MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture - - PowerPoint PPT Presentation

MIT 6.875 & Berkeley CS276

Lecture 16 Foundations of Cryptography

Today: Non-Interactive Zero-Knowledge (NIZK) In Two Days: An Application of NIZK

NP Proofs

Proof = For the NP-complete problem of graph 3-coloring Prover P has a witness, the 3-coloring of G Verifier V checks: (a) only 3 colors are used & (b) any two vertices connected by an edge are colored differently.

Zero-Knowledge (Interactive) Proof

Commitments 𝑓 ← 𝐹 Because NP proofs reveal too much

Zero-Knowledge (Interactive) Proof

Because NP proofs reveal too much

• 1. Completeness: For every 𝐻 ∈ 3COL, V accepts P’s proof.
• 2. Soundness: For every 𝐻 ∉ 3COL and any cheating 𝑄∗, V

rejects 𝑄∗’s proof with probability ≥ 1 − neg(𝑜)

• 3. Zero Knowledge: For every cheating 𝑊∗, there is a PPT simulator

S such that for every G ∈ 3COL, S simulates the view of 𝑊∗.

TODAY: Can we make proofs non-interactive again?

Why? 1. V does not need to be online during the proof process. 2. Proofs are not ephemeral, can stay into the future.

TODAY: Can we make proofs non-interactive again?

NO!

YES, WE CAN!

Non-Interactive ZK is Impossible 𝜌

Suppose there were an NIZK proof system for 3COL.

Graph G Graph G

Step 1. When G is in 3COL, V accepts the proof 𝜌. (Completeness)

Non-Interactive ZK is Impossible

! 𝜌

Suppose there were an NIZK proof system for 3COL.

Graph G Graph G

Step 2. PPT Simulator S, given only G in 3COL, produces an indistinguishable proof " 𝜌 (Zero Knowledge). In particular, V accepts # 𝝆.

Non-Interactive ZK is Impossible " 𝜌

Suppose there were an NIZK proof system for 3COL.

Graph G Graph G

Step 3. Imagine running the Simulator S on a 𝐻 ∉ 3COL. It produces a proof " 𝜌 which the verifier still accepts! (WHY?! Because S and V are PPT. They together cannot tell if the input graph is 3COL or not)

Non-Interactive ZK is Impossible 𝜌

Suppose there were an NIZK proof system for 3COL.

Graph G Graph G

Step 4. Therefore, S is a cheating prover! Produces a proof for a 𝐻 ∉ 3COL that the verifier nevertheless accepts. Ergo, the proof system is NOT SOUND!

THE END Or, is it?

Enter: The Common Random String 𝜌

Graph G Graph G

010111000101010010 CRS

Enter: The Common Reference String 𝜌

Graph G Graph G

𝐷𝑆𝑇 ← 𝐸

(e.g., CRS = product of two primes)

NIZK in the CRS Model 𝜌

Graph G Graph G

010111000101010010 CRS

• 1. Completeness: For every 𝐻 ∈ 3COL, V accepts P’s proof.
• 2. Soundness: For every 𝐻 ∉ 3COL and any “proof” 𝜌∗,

𝑊(𝐷𝑆𝑇, 𝜌∗) accepts with probability ≤ neg(𝑜)

NIZK in the CRS Model 𝜌

Graph G Graph G

010111000101010010 CRS

• 3. Zero Knowledge: There is a PPT simulator S such that for

every G ∈ 3COL, S simulates the view of the verifier V. 𝑇(𝐻) ≈ (𝐷𝑆𝑇 ← 𝐸, 𝜌 ← 𝑄(𝐻, 𝑑𝑝𝑚𝑝𝑠𝑡))

NIZK in the CRS Model 𝜌

Graph G Graph G

010111000101010010 CRS

• 3. Zero Knowledge: There is a PPT simulator S such that for every

𝑦 ∈ L and witness 𝑥, S simulates the view of the verifier V. 𝑇(𝑦) ≈ (𝐷𝑆𝑇 ← 𝐸, 𝜌 ← 𝑄(𝑦, 𝑥))

HOW TO CONSTRUCT NIZK IN THE CRS MODEL

• 1. Blum-Feldman-Micali’88 (quadratic residuosity)
• 2. Feige-Lapidot-Shamir’90 (factoring)
• 3. Groth-Ostrovsky-Sahai’06 (bilinear maps)
• 4. Canetti-Chen-Holmgren-Lombardi-Rothblum!-Wichs’19

and Peikert-Shiehian’19 (learning with errors)

• 1. Blum-Feldman-Micali’88 (quadratic residuosity)

HOW TO CONSTRUCT NIZK IN THE CRS MODEL

Step 1. Review our number theory hammers & polish them. Step 2. Construct NIZK for a special NP language, namely quadratic non-residuosity. Step 3. Bootstrap to NIZK for 3SAT, an NP-complete language.

