Zero-Knowledge Proofs 1 Zero-Knowledge Proofs Lecture 15 1 - - PowerPoint PPT Presentation

Zero-Knowledge Proofs

1

Zero-Knowledge Proofs

Lecture 15

1

Interactive Proofs

2

Interactive Proofs

2

Prover wants to convince verifier that x has some property

Interactive Proofs

2

Prover wants to convince verifier that x has some property

i.e. x is in language L

Interactive Proofs

2

x ∈ L Prover wants to convince verifier that x has some property

i.e. x is in language L

Interactive Proofs

2

x ∈ L Prover wants to convince verifier that x has some property

i.e. x is in language L

Interactive Proofs

Prove to me!

2

x ∈ L Prover wants to convince verifier that x has some property

i.e. x is in language L

Interactive Proofs

Prove to me!

2

x ∈ L Prover wants to convince verifier that x has some property

i.e. x is in language L

Interactive Proofs

Prove to me! OK

2

x ∈ L Prover wants to convince verifier that x has some property

i.e. x is in language L

All powerful prover, computationally bounded verifier (for now)

Interactive Proofs

Prove to me! OK

2

Interactive Proofs

3

Interactive Proofs

Completeness

3

Interactive Proofs

Completeness

If x in L, honest Prover will convince honest Verifier

3

Interactive Proofs

Completeness

If x in L, honest Prover will convince honest Verifier

Soundness

3

Interactive Proofs

Completeness

If x in L, honest Prover will convince honest Verifier

Soundness

If x not in L, honest Verifier won’t accept any purported proof

3

Interactive Proofs

Completeness

If x in L, honest Prover will convince honest Verifier

Soundness

If x not in L, honest Verifier won’t accept any purported proof

3

Interactive Proofs

Completeness

If x in L, honest Prover will convince honest Verifier

Soundness

If x not in L, honest Verifier won’t accept any purported proof

x ∈ L

3

Interactive Proofs

Completeness

If x in L, honest Prover will convince honest Verifier

Soundness

If x not in L, honest Verifier won’t accept any purported proof

x ∈ L

yeah right!

3

Interactive Proofs

Completeness

If x in L, honest Prover will convince honest Verifier

Soundness

If x not in L, honest Verifier won’t accept any purported proof

x ∈ L

yeah right!

3

Interactive Proofs

Completeness

If x in L, honest Prover will convince honest Verifier

Soundness

If x not in L, honest Verifier won’t accept any purported proof

x ∈ L

yeah right! Reject!

3

An Example

4

An Example

Coke in bottle or can

4

An Example

Coke in bottle or can

Prover claims: coke in bottle and coke in can are different

4

An Example

Coke in bottle or can

Prover claims: coke in bottle and coke in can are different

IP protocol:

4

An Example

Coke in bottle or can

Prover claims: coke in bottle and coke in can are different

IP protocol:

Pour into from can

• r bottle

4

An Example

Coke in bottle or can

Prover claims: coke in bottle and coke in can are different

IP protocol:

Pour into from can

• r bottle

4

An Example

Coke in bottle or can

Prover claims: coke in bottle and coke in can are different

IP protocol:

prover tells whether cup was filled from can or bottle

Pour into from can

• r bottle

5

An Example

Coke in bottle or can

Prover claims: coke in bottle and coke in can are different

IP protocol:

prover tells whether cup was filled from can or bottle

Pour into from can

• r bottle

can/bottle

5

An Example

Coke in bottle or can

Prover claims: coke in bottle and coke in can are different

IP protocol:

prover tells whether cup was filled from can or bottle repeat till verifier is convinced

Pour into from can

• r bottle

can/bottle

6

An Example

Graph Non-Isomorphism

Prover claims: G0 not isomorphic to G1

IP protocol:

prover tells whether G* is an isomorphism of G0 or G1 repeat till verifier is convinced

Set G* to be !(G0) or !(G1) (! random)

7

An Example

Graph Non-Isomorphism

Prover claims: G0 not isomorphic to G1

IP protocol:

prover tells whether G* is an isomorphism of G0 or G1 repeat till verifier is convinced G*

Set G* to be !(G0) or !(G1) (! random)

