1 slides by roel apfelbaum & eti ezra. enhanced by amit kagan. adapted from oded goldreich’s...
Slides by Roel Apfelbaum & Eti Ezra.
Enhanced by Amit Kagan.
Adapted from Oded Goldreich’s course lecture notes.
Notation
Let A and B be a pair of ITMs (interactive TMs). <A,B>(x) is the random variable representing the (local) output of B when interacting with machine A on common input x, when the random-input to each machine is uniformly and independently chosen.
17.1
Zero Knowledge (Definition)
Let (P,V) be an interactive proof system for some language L. We say that (P,V), actually P, is zero-knowledge if for every probabilistic polynomial-time ITM V* there exists a probabilistic polynomial-time machine M* s.t. for every xL holds
{<P,V*>(x)}xL {M*(x)}xL
Machine M* is called the simulator for the interaction of V* with P.
Perfect Zero Knowledge (Definition)
Let (P,V) be an interactive proof system for some language L. We say that (P,V), actually P, is perfect zero-knowledge (PZK) if for every probabilistic polynomial time ITM V* there exists a probabilistic polynomial-time machine M* s.t. for every xL the distributions {<P,V*>(x)}xL and
{M*(x)}xL are identical, i.e.,
{<P,V*>(x)}xL {M*(x)}xL
Example
A trivial simulator for <P,V>
Let V be a verifier that satisfies the definition of IP - when xL, V accepts with probability close to 1, and when xL, V accepts with probability close to 0.
Let M be the simulator that always accepts.
When xL the distributions <P,V>(x) and M(x) are very close.
Statistically close distributions (Definition)
The distribution ensembles {Ax}xL and {Bx}xL are statistically close or have negligible variation distance if for every polynomial p(•) there exists an integer N such that for every xL with |x| N holds:
|Pr [Ax = ] – Pr [Bx = ]| 1/p(|x|).
Statistical zero-knowledge (Definition)
Let (P,V) be an interactive proof system for some language L. We say that (P,V), actually P, is statistical zero knowledge (SZK) if for every probabilistic polynomial time verifier V* there exists a probabilistic polynomial-time machine M* s.t. the ensembles {<P,V*>(x)}xL and {M*(x)}xL
are statistically close.
Computationally indistinguishable (Definition)
Two ensembles {Ax}xL and {Bx}xL are computationally indistinguishable if for every probabilistic polynomial time distinguisher D and for every polynomial p(•) there exists an integer N such that for every xL with |x| N holds
|Pr [D(x,Ax) = 1] – Pr [D(x,Bx) = 1]| 1/p(|x|)
Computational zero-knowledge (Definition)
Let (P,V) be an interactive proof system for some language L. (P,V), actually P, is computational zero knowledge (CZK) if for every probabilistic polynomial-time verifier V* there exists a probabilistic polynomial-time machine M* s.t. the ensembles {<P,V*>(x)}xL and {M*(x)}xL
are computationally indistinguishable.
Lemma: BPP PZK
Proof: Since LBPP, V can be set to a probabilistic polynomial time machine that decides L. P is deterministic and never sends data to V.
Clearly <P,V> is an interactive proof system (completeness and soundness conditions hold).
(P,V) is PZK because for every V*:
{<P,V*>(x)}xL {V*(x)}xL
V* is a simulator for itself!
Graph isomorphism is in Zero-Knowledge
ISO := {(<G1>,<G2>) | G1 G2}
Construction (ZK IP for ISO): Common input:
G1 = (V1, E1), G2 = (V2, E2).
Let be an isomorphism between G1 and
G2. Suppose that |V1| = |V2| = n.
17.2
Construction (cont.)
(P1): P selects a random permutation over V1, constructs the set F where
F := { ((u), (v)) : (u,v) E1 },
and sends H = (V1,F) to V.
(V1): V gets G’ = (V’,E’) from P. V selects R{1,2} and sends it to
P. P is supposed to answer with an isomorphism between G and G’.
Construction (cont.)
(P2): If =1, then send = to V. Otherwise, send = -1 to V.
(V2): If is an isomorphism between G
and G’ then V outputs 1, otherwise
it outputs 0.
Construction (diagram)
[Diagram: the exchange between Prover and Verifier in steps P1, V1, P2 and V2 above.]
An example:
[Figure: graphs G1 and G2, each on vertices 1 to 5.]
Common input: two graphs G1 and G2.
Only P knows .
An example (cont.)
[Figure: graphs G1, H and G2, each on vertices 1 to 5.]
Only P knows .
P sends H to V.
V sends =2 to P.
V gets = -1 and accepts.
Theorem: Graph isomorphism is in Zero-Knowledge
Theorem 1:
The construction above is a perfect zero-knowledge interactive proof system (with respect to statistical closeness).
Proof of Theorem 1
Completeness: If G1 G2 , V always accepts.
First, G’=(G1).
If =1 then = , Hence: (G) = (G1) = (G1) = G’ .
If =2 then = -1, Hence:
(G) = -1(G2) = (G1) = G’ .
And hence V always accepts when G1 G2 .
Proof of Theorem 1 (cont.)
Soundness: Let P* be any prover. If it sends to V a graph isomorphic to neither G1 nor G2, then there is no isomorphism between G and G’. Hence V rejects. W.l.o.g., if G’ G1 then P* can convince V with probability at most 1/2 (V selects {1,2} uniformly).
Hence: when G1 and G2 are non-isomorphic:
Pr [<P*,V>(<G1>,<G2>) = accept] 1/2
Zero Knowledge (Construction of a simulator)
Let V* be any polynomial-time verifier, and let q(•) be a polynomial bounding the running time of V*.
M* selects a string rR{0,1}^q(|x|).
r = 01100…………011
Construction of a Simulator (cont.)
M* selects R{1,2}.
M* selects a random permutation over V.
M* constructs G’’=(G).
[Figure: an example in which the choice is 2 and the permutation, written in two-row form, has top row 5 4 3 2 1 and bottom row 2 5 4 1 3 (meaning: (2)=1); it takes G2 to G’’.]
Construction of a Simulator (cont.)
M* runs V* with the latter’s strings set as follows:
input-tape: x
random-tape: r
message-tape: G’’
Denote as V*‘s output.
If it were the case that ≠ , then the simulation would fail.
M* halts with output (x,r,G’’,).
Proof of Theorem 1 (cont.)
Definition: Let (P,V) be an interactive proof system for L. (P,V) is perfect zero-knowledge by view if for every probabilistic polynomial-time verifier V* there exists a probabilistic polynomial time machine M* s.t. for every xL holds:
{view<P,V*>(x)}xL {M*(x)}xL
where view<P,V*>(x) is the final view of V* after
running <P,V*> on input x.
view = all the data a
machine possesses
Proof of Theorem 1 (cont.)
Lemma: An interactive proof system is perfect zero-knowledge iff it is perfect zero-knowledge by view.
Proof: Let M* satisfy: {view<P,V*>(x)}xL {M*(x)}xL
for every xL. M* has on its work-tape the final view of V*. Hence, it is able to perform the last step of V* and output the result. And so the modified M*(x) is identical to <P,V*>(x).
Proof of lemma (cont.)
Let M* satisfy: {<P,V*>(x)}xL {M*(x)}xL .
For a particular V*, let us consider a verifier
V** that behaves exactly like V*, but outputs
its whole view (at the end). There is a machine
M** s.t. {<P,V**>(x)}xL {M**(x)}xL
Proof of Theorem 1 (cont.)
Lemma: Let x=(G1,G2)ISO. Then for every string r, graph H and permutation , it holds that:
Pr [view<P,V*>(x) = (x,r,H,)] = Pr [M*(x) = (x,r,H,) | M*(x) ]
Proof: Let m* describe M* conditioned on its not being . Define the 2 random variables:
1. v(x,r) - the last 2 elements of view(P,V*)(x) conditioned on the second element equals r.
2. (x,r) - the same with m*(x).
Proof of lemma (cont.)
Let v*(x,r,H) denote the message sent by V* for a fixed r and an incoming message H. We will show that v(x,r) and (x,r) are uniformly distributed over the set:
Cx,r := {(H,): H=(Gv*(x,r,H)) }
While running the simulator we have H=(G), and only the pairs satisfying =v*(x,r,H) lead to an output. Hence:
Pr((x,r)=(H,)) = { 1/|V1|! if H=(Gv*(x,r,H))
{ 0 otherwise
Proof of lemma (cont.)
Consider v(x,r):
v(x,r) = { ((G1),) if v*(x,r,(G1))=1.
{ ((G2),-1) otherwise.
For each H (which is isomorphic to G1):
Pr((x,r)=(H,)) = { 1/|V1|! if =1-v*(x,r,H)
{ 0 otherwise
Observing that H=(Gv*(x,r,H)) iff =1-v*(x,r,H)
and hence the lemma follows.
Proof of Theorem 1 (cont.)
Corollary: view<P,V*>(x) and M*(x) are statistically close.
Proof: A failure is output with probability 1/2. If the simulator returns steps P1-P2 of the construction |x| times and at least once at step P2 =, then output (x,r,G’’,). If in all |x| trials , then output rubbish. Hence, we got a statistical difference of 2^-|x|, and so the corollary follows.
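The lemma above can be checked exhaustively on a small instance. This added example (not part of the slides) enumerates every view a dishonest verifier V* can obtain from the honest prover and every non-failing output of M*, and the two sets coincide. The Greek letters are lost in this transcript, so the names phi, pi, sigma, tau and psi, the sample graph and the verifier v_star are assumptions made here.

```python
import itertools
import random

# Constructed sample input: a 5-vertex graph G1 and G2 = phi(G1).
N = 5
G1_EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (0, 2)]
PHI = (2, 0, 3, 4, 1)     # the secret isomorphism, known only to P


def relabel(perm, g):
    """Apply a vertex permutation to an undirected edge set."""
    return frozenset(frozenset(perm[v] for v in e) for e in g)


def compose(a, b):
    """(a o b)(v) = a[b[v]]."""
    return tuple(a[b[v]] for v in range(len(b)))


def inverse(p):
    inv = [0] * len(p)
    for i, j in enumerate(p):
        inv[j] = i
    return tuple(inv)


G1 = frozenset(frozenset(e) for e in G1_EDGES)
G2 = relabel(PHI, G1)


def v_star(r, h):
    """Hypothetical dishonest verifier: its challenge depends on H and on
    its random tape r instead of being a fresh coin."""
    return 1 + (r + sum(7 * min(e) + max(e) for e in h)) % 2


def verifier_accepts(h, sigma, psi):
    """Step V2: psi must be a permutation taking G_sigma onto H."""
    if sorted(psi) != list(range(N)):
        return False
    return relabel(psi, G1 if sigma == 1 else G2) == h


def real_views(r):
    """Each (H, sigma, psi) that V* sees from the honest P, one per pi."""
    views = []
    for pi in itertools.permutations(range(N)):
        h = relabel(pi, G1)                                    # step P1
        sigma = v_star(r, h)                                   # step V1
        psi = pi if sigma == 1 else compose(pi, inverse(PHI))  # step P2
        views.append((h, sigma, psi))
    return views


def simulated_views(r):
    """Each non-failing output of M*: the guesses (tau, psi) that V*
    happens to confirm. M* never reads PHI."""
    views = []
    for tau in (1, 2):
        for psi in itertools.permutations(range(N)):
            h = relabel(psi, G1 if tau == 1 else G2)
            if v_star(r, h) == tau:
                views.append((h, tau, psi))
    return views


def simulate(r, rng, tries):
    """Sampling version of M*: retry until the guess matches V*'s challenge."""
    for _ in range(tries):
        tau = rng.choice((1, 2))
        psi = list(range(N))
        rng.shuffle(psi)
        h = relabel(tuple(psi), G1 if tau == 1 else G2)
        if v_star(r, h) == tau:
            return (h, tau, tuple(psi))
    return None   # failure symbol, reached with probability 2**-tries
```

Exactly half of the 2·N! guesses survive, which is the failure probability 1/2 used in the corollary.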
Zero-Knowledge for NP
Reminder: NP is like IP with 1/2 round.
We can define NP-ZK as ZK with 1/2 round, but it would be equivalent to BPP:
Lemma: If L admits a zero-knowledge NP-proof system, then LBPP.
Proof: The simulator for <P,V> accepting L is a BPP machine.
17.3
G3C
Common Input: A graph
[Figure: two drawings of a graph on vertices 1 to 5.]
P can paint the graph in 3 colors.
P must keep the coloring a secret.
G3C is in Zero-Knowledge
Construction (ZK IP for G3C):
P chooses a random color permutation.
He puts all the nodes inside envelopes.
And sends them to the verifier.
[Figure: three drawings of the graph on vertices 1 to 5.]
G3C is in ZK (cont.)
Verifier receives a 3-colored graph, but colors are hidden.
He chooses an edge at random.
And asks the prover to open the 2 envelopes.
[Figure: two drawings of the graph on vertices 1 to 5.]
G3C is in ZK (cont.)
Prover opens the envelopes, revealing the colors.
Verifier accepts if the colors are different.
[Figure: the graph on vertices 1 to 5.]
Formally,
G = (V,E) is 3-colorable if there exists a mapping : V {1,2,3} so that (u) (v) for every (u,v) E.
Let be a 3-coloring of G, and let be a permutation over {1,2,3} chosen randomly.
Define (v) ((v)), a random 3-coloring.
Put each (v) in a box with v marked on it.
Send all the boxes to the verifier.
Formally, (cont.)
Verifier selects an edge e (u,v) R E at random asking to inspect the colors.
Prover sends the keys to boxes u and v.
Verifier uses the keys to open the boxes.
If he finds 2 different colors from {1,2,3} - Accept.
Otherwise - Reject.
G3C (diagram)
[Diagram: three messages between P and V. P sends V the boxes of vertices 1, 2, ..., n; V sends P the edge e (u,v) R E; P sends V the keys Keyu, keyv.]
The construction is in ZK:
Completeness: If G is 3-colorable and both P and V follow the rules, V will accept.
Soundness: Suppose G is not 3-colorable and P* tries to cheat. Then at least one edge (u,v) will be colored badly: (u) = (v). V will pick a bad edge with probability 1/|E|, which can be increased to 2/3 by repeating the protocol sufficiently many times.
Zero Knowledge (Construction of a simulator)
Let V* be any polynomial-time verifier, and let q(•) be a polynomial bounding the running time of V*.
M* selects a string rR{0,1}^q(|x|).
r = 11010…………110
Construction of a Simulator (cont.)
M* selects e’=(u’,v’) R E.
M* sends to V* boxes filled with garbage, except for the boxes of u’ and v’, colored as follows: u’ gets c and v’ gets d, where c R {1,2,3} and d R {1,2,3}\{c}.
If V* picks (u’,v’), M* sends V* their keys and the simulation is completed.
Otherwise, the simulation fails.
Analysis of the Simulation
For every GG3C, the distribution of m*(<G>) = M*(<G>) | (M*(<G>) ) is identical to <P,V*>(<G>).
Since V* can’t tell e’ from other edges by looking at the boxes, he picks e’ with probability 1/|E|, which can be increased to a constant by repeating M* sufficiently many times.
So if the boxes are perfectly sealed, G3CPZK.
Commitment Scheme
Digital implementation of a “sealed box”.
Commitment Scheme is a 2-phase protocol satisfying:
- Secrecy: At the end of phase #1, R (Receiver) can’t tell what value is being sent.
- Unambiguity: Given the transcript of phase #1, there’s at most one value R may accept as legal at phase #2.
Commitment Scheme
Denote S(s,) the message S (Sender) sends to R when committing itself to bit and his random coins are s.
Secrecy means S(s,0) and S(s,1) are computationally indistinguishable.
Unambiguity means R can’t be fooled to think S(s,0) = S(s’,1) for any s and s’.
Commitment Scheme
Unambiguity:
Denote by r the coin tosses of R, and by View(R) everything known to R after having received m (S(s,) in this case) and tossed r. Denote by View(S) everything known to S from s and . Then for all but a negligible fraction of r’s there’s no such m for which there are s and s’ s.t.
View(S)=(s,0) and View(R)=(r,m)
and
View(S)=(s’,1) and View(R)=(r,m)
Commitment Scheme
Construction:
f:{0,1}^n {0,1}^n is a one-way permutation.
b:{0,1}^n {0,1} is its hard-core bit.
S wants to send v{0,1} to R.
Phase #1: S selects sR{0,1}^n and sends (f(s), b(s)v) to R, who stores them as (,) respectively.
Phase #2: S sends s as key. R calculates v = b(s), and accepts if f(s) = . Otherwise rejects.
Commitment Scheme
Proposition: This protocol is a bit commitment scheme.
Proof:
Secrecy: For every receiver R* consider the distribution ensembles
<S(0),R*>(1^n) = (f(s),b(s))
and
<S(1),R*>(1^n) = (f(s),b(s)1)
b(s) is unpredictable given f(s) and so the two ensembles are computationally indistinguishable.
Commitment Scheme
Unambiguity follows from f being one-to-one.
G3C + Commitment Scheme
Proposition: G3C that uses bit commitment schemes instead of “magic boxes” is computational zero-knowledge.
Proof:
Completeness: P can convince V by sending the “right keys” of the commitment schemes for the colors of the vertices V selected.
17.8
G3C + Commitment Scheme
Soundness: Commitment scheme unambiguity ensures soundness is still satisfied. P may succeed to cheat V on phase #2 of commitment (in addition to the possibility that V won’t select a badly colored edge). However, this increases only by a little the probability of accepting GG3C.
G3C + Commitment Scheme
Computational Zero-Knowledge:
Let M* be the simulator for V* from the previous proof.
1) Pr[M*(x)=] is still small enough.
2) The ensembles of {m*(<G>)}GG3C and {<P,V*>(<G>)}GG3C are computationally indistinguishable.
G3C + Commitment Scheme
Computational Zero-Knowledge (cont.):
Namely, for every probabilistic polynomial time algorithm, A, every polynomial p(.), and every sufficiently large graph G=(V,E):
|Pr(A(m*(<G>)) = 1) – Pr(A(<P,V*>(<G>)) = 1)| 1/p(|V|)
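One round of the G3C protocol with the sealed boxes replaced by the bit commitment (f(s), b(s) xor v) from the Commitment Scheme construction, as an added example that is not part of the slides. The one-way permutation is a toy stand-in chosen here, s -> 3^s mod 65537 on {1..65536} with the upper-half bit of s as b, small enough to search exhaustively and therefore hiding nothing; the graph, coloring and function names are constructed for the illustration.

```python
import random

# Toy parameters (assumption of this example): 3 generates Z_P^*, so f
# permutes {1, ..., P-1}. Real use needs a cryptographically large group.
P, G = 65537, 3

# Constructed sample input: a 3-colorable graph and the prover's coloring.
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2)]
COLORING = {0: 1, 1: 2, 2: 3, 3: 1, 4: 2}


def f(s):
    """Stand-in one-way permutation: discrete exponentiation."""
    return pow(G, s, P)


def b(s):
    """Stand-in hard-core bit: is s in the upper half of its range?"""
    return 1 if s > (P - 1) // 2 else 0


def commit_bit(v, rng):
    """Phase #1: returns the message (f(s), b(s) xor v) and the key s."""
    s = rng.randrange(1, P)
    return (f(s), b(s) ^ v), s


def open_bit(msg, s):
    """Phase #2: R accepts only if f(s) matches, then recovers v."""
    alpha, beta = msg
    if not 1 <= s < P or f(s) != alpha:
        return None
    return b(s) ^ beta


def openings(msg):
    """Every bit that some key opens msg to (exhaustive, toy size only)."""
    return {open_bit(msg, s) for s in range(1, P)} - {None}


def commit_color(c, rng):
    """A color is boxed as two bit commitments (low bit, high bit)."""
    pairs = [commit_bit((c >> i) & 1, rng) for i in (0, 1)]
    return [m for m, _ in pairs], [k for _, k in pairs]


def open_color(msgs, keys):
    bits = [open_bit(m, k) for m, k in zip(msgs, keys)]
    if len(bits) != 2 or None in bits:
        return None
    return bits[0] | (bits[1] << 1)


def prover_commit(coloring, rng):
    """P permutes the colors at random and commits to every vertex."""
    perm = [1, 2, 3]
    rng.shuffle(perm)
    boxes, keys = {}, {}
    for v, c in coloring.items():
        boxes[v], keys[v] = commit_color(perm[c - 1], rng)
    return boxes, keys


def verifier_check(boxes, edge, key_u, key_v):
    """V opens only the two boxes on its edge and compares the colors."""
    u, v = edge
    cu, cv = open_color(boxes[u], key_u), open_color(boxes[v], key_v)
    return cu in (1, 2, 3) and cv in (1, 2, 3) and cu != cv


def run_round(edges, coloring, rng, edge=None):
    """One round; V's edge is random unless the caller fixes it."""
    boxes, keys = prover_commit(coloring, rng)
    u, v = edge if edge is not None else rng.choice(edges)
    return verifier_check(boxes, (u, v), keys[u], keys[v])
```

Because f is one-to-one, `openings` never returns both bits for the same message, which is the unambiguity property the soundness argument relies on.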
Blackbox Zero Knowledge
Definition: Let (P,V) be an IP for a language L. (P,V) is a blackbox zero knowledge if there exists an oracle machine M s.t. for every verifier V*:
{<P,V*>(x)}xL {<MV*(x)}xL
17.9
Blackbox Zero Knowledge
Theorem: (given without proof)
If there is a (P,V) with negligible error probability for language L that satisfies:
- Public coin proof system.
- Constant number of rounds.
- Blackbox zero-knowledge.
Then LBPP.
Blackbox Zero Knowledge
Blackbox is preserved under sequential composition.
Blackbox is not preserved under parallel composition !!!
G3C is blackbox zero-knowledge.
Blackbox Zero Knowledge
G3C failure probability is 1-1/|E|, hence it is not negligible.
Error becomes negligible by repeating G3C polynomially many times sequentially or in parallel.
Sequential repetition - number of rounds not constant.
Parallel repetition - not a blackbox.
Blackbox Zero Knowledge
If G3C could satisfy theorem 11, then G3CBPP and hence NPBPP.
All known ZK systems are blackbox.
ZK for a language outside BPP should either use non-constant number of rounds or use private coin.
Randomness and ZK
In IP, V must be random to satisfy soundness.
In ZK, P must be random to satisfy zero-knowledge.
If L has ZK proof in which either P or V is deterministic, then LBPP.
17.10