the 29th annual acm-icpc world finals
Post on 02-Jan-2016
46 Views
Preview:
DESCRIPTION
TRANSCRIPT
11
The 29th AnnualThe 29th AnnualACM-ICPC World Finals ACM-ICPC World Finals
1. Shanghai Jiaotong University1. Shanghai Jiaotong University
2. Moscow State University2. Moscow State University
3. St. Petersburg Institute of Fine Mechanics 3. St. Petersburg Institute of Fine Mechanics and Optics and Optics
4. University of Waterloo4. University of Waterloo……
17. St. Petersburg State University17. St. Petersburg State University
Zero Knowledge Proofs and Zero Knowledge Proofs and ProtocolsProtocols
Nikolay VyahhNikolay VyahhiiSt. Petersburg State UniversitySt. Petersburg State University
Joint Advanced Student[s] School 2005Joint Advanced Student[s] School 2005
A proof is whatever convinces me.A proof is whatever convinces me.Shimon Even, 1978Shimon Even, 1978
33
Example (graph 3-coloring)Example (graph 3-coloring)
Problem (G3C):Problem (G3C): Given a graph, color its vertices with red, Given a graph, color its vertices with red, greengreen, blue such that if any two vertices are joined by an , blue such that if any two vertices are joined by an edge then they receive different colors.edge then they receive different colors.
(13/14(13/14 )) == 0,9290,929(13/14)(13/14)1010 == 0,4770,477(13/14)(13/14)100100 == 6,047*106,047*10-4-4
(13/14)(13/14)10001000 == 6,536*106,536*10-33-33
Probability, that A can cheat (when B opened nProbability, that A can cheat (when B opened n22 edges) at edges) at most:most:
(1-1/n)(1-1/n)nn22 e e-n-n
44
AgendaAgenda IntroductionIntroduction
Theory:Theory:• Interactive Proof Systems, Interactive ProtocolInteractive Proof Systems, Interactive Protocol• Zero-Knowledge, QNR example Zero-Knowledge, QNR example • Indistinguishability of Random Variables Indistinguishability of Random Variables • Approximability of Random VariablesApproximability of Random Variables• Zero-KnowledgeZero-Knowledge• Known Facts and Open ProblemsKnown Facts and Open Problems
Examples:Examples:• GIGI• GNIGNI• QNRQNR
Related papersRelated papers
ExercisesExercises
55
AgendaAgenda IntroductionIntroduction
Theory:Theory:• Interactive Proof Systems, Interactive ProtocolInteractive Proof Systems, Interactive Protocol• Zero-Knowledge, QNR example Zero-Knowledge, QNR example • Indistinguishability of Random Variables Indistinguishability of Random Variables • Approximability of Random VariablesApproximability of Random Variables• Zero-KnowledgeZero-Knowledge• Known Facts and Open ProblemsKnown Facts and Open Problems
Examples:Examples:• GIGI• GNIGNI• QNRQNR
Related papersRelated papers
ExercisesExercises
77
IntroductionIntroduction Applications:Applications:
• authentication // user proves to system, that he authentication // user proves to system, that he is valid useris valid user
Weakness: Adversary E can prove to B, that she is A, just Weakness: Adversary E can prove to B, that she is A, just by asking A to prove it to her and simulating this by asking A to prove it to her and simulating this protocol with B.protocol with B.
• protecting against chosen message attackprotecting against chosen message attackby augmenting the ciphertext by a zero-knowledge proof by augmenting the ciphertext by a zero-knowledge proof of knowledge of the cleartext.of knowledge of the cleartext.