7

An Example

Graph Non-Isomorphism

Prover claims: G0 not isomorphic to G1

IP protocol:

prover tells whether G* is an isomorphism of G0 or G1 repeat till verifier is convinced G0/G1 G*

Set G* to be !(G0) or !(G1) (! random)

7

Prove to me!

x ∈ L

Proofs for NP languages

8

Prove to me!

x ∈ L Proving membership in an NP language L

Proofs for NP languages

8

Prove to me!

x ∈ L Proving membership in an NP language L x ∈ L iff ∃w R(x,w)=1

Proofs for NP languages

8

Prove to me!

x ∈ L Proving membership in an NP language L x ∈ L iff ∃w R(x,w)=1 IP protocol:

Proofs for NP languages

8

Prove to me!

x ∈ L Proving membership in an NP language L x ∈ L iff ∃w R(x,w)=1 IP protocol:

prover sends w (non-interactive)

Proofs for NP languages

w

w

8

Prove to me!

x ∈ L Proving membership in an NP language L x ∈ L iff ∃w R(x,w)=1 IP protocol:

prover sends w (non-interactive)

Proofs for NP languages

w

R(x,w)=1? w

8

Prove to me!

x ∈ L Proving membership in an NP language L x ∈ L iff ∃w R(x,w)=1 IP protocol:

prover sends w (non-interactive)

Proofs for NP languages

w

R(x,w)=1? OK w

8

Prove to me!

Proving membership in an NP language L x ∈ L iff ∃w R(x,w)=1 IP protocol:

prover sends w (non-interactive)

What if prover doesn’t want to reveal w?

Proofs for NP languages

x ∈ L w

R(x,w)=1? OK w

9

Zero-Knowledge Proofs

10

Zero-Knowledge Proofs

Verifier should not gain any knowledge from the honest prover

10

Zero-Knowledge Proofs

Verifier should not gain any knowledge from the honest prover

except whether x is in L

10

Zero-Knowledge Proofs

Verifier should not gain any knowledge from the honest prover

except whether x is in L

10

x ∈ L

Zero-Knowledge Proofs

Verifier should not gain any knowledge from the honest prover

except whether x is in L

10

x ∈ L

Prove to me!

Zero-Knowledge Proofs

Verifier should not gain any knowledge from the honest prover

except whether x is in L

10

x ∈ L

Prove to me!

Zero-Knowledge Proofs

Verifier should not gain any knowledge from the honest prover

except whether x is in L

w

10

x ∈ L

Prove to me!

Zero-Knowledge Proofs

Verifier should not gain any knowledge from the honest prover

except whether x is in L

w

10

x ∈ L

Prove to me!

Zero-Knowledge Proofs

Verifier should not gain any knowledge from the honest prover

except whether x is in L

wonder what f(w) is... w

10

x ∈ L

Prove to me!

Zero-Knowledge Proofs

Verifier should not gain any knowledge from the honest prover

except whether x is in L

How to formalize this?

wonder what f(w) is... w

10

x ∈ L

Prove to me!

Zero-Knowledge Proofs

Verifier should not gain any knowledge from the honest prover

except whether x is in L

How to formalize this?

Simulation!

wonder what f(w) is... w

10

An Example

11

An Example

Graph Isomorphism

11

An Example

Graph Isomorphism

(G0,G1) in L iff there exists an isomorphism σ such that σ(G0)=G1

11

An Example

Graph Isomorphism

(G0,G1) in L iff there exists an isomorphism σ such that σ(G0)=G1

IP protocol: send σ

11

An Example

Graph Isomorphism

(G0,G1) in L iff there exists an isomorphism σ such that σ(G0)=G1

IP protocol: send σ ZK protocol?

11

G* := !(G1) (random !)

An Example

Graph Isomorphism

(G0,G1) in L iff there exists an isomorphism σ such that σ(G0)=G1

IP protocol: send σ ZK protocol?

11

G* := !(G1) (random !)

An Example

Graph Isomorphism

(G0,G1) in L iff there exists an isomorphism σ such that σ(G0)=G1

IP protocol: send σ ZK protocol?

G*

11

G* := !(G1) (random !)

An Example

Graph Isomorphism

(G0,G1) in L iff there exists an isomorphism σ such that σ(G0)=G1

IP protocol: send σ ZK protocol?

G*

random bit b

11

G* := !(G1) (random !)

