References Zero Knowledge Proofs on Wikipedia, Zero Knowledge - PowerPoint PPT Presentation

References Zero Knowledge Proofs on Wikipedia, Zero Knowledge https://en.wikipedia.org/wiki/Zero-knowledge_proof Protocols Zero Knowledge Proofs: An Illustrated Primer by M. Green. Part I: https://blog.cryptographyengineering.com/2014/11/27/ Jim Royer zero-knowledge-proofs-illustrated-primer/ Part II: https://blog.cryptographyengineering.com/2017/01/21/ Introduction to Cryptography zero-knowledge-proofs-an-illustrated-primer-part-2/ A Gentle Introduction to Zero-Knowledge Proofs with Applications to Cryptography by November 6, 2018 A. Mohr http://www.austinmohr.com/work/files/zkp.pdf 1 / 1 2 / 1 Zero Knowledge Proofs, the Parties Zero Knowledge Proofs, the Framework Challenge–Response Protocol Interactive Proof Systems ≡ Pat — very smart, not to be trusted Prover Start ≡ Vanna — average smart, has a fair coin Verifier Pat claims x is a yes-instance. Pat’s Goals Completeness Wants to prove to Vanna that he knows a solution to an If x is a yes-instance, then Vanna will always accept Pat’s proof. instance of some yes/no problem. (He may be lying.) But he does not want to give the solution away. Soundness Vanna’s Goals � � If x is a no-instance, then Prob Vanna accepts is small. If Pat is truthful, she wants to be convinced. If Pat is lying, she wants to catch him (with high probability). Zero Knowledge Not yet. 3 / 1 4 / 1

Example: The Cave of Ali Baba, Setup Example: The Cave of Ali Baba, Protocol P and V agree to the following protocol (which is repeated n -times): Pat and Vanna. Pat wants to convince Vanna The Cave. There is a cave that splits into two that he knows the magic word. But Pat 3. Pat exits the passage that Vanna called passages (A and B) that meet again on either 1. Pat enters the cave, chooses A or B, and doesn’t want Vanna to learn the word (at least, out (using the magic word if he needs to side of a magic door that opens if you speak takes that passage to the magic door. not for free). switch passages). the magic word. 2. Vanna enters the cave, walks to the A/B 4. Vanna verifies that Pat exits the correct split, and calls out a passage (A or B). passage. 5 / 1 6 / 1 Example: The Cave of Ali Baba, Analysis Recall: Zero Knowledge Proofs Challenge–Response Protocol Pat (the prover) very smart, not-trusted Start Vanna (the verifier) Pat claims x is a yes-instance. average smart, has a fair coin Completeness Pat’s Goals If x really is a yes-instance, Wants to prove to Vanna that he knows a then Vanna will accept Pat’s proof. solution to an instance of some yes/no problem without giving away the secret. (He Soundness (Continued) Soundness (Concluded) may be lying.) Soundness Completeness • To meet a challenge, Pat • Prob[Pat meets a challenge] • If Pat knows the magic If x really is a no-instance, = 1 needs to guess Vanna’s 2 . Vanna’s Goals word, he can always meet then Prob [ Vanna accepts ] is small. choice. Vanna’s challenge. If Pat is truthful, she wants to be convinced. • Prob[Pat meets n Soundness • Suppose Vanna flips a fair If Pat is lying, she wants to catch him (with Zero Knowledge challenges] = 1 2 n . • Suppose Pat doesn’t know coin to choose. high probability). Not yet. the magic word. 7 / 1 8 / 1

Example: Graph Nonisomorphism Aside: The Complexity of Graph Isomorphism Problem: Graph Isomorphism Given: G 1 = ( V 1 , E 1 ) and G 2 = ( V 2 , E 2 ) where V 1 = V 2 = { 1, . . . , n } for some n . ∼ 1-1, onto = Question: ∃ π : V 1 − − − − → V 2 ∋{ u , v } ∈ E 1 ⇐ ⇒ { π ( u ) , π ( v ) } ∈ E 2 Problem: Graph nonisomorphism Given: G 1 = ( V 1 , E 1 ) and G 2 = ( V 2 , E 2 ) as above. 1-1, onto Question: �∃ π : V 1 − − − − → V 2 as above. Theorem 1 (Babai 2017). ❦ ❦ ❦ ❦ ❦ ❦ 4 3 4 3 3 2 � Graph Isomorphism is solvable in quasipolynomial time, i.e., time-O ( 2 ( log 2 s ) k ) for some k > 0 , � ❦ ❦ ❦ ❦ ❦ ❦ 1 2 1 2 4 1 where s is the size of the graphs. G 1 G 2 G 3 See https://www.quantamagazine.org/graph-isomorphism-vanquished-again-20170114/ 9 / 1 10 / 1 A Protocol for Graph Nonisomorphism Perfect Zero Knowledge Proofs: Back to the Cave • Same setup as IP, but Pat wants proofs to reveal nothing about the secret. Pat claims G 1 �∼ Input G 1 , G 2 = G 2 Repeat n times ran ∈ { 1, 2 } and Vanna Flips her coin to determine: (i) i (ii) π , a random permutation of { 1, . . . , n } . Private Computes H = π ( G i ) and sends H to Pat. (* The challenge *) Pat Determines a j ∈ { 1, 2 } with G j isomorphic to H . Sends j to Vanna. Checks whether i = j . If i � = j , REJECTS . Vanna End repeat Vanna ACCEPTS Q: Can an observer tell the Completeness Soundness A Faked Protocol Run difference between If Pat is lying (so G 1 ∼ Vanna does her coin flips = G 2 ): If Pat is truthful: Suppose an observer knows • a true protocol run vs. ahead of time and tells Pat. everything Vanna does and Prob [ Pat meets one challenge ] = 1 • a faked protocol run ? Pat can always meet Vanna’s 2 . Then Pat can meet all sees except her flips of coins . challenges. challenges without knowing Prob [ Pat meets n challenges ] = 1 If not , perfect and fake runs 2 n . the magic word. carry the same info. 11 / 1 12 / 1