• non-oblivious commitment schemesnon-oblivious commitment schemes
• ……
88
AgendaAgenda IntroductionIntroduction
Theory:Theory:• Interactive Proof Systems, Interactive ProtocolInteractive Proof Systems, Interactive Protocol• Zero-Knowledge, QNR example Zero-Knowledge, QNR example • Indistinguishability of Random Variables Indistinguishability of Random Variables • Approximability of Random VariablesApproximability of Random Variables• Zero-KnowledgeZero-Knowledge• Known Facts and Open ProblemsKnown Facts and Open Problems
Examples:Examples:• GIGI• GNIGNI• QNRQNR
Related papersRelated papers
ExercisesExercises
99
Interactive Proof SystemsInteractive Proof Systems
Intuitively, what should we require from an efficient Intuitively, what should we require from an efficient theorem-proving procedure?theorem-proving procedure?
1.1. That it should be possible to “prove” a true theorem.That it should be possible to “prove” a true theorem.2.2. That it should be impossible to “prove” a false theorem.That it should be impossible to “prove” a false theorem.3.3. That communicating the “proof” should be efficient. Namely That communicating the “proof” should be efficient. Namely
regardless of how much time it takes to come up with the regardless of how much time it takes to come up with the proof, its correctness should be efficiently verified.proof, its correctness should be efficiently verified.
More formal. An More formal. An interactive Turing machineinteractive Turing machine (ITM) is a (ITM) is a Turing machine equipped with read-only input tape, a work Turing machine equipped with read-only input tape, a work tape, a random tape, one read-only and one write-only tape, a random tape, one read-only and one write-only communication tapes. The random tape contains an communication tapes. The random tape contains an infinite sequence of random bits, and can be scanned only infinite sequence of random bits, and can be scanned only from left to right.from left to right.
1010
Interactive Proof SystemsInteractive Proof Systems
Interactive Turing MachineInteractive Turing Machine
1111
Interactive ProtocolInteractive Protocol
An An interactive protocolinteractive protocol is an ordered pair of ITM’s A is an ordered pair of ITM’s A (prover) and B (verifier) such that A and B share the same (prover) and B (verifier) such that A and B share the same input tape, B’s write-only communication tape is A’s read-input tape, B’s write-only communication tape is A’s read-only communication tape and vice versa. only communication tape and vice versa.
Machine A is not computationally bounded, while B is Machine A is not computationally bounded, while B is bounded by a polynomial in the length of common input.bounded by a polynomial in the length of common input.
The two machines take turns in being active, with B being The two machines take turns in being active, with B being active first. During an active stage A(B) first perform some active first. During an active stage A(B) first perform some internal computation using its tapes; and, second, it writes internal computation using its tapes; and, second, it writes a string (for B(A)) on its write-only communication tape. a string (for B(A)) on its write-only communication tape. Then it deactivates and machine B(A) becomes active.Then it deactivates and machine B(A) becomes active.
Machine BMachine B accepts (or rejects) the input by outputting accepts (or rejects) the input by outputting “accept”“accept” (or (or “reject”“reject”) and terminating the protocol.) and terminating the protocol.
1212
Interactive ProtocolInteractive Protocol
Interactive Turing MachinesInteractive Turing Machines
1313
Interactive Proof SystemsInteractive Proof Systems An interactive protocol (A,B) is called an An interactive protocol (A,B) is called an interactive proof interactive proof
systemsystem for language L over {0,1}* if we have the for language L over {0,1}* if we have the following:following:
1.1. For each k, for sufficiently large x in L given as input to (A,B), B For each k, for sufficiently large x in L given as input to (A,B), B halts and accepts with probability at least 1-|x|halts and accepts with probability at least 1-|x|-k-k..
2.2. For each k, for sufficiently large x NOT in L, for any ITM A’, on For each k, for sufficiently large x NOT in L, for any ITM A’, on input x to (A’,B), B accepts with probability at most |x|input x to (A’,B), B accepts with probability at most |x| -k-k..
The probabilities here are taken over the readings of The probabilities here are taken over the readings of random bits of A and B.random bits of A and B.
Interactive Polynomial time (IP)Interactive Polynomial time (IP) is the class of is the class of languages for which there exists interactive proof system.languages for which there exists interactive proof system.
