MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture - PowerPoint PPT Presentation

MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 16

Today: Non-Interactive Zero-Knowledge (NIZK) In Two Days: An Application of NIZK

NP Proofs For the NP-complete problem of graph 3-coloring Proof = Verifier V checks: (a) only 3 colors are used & Prover P has a witness, (b) any two vertices the 3-coloring of G connected by an edge are colored differently.

Zero-Knowledge (Interactive) Proof Because NP proofs reveal too much Commitments 𝑓 ← 𝐹

Zero-Knowledge (Interactive) Proof Because NP proofs reveal too much 1. Completeness: For every 𝐻 ∈ 3COL, V accepts P’s proof. 2. Soundness: For every 𝐻 ∉ 3COL and any cheating 𝑄 ∗ , V rejects 𝑄 ∗ ’s proof with probability ≥ 1 − neg(𝑜) 3. Zero Knowledge: For every cheating 𝑊 ∗ , there is a PPT simulator S such that for every G ∈ 3COL, S simulates the view of 𝑊 ∗ .

TODAY: Can we make proofs non-interactive again? Why? 1. V does not need to be online during the proof process. 2. Proofs are not ephemeral, can stay into the future.

TODAY: Can we make proofs non-interactive again? NO! YES, WE CAN!

Non-Interactive ZK is Impossible Suppose there were an NIZK proof system for 3COL. Graph G Graph G 𝜌 Step 1. When G is in 3COL, V accepts the proof 𝜌 . (Completeness)

Non-Interactive ZK is Impossible Suppose there were an NIZK proof system for 3COL. Graph G Graph G 𝜌 ! Step 2. PPT Simulator S, given only G in 3COL , produces an indistinguishable proof " 𝜌 (Zero Knowledge). In particular, V accepts # 𝝆 .

Non-Interactive ZK is Impossible Suppose there were an NIZK proof system for 3COL. Graph G Graph G 𝜌 " Step 3. Imagine running the Simulator S on a 𝐻 ∉ 3COL. It produces a proof " 𝜌 which the verifier still accepts! (WHY?! Because S and V are PPT. They together cannot tell if the input graph is 3COL or not)

Non-Interactive ZK is Impossible Suppose there were an NIZK proof system for 3COL. Graph G Graph G 𝜌 Step 4. Therefore, S is a cheating prover! Produces a proof for a 𝐻 ∉ 3COL that the verifier nevertheless accepts. Ergo, the proof system is NOT SOUND!

THE END Or, is it?

Enter: The Common Random String CRS 010111000101010010 Graph G Graph G 𝜌

Enter: The Common Reference String 𝐷𝑆𝑇 ← 𝐸 (e.g., CRS = product of two primes) Graph G Graph G 𝜌

NIZK in the CRS Model CRS 010111000101010010 Graph G Graph G 𝜌 1. Completeness: For every 𝐻 ∈ 3COL, V accepts P’s proof. 2. Soundness: For every 𝐻 ∉ 3COL and any “proof” 𝜌 ∗ , 𝑊(𝐷𝑆𝑇, 𝜌 ∗ ) accepts with probability ≤ neg(𝑜)

NIZK in the CRS Model CRS 010111000101010010 Graph G Graph G 𝜌 3. Zero Knowledge: There is a PPT simulator S such that for every G ∈ 3COL, S simulates the view of the verifier V. 𝑇(𝐻) ≈ (𝐷𝑆𝑇 ← 𝐸, 𝜌 ← 𝑄(𝐻, 𝑑𝑝𝑚𝑝𝑠𝑡))

NIZK in the CRS Model CRS 010111000101010010 Graph G Graph G 𝜌 3. Zero Knowledge: There is a PPT simulator S such that for every 𝑦 ∈ L and witness 𝑥 , S simulates the view of the verifier V. 𝑇(𝑦) ≈ (𝐷𝑆𝑇 ← 𝐸, 𝜌 ← 𝑄(𝑦, 𝑥))

HOW TO CONSTRUCT NIZK IN THE CRS MODEL 1. Blum-Feldman-Micali’88 (quadratic residuosity) 1. Blum-Feldman-Micali’88 (quadratic residuosity) 2. Feige-Lapidot-Shamir’90 (factoring) 3. Groth-Ostrovsky-Sahai’06 (bilinear maps) 4. Canetti-Chen-Holmgren-Lombardi-Rothblu m ! -Wichs’19 and Peikert-Shiehian’19 (learning with errors)

HOW TO CONSTRUCT NIZK IN THE CRS MODEL Step 1. Review our number theory hammers & polish them. Step 2. Construct NIZK for a special NP language, namely quadratic non -residuosity. Step 3. Bootstrap to NIZK for 3SAT, an NP-complete language.

