nodes pick a random edge

44 zk-proof of -colorability lice Bob pick a color perm color the graph place cups over nodes reveals chosen edge pick a random edge

45 zk-proof of -colorability lice Bob pick a color perm color the graph place cups over nodes reveals chosen edge pick a random edge check colors

46 zk-proof of -colorability lice Bob pick a color perm color the graph pick a random edge place cups over nodes check colors reveals chosen edge completeness?

47 zk-proof of -colorability lice Bob pick a color perm color the graph pick a random edge place cups over nodes check colors reveals chosen edge soundness?

48 zk-proof of -colorability lice Bob pick a color perm color the graph pick a random edge place cups over nodes check colors reveals chosen edge soundness?

49 zk-proof of -colorability lice Bob pick a color perm color the graph pick a random edge place cups over nodes check colors reveals chosen edge soundness? repeat m times

50 zk-proof of -colorability lice Bob pick a color perm color the graph pick a random edge place cups over nodes check colors reveals chosen edge soundness? repeat m times

51 zk-proof of -colorability lice Bob pick a color perm color the graph pick a random edge place cups over nodes check colors reveals chosen edge soundness? repeat m times

52 zk-proof of -colorability lice Bob pick a color perm color the graph pick a random edge place cups over nodes check colors reveals chosen edge zero-knowledge?

53 simulator for -col Bob* S(G)

54 simulator for -col Bob* S(G)

55 simulator for -col Bob* S(G) color a random edge e

56 simulator for -col Bob* S(G) color a random edge e place cups over nodes

57 simulator for -col Bob* S(G) color a random edge e place cups over nodes ask bob for challenge c

58 simulator for -col Bob* S(G) color a random edge e place cups over nodes ask bob for challenge c success if c=e

59 simulator for -col Bob* S(G) color a random edge e place cups over nodes ask bob for challenge c success if c=e else repeat

60 simulator for -col Bob* S(G) color a random edge e place cups over nodes ask bob for challenge c success if c=e else repeat succeeds with pr

61 simulator for -col Bob* S(G) color a random edge e place cups over nodes ask bob for challenge c success if c=e else repeat succeeds with pr

62 simulator for -col Bob* S(G) color a random edge e place cups over nodes ask bob for challenge c success if c=e else repeat succeeds with pr expected # iterations: m

63 sudoko puzzle before i start, can you prove that it has a solution?

64 sudoko puzzle before i start, can you prove that it has a solution? YES. sudoko is in NP!

65 sudoko puzzle before i start, can you prove that it has a solution? YES. sudoko is in NP! YES. there is even an efficient way.

66 sudoko puzzle 9 9 9

67 sudoko puzzle

68 sudoko puzzle

69 sudoko puzzle

70 sudoko puzzle

71 sudoko puzzle

72 sudoko puzzle shuffle

73 sudoko puzzle check each pile has all 9

74 sudoko puzzle do the same for the rows and each sub-square

75 how to make this protocol internet-ready? what function did the cups play? (binding) (hiding) prover could not change color verifier could not see color

76 commitment schemes Sender Receiver sender commits to a bit sender cannot change her mind receiver cannot learn the bit sender can open commitment

77 commitment schemes two protocols: commit() open() Sender c Receiver open Sender b,s Receiver

Lecture 10, Zero Knowledge Proofs, Secure Computation

CS 4501-6501 Topics in Cryptography 30 Mar 2018 Lecture 10, Zero Knowledge Proofs, Secure Computation Lecturer: Mahmoody Scribe: Bella Vice-Van Heyde, Derrick Blakely, Bobby Andris 1 Introduction Last