1414
AgendaAgenda IntroductionIntroduction
Theory:Theory:• Interactive Proof Systems, Interactive ProtocolInteractive Proof Systems, Interactive Protocol• Zero-Knowledge, QNR example Zero-Knowledge, QNR example • Indistinguishability of Random Variables Indistinguishability of Random Variables • Approximability of Random VariablesApproximability of Random Variables• Zero-KnowledgeZero-Knowledge• Known Facts and Open ProblemsKnown Facts and Open Problems
Examples:Examples:• GIGI• GNIGNI• QNRQNR
Related papersRelated papers
ExercisesExercises
1515
Zero-KnowledgeZero-Knowledge
For every polynomial time B’, the For every polynomial time B’, the distribution that B’ “sees” on all its distribution that B’ “sees” on all its tapes, when interacting with A on tapes, when interacting with A on input xinput x∈∈L, is “indistinguishable” from L, is “indistinguishable” from a distribution that can be computed a distribution that can be computed from x in polynomial time.from x in polynomial time.
1616
Example (QNR)Example (QNR)Problem (QNR): Problem (QNR): QNR = { QNR = { ((x,y) | y is quadratic nonresidue mod x }x,y) | y is quadratic nonresidue mod x }. .
There is no such z, that y = zThere is no such z, that y = z22 mod x. mod x.
So let’s try to prove with zero-knowledge for some y, that it is So let’s try to prove with zero-knowledge for some y, that it is from QNR. With prover A, verifier B, input (x,y) and |x|=n. from QNR. With prover A, verifier B, input (x,y) and |x|=n.
1.1. B begins by flipping coins to obtain random bits bB begins by flipping coins to obtain random bits b11,b,b22,…,b,…,bnn..2.2. Then B flips additional coins for obtaining random zThen B flips additional coins for obtaining random z11,z,z22…z…znn
(0<z(0<zii<x and gcd(z<x and gcd(zii,x)=1 for each z,x)=1 for each zii).).3.3. B computes wB computes w11,w,w22,…,w,…,wnn as follows: as follows:
• wwii = (z = (zii22) mod x, if b) mod x, if bii=0=0
• wwii = (z = (zii22y) mod x, otherwise, if by) mod x, otherwise, if bii=1=1
4.4. B sends wB sends w11,w,w22,…,w,…,wnn to A. to A.5.5. A computes (somehow) for each i whether or not wA computes (somehow) for each i whether or not w ii is quadratic is quadratic
residue mod x, and sends this information (cresidue mod x, and sends this information (c11,c,c22,…,c,…,cnn) to B.) to B.6.6. B checks if bB checks if bii=c=cii for every i, and if so is “convinced” that for every i, and if so is “convinced” that
(x,y)(x,y)∈∈QNR.QNR.
1818
Example (QNR)Example (QNR)
What if B were to cheat? B could begin by setting What if B were to cheat? B could begin by setting ww11=42 for example, and then behave correctly. =42 for example, and then behave correctly. So, B can compute whether or not 42 is a So, B can compute whether or not 42 is a quadratic residue x, given x and a quadratic quadratic residue x, given x and a quadratic nonresidue y. At this time it is not known how nonresidue y. At this time it is not known how compute this in polynomial time, so this proof compute this in polynomial time, so this proof system may not be zero-knowledge!system may not be zero-knowledge!
1919
AgendaAgenda IntroductionIntroduction
Theory:Theory:• Interactive Proof Systems, Interactive ProtocolInteractive Proof Systems, Interactive Protocol• Zero-Knowledge, QNR example Zero-Knowledge, QNR example • Indistinguishability of Random Variables Indistinguishability of Random Variables • Approximability of Random VariablesApproximability of Random Variables• Zero-KnowledgeZero-Knowledge• Known Facts and Open ProblemsKnown Facts and Open Problems
Examples:Examples:• GIGI• GNIGNI• QNRQNR
Related papersRelated papers
ExercisesExercises
2020
Indistinguishability of Random Indistinguishability of Random VariablesVariables
Consider families of random variables Consider families of random variables U = {U(x)}U = {U(x)}, where , where xx∈∈L, a particular subset of {0,1}*, and all random variables L, a particular subset of {0,1}*, and all random variables take values in {0,1}*.take values in {0,1}*.