An Example

Graph Isomorphism

(G0,G1) in L iff there exists an isomorphism σ such that σ(G0)=G1

IP protocol: send σ ZK protocol?

G*

random bit b

b

11

G* := !(G1) (random !)

An Example

Graph Isomorphism

(G0,G1) in L iff there exists an isomorphism σ such that σ(G0)=G1

IP protocol: send σ ZK protocol?

G*

random bit b

b

if b=1, !* := ! if b=0, !* := !oσ

11

G* := !(G1) (random !)

An Example

Graph Isomorphism

(G0,G1) in L iff there exists an isomorphism σ such that σ(G0)=G1

IP protocol: send σ ZK protocol?

G*

random bit b

b

if b=1, !* := ! if b=0, !* := !oσ

!*

11

G* := !(G1) (random !)

An Example

Graph Isomorphism

(G0,G1) in L iff there exists an isomorphism σ such that σ(G0)=G1

IP protocol: send σ ZK protocol?

G*

random bit b

b

if b=1, !* := ! if b=0, !* := !oσ G*=!*(Gb)?

!*

11

G* := !(G1) (random !)

An Example

G*

random bit b

b

if b=1, !* := ! if b=0, !* := !oσ G*=!*(Gb)?

!*

12

G* := !(G1) (random !)

An Example

Why is this convincing?

G*

random bit b

b

if b=1, !* := ! if b=0, !* := !oσ G*=!*(Gb)?

!*

12

G* := !(G1) (random !)

An Example

Why is this convincing?

If prover can answer both b’s for the same G* then G0~G1

G*

random bit b

b

if b=1, !* := ! if b=0, !* := !oσ G*=!*(Gb)?

!*

12

G* := !(G1) (random !)

An Example

Why is this convincing?

If prover can answer both b’s for the same G* then G0~G1 Otherwise, testing on a random b will leave prover stuck w.p. 1/2

G*

random bit b

b

if b=1, !* := ! if b=0, !* := !oσ G*=!*(Gb)?

!*

12

G* := !(G1) (random !)

An Example

Why is this convincing?

If prover can answer both b’s for the same G* then G0~G1 Otherwise, testing on a random b will leave prover stuck w.p. 1/2

Why ZK?

G*

random bit b

b

if b=1, !* := ! if b=0, !* := !oσ G*=!*(Gb)?

!*

12

G* := !(G1) (random !)

An Example

Why is this convincing?

If prover can answer both b’s for the same G* then G0~G1 Otherwise, testing on a random b will leave prover stuck w.p. 1/2

Why ZK?

Verifier’s view: random b and !* s.t. G*=!*(Gb)

G*

random bit b

b

if b=1, !* := ! if b=0, !* := !oσ G*=!*(Gb)?

!*

12

G* := !(G1) (random !)

An Example

Why is this convincing?

If prover can answer both b’s for the same G* then G0~G1 Otherwise, testing on a random b will leave prover stuck w.p. 1/2

Why ZK?

Verifier’s view: random b and !* s.t. G*=!*(Gb) Which he could have generated by himself (whether G0~G1 or not)

G*

random bit b

b

if b=1, !* := ! if b=0, !* := !oσ G*=!*(Gb)?

!*

12

Zero-Knowledge Proofs

13

Zero-Knowledge Proofs

Interactive Proof

13

Zero-Knowledge Proofs

Interactive Proof

Complete and Sound

13

Zero-Knowledge Proofs

Interactive Proof

Complete and Sound

ZK Property:

13

Zero-Knowledge Proofs

Interactive Proof

Complete and Sound

ZK Property:

13

Zero-Knowledge Proofs

Interactive Proof

Complete and Sound

ZK Property:

13

Ah, got it! 42

Zero-Knowledge Proofs

Interactive Proof

Complete and Sound

ZK Property:

13

Ah, got it! 42

Zero-Knowledge Proofs

Interactive Proof

Complete and Sound

ZK Property:

13

Ah, got it! 42

Zero-Knowledge Proofs

Interactive Proof

Complete and Sound

ZK Property:

Verifier’s view could have been “simulated”

13

Ah, got it! 42

Zero-Knowledge Proofs

Interactive Proof

Complete and Sound

ZK Property:

Verifier’s view could have been “simulated”