Perfect Zero Knowledge Proofs Perfect Zero Knowledge Proofs Zero Knowledge Protocols • Same setup as IP, except Pat wants proofs to reveal no info on the secret. A Perfect Zero-Knowledge Proof for Graph Isomorphism 2018-11-06 Zero Knowledge Proofs Input G 1 = ( { 1, . . . , n } , E 1 ) and G 2 = ( { 1, . . . , n } , E 2 ) . Pat claims G 1 ∼ // If correct, let σ : G 2 ∼ = G 2 = G 1 . So σ ( G 2 ) = G 1 . Repeat n times: Pat Chooses a random permutation π of { 1, . . . , n } . Computes H = π ( G 1 ) and sends H to Vanna. ran • Same setup as IP, except Pat wants proofs to reveal no info on the secret. ∈ { 1, 2 } and sends i to Pat. Vanna Chooses i Pat If i = 1 then Pat sets ρ ← π // So H = ρ ( G 1 ) . else Pat sets ρ ← π ◦ σ . // So H = ρ ( G 2 ) . Perfect Zero Knowledge Proofs Sends ρ to Vanna. Vanna Checks that H = ρ ( G i ) . If not, REJECT . End repeat A Perfect Zero-Knowledge Proof for Graph Isomorphism Vanna ACCEPTS Completeness, Soundness, ZK: On board Input G 1 = ( { 1, . . . , n } , E 1 ) and G 2 = ( { 1, . . . , n } , E 2 ) . Completeness: Pat claims G 1 ∼ // If correct, let σ : G 2 ∼ = G 2 = G 1 . So σ ( G 2 ) = G 1 . Thus: G 1 ∼ • Suppose Pat tells the truth. = G 2 . Repeat n times: Chooses a random permutation π of { 1, . . . , n } . Pat ∴ No matter if i = 1, 2, H = ρ ( G i ) . Computes H = π ( G 1 ) and sends H to Vanna. Soundness: ran Vanna Chooses i ∈ { 1, 2 } and sends i to Pat. Thus: G 1 �∼ • Suppose Pat lies. = G 2 . Pat If i = 1 then Pat sets ρ ← π // So H = ρ ( G 1 ) . else Pat sets ρ ← π ◦ σ . // So H = ρ ( G 2 ) . • Pat cannot predict whether i = 1 or i = 2. Sends ρ to Vanna. Vanna Checks that H = ρ ( G i ) . ∴ He has a 50% chance of being wrong (and caught!) If not, REJECT . 2 ) n → 0 fast! • ( 1 End repeat Vanna ACCEPTS Completeness, Soundness, ZK: On board ZK: . . . 13 / 1 Towards Formalizing ZKP, I Towards Formalizing ZKP, II Definition 2 (Goldwasser, Micali, and Rackoff — Cook). Transcript: T = [( G 1 , G 2 ) , ( H 1 , i 1 , ρ 1 ) , . . . , ( H n , i n , ρ n )] Suppose we have ( G 1 , G 2 ) and all messages between Pat and Vanna an interactive protocol for a problem Π , and A forgery algorithm for the Graph Isomorphism Protocol for G 1 and G 2 a polytime simulation S to produce forgeries. n ← the number of vertices of G 1 (and G 2 ) T ← [( G 1 , G 2 )] For x ∈ the yes-instances of Π , define: For j ← 1 to n do: ran True ( x ) = set of all possible legal transcript for x . Choose i j ∈ { 1, 2 } and ρ j , a random permutation of { 1, . . . , n } Compute H j = ρ j ( G i j ) and set T ← T || [( H j , i j , ρ j )] || = string concat. Forged ( x ) = set of all possible forgeries from S for x . Return T Prob True ( T , x ) = Prob [ T ∈ True ( x )] . Prob Forged ( T , x ) = Prob [ T ∈ Forged ( x )] . Informally, no one can tell a forged transcript from the real thing. The interactive protocol is said to be perfect zero knowledge for Vanna when: Formally ... ( ∀ x , T )[ True ( x ) = Forged ( x ) & Prob True ( T , x ) = Prob Forged ( T , x ) ] . 14 / 1 15 / 1