Let Let U(x)U(x) and and V(x)V(x) be two families of random variables. be two families of random variables.
We want to express the fact that, when the length of x We want to express the fact that, when the length of x increases, U(x) essentially becomes increases, U(x) essentially becomes “replaceable”“replaceable” by by V(x).V(x).
So, a random sample is selected form U(x) or from V(x) and So, a random sample is selected form U(x) or from V(x) and it is handed to a it is handed to a “judge”“judge”. After studying the sample, he . After studying the sample, he proclaims, from which families our sample is.proclaims, from which families our sample is.
2121
Indistinguishability of Random Indistinguishability of Random VariablesVariables
Two families of random variables {U(x)} and {V(x)} are:Two families of random variables {U(x)} and {V(x)} are:
EqualEqual if the judge’s verdict will be meaningless even if he if the judge’s verdict will be meaningless even if he is given samples of arbitrary size and he can study them for is given samples of arbitrary size and he can study them for an arbitrary amount of time.an arbitrary amount of time.
Statically indistinguishableStatically indistinguishable if the judge’s verdict if the judge’s verdict became meaningless when he is given an infinite amount of became meaningless when he is given an infinite amount of time but only random, polynomial (in |x|) size samples to time but only random, polynomial (in |x|) size samples to work on.work on.
Computationally indistinguishableComputationally indistinguishable if the judge’s verdict if the judge’s verdict become meaningless when he is only given polynomial (|become meaningless when he is only given polynomial (|x|)-size samples and polynomial (|x|) time.x|)-size samples and polynomial (|x|) time.
2222
AgendaAgenda IntroductionIntroduction
Theory:Theory:• Interactive Proof Systems, Interactive ProtocolInteractive Proof Systems, Interactive Protocol• Zero-Knowledge, QNR example Zero-Knowledge, QNR example • Indistinguishability of Random Variables Indistinguishability of Random Variables • Approximability of Random VariablesApproximability of Random Variables• Zero-KnowledgeZero-Knowledge• Known Facts and Open ProblemsKnown Facts and Open Problems
Examples:Examples:• GIGI• GNIGNI• QNRQNR
Related papersRelated papers
ExercisesExercises
2323
Approximability of Random Approximability of Random VariablesVariables
Let M be a probabilistic Turing machine that on input x Let M be a probabilistic Turing machine that on input x always halts. We denote by always halts. We denote by M(x) M(x) the random variable that, the random variable that, for each string, which is equal to for each string, which is equal to αα, have the same , have the same probability that M on input x outputs probability that M on input x outputs αα..
U is U is perfectly approximableperfectly approximable on L if there exist a on L if there exist a probabilistic Turing machine M, running expected probabilistic Turing machine M, running expected polynomial time, such that for all xpolynomial time, such that for all x∈∈L, M(x) is equal to U(x).L, M(x) is equal to U(x).
U is U is statically (computationally) approximablestatically (computationally) approximable on L if on L if there exist a probabilistic Turing machine M, running there exist a probabilistic Turing machine M, running expected polynomial time, such that for families of random expected polynomial time, such that for families of random variables {M(x)} and {U(x)} are statically (computationally) variables {M(x)} and {U(x)} are statically (computationally) indistinguishable on L.indistinguishable on L.
2424
AgendaAgenda IntroductionIntroduction
Theory:Theory:• Interactive Proof Systems, Interactive ProtocolInteractive Proof Systems, Interactive Protocol• Zero-Knowledge, QNR example Zero-Knowledge, QNR example • Indistinguishability of Random Variables Indistinguishability of Random Variables • Approximability of Random VariablesApproximability of Random Variables• Zero-KnowledgeZero-Knowledge• Known Facts and Open ProblemsKnown Facts and Open Problems
Examples:Examples:• GIGI• GNIGNI• QNRQNR
Related papersRelated papers
ExercisesExercises
2525
Zero-KnowledgeZero-Knowledge
ITM B’ has an extra input tape H, which length is bounded ITM B’ has an extra input tape H, which length is bounded above be a polynomial in the length of x.above be a polynomial in the length of x.