Quadratic Residuosity Let 𝑂 = 𝑞𝑟 be a product of two large primes. ∗ 𝑎 % 𝐾𝑏𝑑 $# 𝐾𝑏𝑑 "# {𝑦: 𝑦 {𝑦: 𝑦 𝑂 = +1} 𝑂 = −1}

Quadratic Residuosity Let 𝑂 = 𝑞𝑟 be a product of two large primes. ∗ 𝑎 % 𝐾𝑏𝑑 $# 𝐾𝑏𝑑 "# {𝑦: 𝑦 {𝑦: 𝑦 𝑂 = +1} 𝑂 = −1} ∗ evenly unless N is a perfect square. 𝑲𝒃𝒅 divides 𝒂 𝑶

Quadratic Residuosity Let 𝑂 = 𝑞𝑟 be a product of two large primes. ∗ 𝑎 % 𝐾𝑏𝑑 $# 𝐾𝑏𝑑 "# {𝑦: 𝑦 {𝑦: 𝑦 𝑂 = +1} 𝑂 = −1} Surprising fact : Jacobi symbol ( % = ( ( * is ) computable in poly time without knowing 𝒒 and 𝒓 .

Quadratic Residuosity Let 𝑂 = 𝑞𝑟 be a product of two large primes. 𝐾𝑏𝑑 $# " " 𝑅𝑆 % So: 𝑅𝑆 ! = {𝑦: # = $ = +1} 𝑅𝑂𝑆 % " " 𝑅𝑂𝑆 ! = {𝑦: # = $ = −1} 𝑅𝑆 % is the set of squares mod 𝑂 and 𝑅𝑂𝑆 % is the set of non-squares mod 𝑂 with Jacobi symbol +1.

Quadratic Residuosity Exactly half residues even if 𝑶 = 𝒒 𝒋 𝒓 𝒌 , 𝒋, 𝒌 ≥ 𝟐, 𝐨𝐩𝐮 𝐜𝐩𝐮𝐢 𝐟𝐰𝐟𝐨. 𝐾𝑏𝑑 $# 𝑅𝑆 % 𝑅𝑂𝑆 % 𝑅𝑆 % is the set of squares mod 𝑂 and 𝑅𝑂𝑆 % is the set of non-squares mod 𝑂 with Jacobi symbol +1.

Quadratic Residuosity Exactly half residues even if 𝑂 = 𝑞 8 𝑟 9 , 𝑗, 𝑘 ≥ 1, not both even. 𝐾𝑏𝑑 $# 𝑅𝑆 % 𝑅𝑂𝑆 % IMPORTANT PROPERTY : If 𝑧 # and 𝑧 ! are both in 𝑅𝑶𝑆 , then their product 𝑧 # 𝑧 ! is in 𝑅𝑆 .

Quadratic Residuosity The fraction of residues smaller if 𝑶 has three or more prime factors! 𝐾𝑏𝑑 $# 𝑅𝑆 % 𝑅𝑂𝑆 % IMPORTANT PROPERTY : If 𝑧 # and 𝑧 ! are both in 𝑅𝑶𝑆 , then their product 𝑧 # 𝑧 ! is in 𝑅𝑆 .

Quadratic Residuosity Let 𝑂 = 𝑞𝑟 be a product of two large primes. Quadratic Residuosity Assumption (QRA) No PPT algorithm can distinguish between a random element of 𝑅𝑆 % from a random element of 𝑅𝑂𝑆 % given only 𝑂 .

HOW TO CONSTRUCT NIZK IN THE CRS MODEL Step 1. Review our number theory hammers & polish them. Step 2. Construct NIZK for a special NP language, namely quadratic non -residuosity. Step 3. Bootstrap to NIZK for 3SAT, an NP-complete language.