13

Ah, got it! 42

Zero-Knowledge Proofs

Interactive Proof

Complete and Sound

ZK Property:

Verifier’s view could have been “simulated”

13

Ah, got it! 42

Zero-Knowledge Proofs

Interactive Proof

Complete and Sound

ZK Property:

Verifier’s view could have been “simulated”

x i n L

13

Ah, got it! 42

Zero-Knowledge Proofs

Interactive Proof

Complete and Sound

ZK Property:

Verifier’s view could have been “simulated”

x i n L

Ah, got it! 42

13

Ah, got it! 42

Zero-Knowledge Proofs

Interactive Proof

Complete and Sound

ZK Property:

Verifier’s view could have been “simulated” For every adversarial strategy, there exists a simulation strategy

x i n L

Ah, got it! 42

13

ZK Property (in other pict’ s)

proto proto

Env REAL

i’face

Env IDEAL

F

R

x,w x Secure (and correct) if: ∀ ∃ s.t. ∀

• utput of

is distributed identically in REAL and IDEAL x

14

ZK Property (in other pict’ s)

proto proto

Env REAL

i’face

Env IDEAL

F

R

x,w x Secure (and correct) if: ∀ ∃ s.t. ∀

• utput of

is distributed identically in REAL and IDEAL x

14

ZK Property (in other pict’ s)

proto proto

Env REAL

i’face

Env IDEAL

F

R

x,w x Secure (and correct) if: ∀ ∃ s.t. ∀

• utput of

is distributed identically in REAL and IDEAL x

14

ZK Property (in other pict’ s)

proto proto

Env REAL

i’face

Env IDEAL

F

R

Classical definition uses simulation

• nly for corrupt receiver;

x,w x Secure (and correct) if: ∀ ∃ s.t. ∀

• utput of

is distributed identically in REAL and IDEAL x

14

ZK Property (in other pict’ s)

proto proto

Env REAL

i’face

Env IDEAL

F

R

Classical definition uses simulation

• nly for corrupt receiver;

and uses only standalone security: Environment gets only a transcript at the end x,w x Secure (and correct) if: ∀ ∃ s.t. ∀

• utput of

is distributed identically in REAL and IDEAL x

14

SIM ZK

proto proto

Env REAL

i’face

Env IDEAL

F

R

x,w x Secure (and correct) if: ∀ ∃ s.t. ∀

• utput of

is distributed identically in REAL and IDEAL x

15

SIM ZK

proto proto

Env REAL

i’face

Env IDEAL

F

R

x,w x

• SIM-ZK would require simulation also when prover is corrupt

Secure (and correct) if: ∀ ∃ s.t. ∀

• utput of

is distributed identically in REAL and IDEAL x

15

SIM ZK

proto proto

Env REAL

i’face

Env IDEAL

F

R

x,w x

• SIM-ZK would require simulation also when prover is corrupt
• Then simulator is a witness extractor

Secure (and correct) if: ∀ ∃ s.t. ∀

• utput of

is distributed identically in REAL and IDEAL x

15

SIM ZK

proto proto

Env REAL

i’face

Env IDEAL

F

R

x,w x

• SIM-ZK would require simulation also when prover is corrupt
• Then simulator is a witness extractor
• Adding this (in standalone) makes it a Proof of Knowledge

Secure (and correct) if: ∀ ∃ s.t. ∀

• utput of

is distributed identically in REAL and IDEAL x

15

Results

16

Results

IP and ZK defined [GMR’85]

16

Results

IP and ZK defined [GMR’85] ZK for all NP languages [GMW’86]

16

Results

IP and ZK defined [GMR’85] ZK for all NP languages [GMW’86]

Assuming one-way functions exist

16

Results

IP and ZK defined [GMR’85] ZK for all NP languages [GMW’86]

Assuming one-way functions exist

ZK for all of IP [BGGHKMR’88]

16

Results

IP and ZK defined [GMR’85] ZK for all NP languages [GMW’86]

Assuming one-way functions exist

ZK for all of IP [BGGHKMR’88]

Everything that can be proven can be proven in zero-knowledge! (Assuming OWF)

16

Results

IP and ZK defined [GMR’85] ZK for all NP languages [GMW’86]

Assuming one-way functions exist

ZK for all of IP [BGGHKMR’88]