When B’ interacts with A, A sees only x on its tape, whereas When B’ interacts with A, A sees only x on its tape, whereas B’ sees (x,H).B’ sees (x,H).
So H is a some knowledge about x that the cheating B’ So H is a some knowledge about x that the cheating B’ already possess. Or H can be considered as the history of already possess. Or H can be considered as the history of previous interactions that B’ is trying to use to get previous interactions that B’ is trying to use to get knowledge from A.knowledge from A.
Let Let ViewViewA,B’A,B’(x,H) be the random variables whose value is (x,H) be the random variables whose value is view of B’ (random tape, messages between parties, view of B’ (random tape, messages between parties, private tape). For convenience, we consider each view to be private tape). For convenience, we consider each view to be a string from {0,1}* of length |x|a string from {0,1}* of length |x|cc for some fixed c>0 for some fixed c>0..
2727
Zero-KnowledgeZero-Knowledge
Let L be a language and (A,B) a protocol. Let B’ be as Let L be a language and (A,B) a protocol. Let B’ be as above. We say that (A,B) is above. We say that (A,B) is perfectly (statically) perfectly (statically) (computationally) zero-knowledge(computationally) zero-knowledge on L for B’ if the on L for B’ if the family of random variables Viewfamily of random variables ViewA,BA,B is perfectly (statically) is perfectly (statically) (computationally) approximable on (computationally) approximable on
L’ = { (x,H) | xL’ = { (x,H) | x∈∈L and |H|=|x|L and |H|=|x|cc}}
We say that interactive protocol (A,B) if We say that interactive protocol (A,B) if perfectly perfectly (statically) (computationally) zero-knowledge(statically) (computationally) zero-knowledge on L if it on L if it is perfectly (statically) (computationally) zero-knowledge on is perfectly (statically) (computationally) zero-knowledge on L for all probabilistic polynomial time ITM B’. Note, that this L for all probabilistic polynomial time ITM B’. Note, that this definition only depends on A and not at all on B.definition only depends on A and not at all on B.
Usually, only computationally zero-knowledge is Usually, only computationally zero-knowledge is consideconsided.d.
2828
AgendaAgenda IntroductionIntroduction
Theory:Theory:• Interactive Proof Systems, Interactive ProtocolInteractive Proof Systems, Interactive Protocol• Zero-Knowledge, QNR example Zero-Knowledge, QNR example • Indistinguishability of Random Variables Indistinguishability of Random Variables • Approximability of Random VariablesApproximability of Random Variables• Zero-KnowledgeZero-Knowledge• Known Facts and Open ProblemsKnown Facts and Open Problems
Examples:Examples:• GIGI• GNIGNI• QNRQNR
Related papersRelated papers
ExercisesExercises
2929
Known Facts and Open ProblemsKnown Facts and Open Problems
Every language in NP has a perfect zero knowledge proof Every language in NP has a perfect zero knowledge proof (if one-way permutations exists).(if one-way permutations exists).
Every language in IP has a zero knowledge proof.Every language in IP has a zero knowledge proof.
It’s known that (obvious)It’s known that (obvious)
Goldreich’s belief is thatGoldreich’s belief is that
The relationship of PZK and SZK remains an open problem The relationship of PZK and SZK remains an open problem (with no evidence either way).(with no evidence either way).