Quadratic Residuosity

Let 𝑂 = 𝑞𝑟 be a product of two large primes. 𝐾𝑏𝑑"# 𝐾𝑏𝑑$# 𝑎%

∗

{𝑦: 𝑦 𝑂 = −1} {𝑦: 𝑦 𝑂 = +1}

Quadratic Residuosity

Let 𝑂 = 𝑞𝑟 be a product of two large primes. 𝐾𝑏𝑑"# 𝐾𝑏𝑑$# 𝑎%

∗

{𝑦: 𝑦 𝑂 = −1} {𝑦: 𝑦 𝑂 = +1}

𝑲𝒃𝒅 divides 𝒂𝑶

∗ evenly unless N is a perfect square.

Quadratic Residuosity

Let 𝑂 = 𝑞𝑟 be a product of two large primes. 𝐾𝑏𝑑"# 𝐾𝑏𝑑$# 𝑎%

∗

{𝑦: 𝑦 𝑂 = −1} {𝑦: 𝑦 𝑂 = +1}

Surprising fact: Jacobi symbol (

% = ( ) ( * is

computable in poly time without knowing 𝒒 and 𝒓.

Quadratic Residuosity

Let 𝑂 = 𝑞𝑟 be a product of two large primes. 𝐾𝑏𝑑$# 𝑅𝑆% is the set of squares mod 𝑂 and 𝑅𝑂𝑆% is the set

• f non-squares mod 𝑂 with Jacobi symbol +1.

𝑅𝑆% 𝑅𝑂𝑆%

So: 𝑅𝑆! = {𝑦:

" # = " $ = +1}

𝑅𝑂𝑆! = {𝑦:

" # = " $ = −1}

Quadratic Residuosity

𝐾𝑏𝑑$# 𝑅𝑆% is the set of squares mod 𝑂 and 𝑅𝑂𝑆% is the set

• f non-squares mod 𝑂 with Jacobi symbol +1.

𝑅𝑆% 𝑅𝑂𝑆% Exactly half residues even if 𝑶 = 𝒒𝒋𝒓𝒌, 𝒋, 𝒌 ≥ 𝟐, 𝐨𝐩𝐮 𝐜𝐩𝐮𝐢 𝐟𝐰𝐟𝐨.

Quadratic Residuosity

𝐾𝑏𝑑$# IMPORTANT PROPERTY: If 𝑧# and 𝑧! are both in 𝑅𝑶𝑆, then their product 𝑧#𝑧! is in 𝑅𝑆. 𝑅𝑆% 𝑅𝑂𝑆% Exactly half residues even if 𝑂 = 𝑞8𝑟9, 𝑗, 𝑘 ≥ 1, not both even.

Quadratic Residuosity

𝐾𝑏𝑑$# 𝑅𝑆% 𝑅𝑂𝑆% The fraction of residues smaller if 𝑶 has three or more prime factors! IMPORTANT PROPERTY: If 𝑧# and 𝑧! are both in 𝑅𝑶𝑆, then their product 𝑧#𝑧! is in 𝑅𝑆.

Quadratic Residuosity

Let 𝑂 = 𝑞𝑟 be a product of two large primes. Quadratic Residuosity Assumption (QRA) No PPT algorithm can distinguish between a random element of 𝑅𝑆% from a random element of 𝑅𝑂𝑆% given only 𝑂.

HOW TO CONSTRUCT NIZK IN THE CRS MODEL

Step 1. Review our number theory hammers & polish them. Step 2. Construct NIZK for a special NP language, namely quadratic non-residuosity. Step 3. Bootstrap to NIZK for 3SAT, an NP-complete language.