NIZK for Quadratic Non-Residuosity Define the NP language 𝐻𝑃𝑃𝐸 with instances (𝑶, 𝒛) where 𝑂 is good: has exactly two prime factors and is not a • perfect square; and 𝑧 ∈ 𝑅𝑂𝑆 % (that is, 𝑧 has Jacobi symbol +1 • but is not a square mod 𝑂 ) ∗ 𝑎 % 𝑅𝑆 % 𝐾𝑏𝑑 $# 𝐾𝑏𝑑 "# 𝑅𝑂𝑆 %

NIZK for Quadratic Non-Residuosity $# ) : 𝐷𝑆𝑇 = (𝑠 # , 𝑠 ! , … , 𝑠 : ) ← (𝐾𝑏𝑑 % (𝑂, 𝑧) (𝑂, 𝑧) If 𝑶 is good and 𝒛 ∈ 𝑹𝑶𝑺 𝑶 : either 𝒔 𝒋 is in 𝑹𝑺 𝑶 or 𝒛𝒔 𝒋 is in 𝑹𝑺 𝑶 so I can compute 𝒔 𝒋 or 𝒛𝒔 𝒋 . If not … I’ll be stuck!

NIZK for Quadratic Non-Residuosity $# ) : 𝐷𝑆𝑇 = (𝑠 # , 𝑠 ! , … , 𝑠 : ) ← (𝐾𝑏𝑑 % (𝑂, 𝑧) (𝑂, 𝑧) ∀𝑗: 𝑠 8 OR 𝑧𝑠 " Check: 𝑂 is not a prime power, • 𝑂 is not a perfect square; and • I received either a mod-N • square root of 𝑠 8 or 𝑧𝑠 8

NIZK for Quadratic Non-Residuosity $# ) : 𝐷𝑆𝑇 = (𝑠 # , 𝑠 ! , … , 𝑠 : ) ← (𝐾𝑏𝑑 % (𝑂, 𝑧) (𝑂, 𝑧) ∀𝑗: 𝑠 8 OR 𝑧𝑠 " Soundness (what if 𝑂 has more than 2 prime factors) No matter what 𝑧 is, for half the 𝑠 8 , both 𝑠 8 and 𝑧𝑠 8 are not quadratic residues.

NIZK for Quadratic Non-Residuosity $# ) : 𝐷𝑆𝑇 = (𝑠 # , 𝑠 ! , … , 𝑠 : ) ← (𝐾𝑏𝑑 % (𝑂, 𝑧) (𝑂, 𝑧) ∀𝑗: 𝑠 8 OR 𝑧𝑠 " Soundness (what if 𝑂 has more than 2 prime factors) No matter what 𝑧 is, for half the 𝑠 8 , both 𝑠 8 and 𝑧𝑠 8 are not quadratic residues.

NIZK for Quadratic Non-Residuosity $# ) : 𝐷𝑆𝑇 = (𝑠 # , 𝑠 ! , … , 𝑠 : ) ← (𝐾𝑏𝑑 % (𝑂, 𝑧) (𝑂, 𝑧) ∀𝑗: 𝑠 8 OR 𝑧𝑠 " Soundness (what if 𝑧 is a residue) Then, if 𝑠 8 happens to be a non-residue, both 𝑠 8 and 𝑧𝑠 8 are not quadratic residues.

NIZK for Quadratic Non-Residuosity $# ) : 𝐷𝑆𝑇 = (𝑠 # , 𝑠 ! , … , 𝑠 : ) ← (𝐾𝑏𝑑 % (𝑂, 𝑧) (𝑂, 𝑧) ∀𝑗: 𝜌 8 = 𝑠 8 OR 𝑧𝑠 " (Perfect) Zero Knowledge Simulator S: ∗ . First pick the proof 𝜌 8 to be random in 𝑎 % ! or 𝑠 Then, reverse-engineer the CRS, letting 𝑠 8 = 𝜌 8 8 = ! /𝑧 randomly. 𝜌 8

NIZK for Quadratic Non-Residuosity $# ) : 𝐷𝑆𝑇 = (𝑠 # , 𝑠 ! , … , 𝑠 : ) ← (𝐾𝑏𝑑 % (𝑂, 𝑧) (𝑂, 𝑧) CRS depends on the instance N. Not good. Soln: Let CRS be random numbers. ∗ and both Interpret them as elements of 𝑎 % "# . the prover and verifier filter out 𝐾𝑏𝑑 %

NEXT LECTURE Step 1. Review our number theory hammers & polish them. Step 2. Construct NIZK for a special NP language, namely quadratic non -residuosity. Step 3. Bootstrap to NIZK for 3SAT, an NP-complete language.