BPP PZK SZK CZK IP
BPP PZK SZK CZK = IP
3030
AgendaAgenda IntroductionIntroduction
Theory:Theory:• Interactive Proof Systems, Interactive ProtocolInteractive Proof Systems, Interactive Protocol• Zero-Knowledge, QNR example Zero-Knowledge, QNR example • Indistinguishability of Random Variables Indistinguishability of Random Variables • Approximability of Random VariablesApproximability of Random Variables• Zero-KnowledgeZero-Knowledge• Known Facts and Open ProblemsKnown Facts and Open Problems
Examples:Examples:• GIGI• GNIGNI• QNRQNR
Related papersRelated papers
ExercisesExercises
3131
Examples (GI)Examples (GI)
Problem (GI – Graph Isomorphism):Problem (GI – Graph Isomorphism): You have You have two graphs (Gtwo graphs (G00,G,G11), are they isomorphic?), are they isomorphic?
Exercise 0: Exercise 0: Think out zero-knowledge proof for this Think out zero-knowledge proof for this problem. A knows, that Gproblem. A knows, that G00 and G and G11 are are isomorphic (and how its are) and tries to prove isomorphic (and how its are) and tries to prove this fact to B.this fact to B.
1.1. A chooses one graph (GA chooses one graph (G0 0 or Gor G11), and transform it ), and transform it to any another isomorphic one Gto any another isomorphic one G2 2 (anyhow).(anyhow).
2.2. A sends this graph GA sends this graph G22 to B. to B.3.3. B flips a coin, and sends this bit b (0 or 1) to A.B flips a coin, and sends this bit b (0 or 1) to A.4.4. A mustA must show isomorphism show isomorphism of of GG22 and G and Gb b to B, to B,
otherwise B can not accept.otherwise B can not accept.
3232
Examples (GI)Examples (GI)
IIf A cheating, she can’t f A cheating, she can’t show isomorphism show isomorphism of those two graphs with probability ½of those two graphs with probability ½. . But A can cheat with ½ probability also.But A can cheat with ½ probability also.
If B repeats this protocol n times, so A can If B repeats this protocol n times, so A can cheat with probability only cheat with probability only ½½nn=2=2-n -n (at (at most)most)..
B can’t get some additional information B can’t get some additional information from this from this interaction.interaction.
3333
AgendaAgenda IntroductionIntroduction
Theory:Theory:• Interactive Proof Systems, Interactive ProtocolInteractive Proof Systems, Interactive Protocol• Zero-Knowledge, QNR example Zero-Knowledge, QNR example • Indistinguishability of Random Variables Indistinguishability of Random Variables • Approximability of Random VariablesApproximability of Random Variables• Zero-KnowledgeZero-Knowledge• Known Facts and Open ProblemsKnown Facts and Open Problems
Examples:Examples:• GIGI• GNIGNI• QNRQNR
Related papersRelated papers
ExercisesExercises
3434
Examples (GNI)Examples (GNI)Problem (GNI - Graph NonIsomorphism):Problem (GNI - Graph NonIsomorphism): You have two You have two
graphs (Ggraphs (G00,G,G11), are they nonisomorphic?), are they nonisomorphic?
1.1. B chooses one graph (GB chooses one graph (G0 0 or Gor G11), and transform it to any ), and transform it to any another isomorphic one Ganother isomorphic one G2 2 (anyway).(anyway).
2.2. B sends this graph GB sends this graph G22 to A. to A.3.3. AA must must say, which graph was chosen by B. say, which graph was chosen by B.
IIf A cheatingf A cheating, so graphs G, so graphs G0 0 and Gand G11 are isomorphic, and she are isomorphic, and she can not say exactly, to which one Gcan not say exactly, to which one G22 is isomorphic. is isomorphic. Probability of being Probability of being caughtcaught is 1-½ is 1-½nn..
B can not get some additional information from this B can not get some additional information from this interaction.interaction.
Are you sureAre you sure in the last point?in the last point?
3535
Examples (GNI)Examples (GNI)
It is not zero-knowledge!It is not zero-knowledge!
The same situation as with QNR The same situation as with QNR earlier.earlier.
3636
Examples (GNI)Examples (GNI)
Problem (GNI - Graph NonIsomorphism):Problem (GNI - Graph NonIsomorphism): You have two You have two graphs (Ggraphs (G00,G,G11), are they nonisomorphic?), are they nonisomorphic?