NIZK for Quadratic Non-Residuosity

Define the NP language 𝐻𝑃𝑃𝐸 with instances (𝑶, 𝒛) where

• 𝑂 is good: has exactly two prime factors and is not a

perfect square; and

• 𝑧 ∈ 𝑅𝑂𝑆% (that is, 𝑧 has Jacobi symbol +1

but is not a square mod 𝑂) 𝐾𝑏𝑑"# 𝐾𝑏𝑑$# 𝑎%

∗

𝑅𝑆% 𝑅𝑂𝑆%

NIZK for Quadratic Non-Residuosity

𝐷𝑆𝑇 = (𝑠

#, 𝑠 !, … , 𝑠 :) ← (𝐾𝑏𝑑% $#):

(𝑂, 𝑧) (𝑂, 𝑧) If 𝑶 is good and 𝒛 ∈ 𝑹𝑶𝑺𝑶: either 𝒔𝒋 is in 𝑹𝑺𝑶 or 𝒛𝒔𝒋 is in 𝑹𝑺𝑶 so I can compute 𝒔𝒋 or 𝒛𝒔𝒋. If not … I’ll be stuck!

NIZK for Quadratic Non-Residuosity

𝐷𝑆𝑇 = (𝑠

#, 𝑠 !, … , 𝑠 :) ← (𝐾𝑏𝑑% $#):

(𝑂, 𝑧) (𝑂, 𝑧) ∀𝑗: 𝑠

8 OR 𝑧𝑠"

Check:

• 𝑂 is not a prime power,
• 𝑂 is not a perfect square; and
• I received either a mod-N

square root of 𝑠

8 or 𝑧𝑠 8

NIZK for Quadratic Non-Residuosity

𝐷𝑆𝑇 = (𝑠

#, 𝑠 !, … , 𝑠 :) ← (𝐾𝑏𝑑% $#):

(𝑂, 𝑧) (𝑂, 𝑧) ∀𝑗: 𝑠

8 OR 𝑧𝑠"

Soundness (what if 𝑂 has more than 2 prime factors) No matter what 𝑧 is, for half the 𝑠

8, both 𝑠 8 and 𝑧𝑠 8 are

not quadratic residues.

NIZK for Quadratic Non-Residuosity

𝐷𝑆𝑇 = (𝑠

#, 𝑠 !, … , 𝑠 :) ← (𝐾𝑏𝑑% $#):

(𝑂, 𝑧) (𝑂, 𝑧) ∀𝑗: 𝑠

8 OR 𝑧𝑠"

Soundness (what if 𝑂 has more than 2 prime factors) No matter what 𝑧 is, for half the 𝑠

8, both 𝑠 8 and 𝑧𝑠 8 are

not quadratic residues.

NIZK for Quadratic Non-Residuosity

𝐷𝑆𝑇 = (𝑠

#, 𝑠 !, … , 𝑠 :) ← (𝐾𝑏𝑑% $#):

(𝑂, 𝑧) (𝑂, 𝑧) ∀𝑗: 𝑠

8 OR 𝑧𝑠"

Soundness (what if 𝑧 is a residue) Then, if 𝑠

8 happens to be a non-residue, both 𝑠 8 and 𝑧𝑠 8

are not quadratic residues.

NIZK for Quadratic Non-Residuosity

𝐷𝑆𝑇 = (𝑠

#, 𝑠 !, … , 𝑠 :) ← (𝐾𝑏𝑑% $#):

(𝑂, 𝑧) (𝑂, 𝑧) ∀𝑗: 𝜌8 = 𝑠

8 OR 𝑧𝑠"

(Perfect) Zero Knowledge Simulator S: First pick the proof 𝜌8 to be random in 𝑎%

∗ .

Then, reverse-engineer the CRS, letting 𝑠

8 = 𝜌8 ! or 𝑠 8 =

𝜌8

!/𝑧 randomly.

NIZK for Quadratic Non-Residuosity

𝐷𝑆𝑇 = (𝑠

#, 𝑠 !, … , 𝑠 :) ← (𝐾𝑏𝑑% $#):

(𝑂, 𝑧) (𝑂, 𝑧) CRS depends on the instance N. Not good. Soln: Let CRS be random numbers. Interpret them as elements of 𝑎%

∗ and both

the prover and verifier filter out 𝐾𝑏𝑑%

"#.

NEXT LECTURE

Step 1. Review our number theory hammers & polish them. Step 2. Construct NIZK for a special NP language, namely quadratic non-residuosity. Step 3. Bootstrap to NIZK for 3SAT, an NP-complete language.