We must modify verifier B, so that he’ll prove to the prover We must modify verifier B, so that he’ll prove to the prover A, that he (B) knows the answer to his query graph (i.e. he A, that he (B) knows the answer to his query graph (i.e. he knows an isomorphism to the appropriate input graph), and knows an isomorphism to the appropriate input graph), and the prover answers the query only if she is convinced of the prover answers the query only if she is convinced of this claim.this claim.
Of course, that B’s proof must be zero-knowledge.Of course, that B’s proof must be zero-knowledge.
3737
AgendaAgenda IntroductionIntroduction
Theory:Theory:• Interactive Proof Systems, Interactive ProtocolInteractive Proof Systems, Interactive Protocol• Zero-Knowledge, QNR example Zero-Knowledge, QNR example • Indistinguishability of Random Variables Indistinguishability of Random Variables • Approximability of Random VariablesApproximability of Random Variables• Zero-KnowledgeZero-Knowledge• Known Facts and Open ProblemsKnown Facts and Open Problems
Examples:Examples:• GIGI• GNIGNI• QNRQNR
Related papersRelated papers
ExercisesExercises
3838
Example (QNR)Example (QNR)
Problem (QNR): Problem (QNR): QNR = { QNR = { ((x,y) | y is quadratic nonresidue x,y) | y is quadratic nonresidue mod x }mod x }. There is no such z, that y = z. There is no such z, that y = z22 mod x. mod x.
BB picks at random integer r and one bit. picks at random integer r and one bit. • if bit=0 then B sets w = rif bit=0 then B sets w = r22 mod x, mod x,• otherwise w = rotherwise w = r22y mod x.y mod x.
B sends w to A.B sends w to A.
For some 1<=j<=m, B picks random integer rFor some 1<=j<=m, B picks random integer r j1j1,r,rj2j2 and and random bitrandom bitjj. B sets . B sets • aajj=r=r22
j1j1 mod x mod x• bbjj=yr=yr22
j2j2 mod x mod x
If bitIf bitjj=1, B sends A the ordered pair (a=1, B sends A the ordered pair (ajj,b,bjj), else (b), else (bjj,a,ajj).).
A sends B an m-long random bit vector i=iA sends B an m-long random bit vector i=i11,i,i22,…,i,…,imm..
3939
Example (QNR)Example (QNR)
B sends A the sequence v=vB sends A the sequence v=v11,v,v22,…,v,…,vmm..• if iif ijj=0 then v=0 then vj j = (r= (rj1j1,r,rj2j2))• if iif ijj=1 then=1 then
if bit=0 then vif bit=0 then vj j = rr= rrj1j1 mod x mod x else velse vj j = yrr= yrrj2j2 mod x. mod x.
The intuition behind this step is as follows: if iThe intuition behind this step is as follows: if ijj=0, then B is =0, then B is convincing A that pair was chosen correctly; if iconvincing A that pair was chosen correctly; if ijj=1 then B =1 then B is convincing that if pair was chosen correctly, then w was is convincing that if pair was chosen correctly, then w was chosen correctly.chosen correctly.
A verifies that the sequence v was properly constructed, If A verifies that the sequence v was properly constructed, If not, A sends terminate to B and halts. Otherwise. A sets not, A sends terminate to B and halts. Otherwise. A sets answer = 0 if w is a quadratic residue mod x and 1 answer = 0 if w is a quadratic residue mod x and 1 otherwise, A sends answer to B.otherwise, A sends answer to B.
4040
Example (QNR)Example (QNR)
B checks whether answer = bit. If so B continues the B checks whether answer = bit. If so B continues the protocol, otherwise B rejects and halts.protocol, otherwise B rejects and halts.
After m repetition of this protocol, if B did not reject thus After m repetition of this protocol, if B did not reject thus far, B accepts and halts.far, B accepts and halts.
Conclusion: So, we force B to prove, that he is not cheating. Conclusion: So, we force B to prove, that he is not cheating. And now he can not obtain any other information from this And now he can not obtain any other information from this protocol (only is y a quadratic nonredisue or not). => It’s a protocol (only is y a quadratic nonredisue or not). => It’s a (statically) zero-knowledge proof.(statically) zero-knowledge proof.
4141
Non-Interactive ZK ProofsNon-Interactive ZK Proofs
General Idea: Using one-way function instead of verifier B.General Idea: Using one-way function instead of verifier B.
A generates n random A generates n random numbersnumbers, and so generate, and so generatess n n different isomorphic different isomorphic ((to to initial)initial) problems problems..
A publish all this new problems.A publish all this new problems.
A uses one-way functions, to generate “random” bit string A uses one-way functions, to generate “random” bit string b from definitions of that new problems, which was b from definitions of that new problems, which was published (it’ll be like B’s random tape).published (it’ll be like B’s random tape).
If bIf bii=0 then A proves isomorphism of initial and i-th new =0 then A proves isomorphism of initial and i-th new problem, otherwise she opens solution of i-th new problem, otherwise she opens solution of i-th new problem. Then A publish this information.problem. Then A publish this information.
Anyone can verify this proof without interaction.Anyone can verify this proof without interaction.
4242
AgendaAgenda IntroductionIntroduction
Theory:Theory:• Interactive Proof Systems, Interactive ProtocolInteractive Proof Systems, Interactive Protocol• Zero-Knowledge, QNR example Zero-Knowledge, QNR example • Indistinguishability of Random Variables Indistinguishability of Random Variables • Approximability of Random VariablesApproximability of Random Variables• Zero-KnowledgeZero-Knowledge• Known Facts and Open ProblemsKnown Facts and Open Problems
Examples:Examples:• GIGI• GNIGNI• QNRQNR
Related papersRelated papers
ExercisesExercises
4343
Related papersRelated papers S. Goldwasser, S. Micali, C. Rackoff. “The knowledge S. Goldwasser, S. Micali, C. Rackoff. “The knowledge
complexity of interactive proof systems”, 1989 (1986).complexity of interactive proof systems”, 1989 (1986).
U. Fiege, A. Fiat, A. Shamir. “Zero-Knowledge Proofs of U. Fiege, A. Fiat, A. Shamir. “Zero-Knowledge Proofs of Identity”, 1988.Identity”, 1988.
B. Schneier. “Applied Cryptography”, 1996.B. Schneier. “Applied Cryptography”, 1996.
O. Goldreich. “Foundation of Cryptography”, 2001.O. Goldreich. “Foundation of Cryptography”, 2001.
4646
AgendaAgenda IntroductionIntroduction
Theory:Theory:• Interactive Proof Systems, Interactive ProtocolInteractive Proof Systems, Interactive Protocol• Zero-Knowledge, QNR example Zero-Knowledge, QNR example • Indistinguishability of Random Variables Indistinguishability of Random Variables • Approximability of Random VariablesApproximability of Random Variables• Zero-KnowledgeZero-Knowledge• Known Facts and Open ProblemsKnown Facts and Open Problems
Examples:Examples:• GIGI• GNIGNI• QNRQNR
Related papersRelated papers
ExercisesExercises
4747
ExercisesExercises
ZK proof for G3C by using a ZK proof for G3C by using a phone/email (you can’t see, what phone/email (you can’t see, what your opponent do, so you can’t your opponent do, so you can’t believe in something sometimes).believe in something sometimes).
4848
AgendaAgenda IntroductionIntroduction
Theory:Theory:• Interactive Proof Systems, Interactive ProtocolInteractive Proof Systems, Interactive Protocol• Zero-Knowledge, QNR example Zero-Knowledge, QNR example • Indistinguishability of Random Variables Indistinguishability of Random Variables • Approximability of Random VariablesApproximability of Random Variables• Zero-KnowledgeZero-Knowledge• Known Facts and Open ProblemsKnown Facts and Open Problems
Examples:Examples:• GIGI• GNIGNI• QNRQNR
Related papersRelated papers
ExercisesExercises
top related