Everything that can be proven can be proven in zero-knowledge! (Assuming OWF)

Variants (for NP)

16

Results

IP and ZK defined [GMR’85] ZK for all NP languages [GMW’86]

Assuming one-way functions exist

ZK for all of IP [BGGHKMR’88]

Everything that can be proven can be proven in zero-knowledge! (Assuming OWF)

Variants (for NP)

ZKPoK, Statistical ZK Arguments, O(1)-round ZK

16

A ZK Proof for Graph Colorability

17

A ZK Proof for Graph Colorability

G,coloring

17

Uses a commitment protocol as a subroutine

A ZK Proof for Graph Colorability

G,coloring

F

17

Uses a commitment protocol as a subroutine

A ZK Proof for Graph Colorability

Use random colors

G,coloring

F

17

Uses a commitment protocol as a subroutine

A ZK Proof for Graph Colorability

Use random colors

G,coloring

F

c

• m

m i t t e d

17

Uses a commitment protocol as a subroutine

A ZK Proof for Graph Colorability

pick random edge Use random colors

edge G,coloring

F

c

• m

m i t t e d

17

Uses a commitment protocol as a subroutine

A ZK Proof for Graph Colorability

pick random edge Use random colors

edge G,coloring

F

reveal edge c

• m

m i t t e d

17

Uses a commitment protocol as a subroutine

A ZK Proof for Graph Colorability

pick random edge distinct colors? Use random colors

edge G,coloring

F

reveal edge c

• m

m i t t e d

17

Uses a commitment protocol as a subroutine

A ZK Proof for Graph Colorability

pick random edge distinct colors? Use random colors

edge G,coloring OK

F

reveal edge c

• m

m i t t e d

17

Uses a commitment protocol as a subroutine At least 1/m probability of catching a wrong proof

A ZK Proof for Graph Colorability

pick random edge distinct colors? Use random colors

edge G,coloring OK

F

reveal edge c

• m

m i t t e d

17

Uses a commitment protocol as a subroutine At least 1/m probability of catching a wrong proof Soundness amplification: Repeat say mk times (with independent color permutations)

A ZK Proof for Graph Colorability

pick random edge distinct colors? Use random colors

edge G,coloring OK

F

reveal edge c

• m

m i t t e d

17

A Commitment Protocol

18

Uses a OWP f and a hardcore predicate for it B

A Commitment Protocol

18

Uses a OWP f and a hardcore predicate for it B Satisfies only classical (IND) security, in terms of hiding and binding

A Commitment Protocol

18

Uses a OWP f and a hardcore predicate for it B Satisfies only classical (IND) security, in terms of hiding and binding

A Commitment Protocol

b

18

Uses a OWP f and a hardcore predicate for it B Satisfies only classical (IND) security, in terms of hiding and binding

A Commitment Protocol

random x

b

18

Uses a OWP f and a hardcore predicate for it B Satisfies only classical (IND) security, in terms of hiding and binding

A Commitment Protocol

random x

f(x), b ⊕ B(x) b

18

Uses a OWP f and a hardcore predicate for it B Satisfies only classical (IND) security, in terms of hiding and binding

A Commitment Protocol

random x

f(x), b ⊕ B(x) b committed

18

Uses a OWP f and a hardcore predicate for it B Satisfies only classical (IND) security, in terms of hiding and binding

A Commitment Protocol

random x

f(x), b ⊕ B(x) b committed

18

Uses a OWP f and a hardcore predicate for it B Satisfies only classical (IND) security, in terms of hiding and binding

A Commitment Protocol

random x

f(x), b ⊕ B(x) b committed reveal

18

Uses a OWP f and a hardcore predicate for it B Satisfies only classical (IND) security, in terms of hiding and binding

A Commitment Protocol

random x

f(x), b ⊕ B(x) b x,b committed reveal

18

Uses a OWP f and a hardcore predicate for it B Satisfies only classical (IND) security, in terms of hiding and binding

A Commitment Protocol

consistent? random x

f(x), b ⊕ B(x) b x,b committed reveal

18

Uses a OWP f and a hardcore predicate for it B Satisfies only classical (IND) security, in terms of hiding and binding

A Commitment Protocol

consistent? random x

f(x), b ⊕ B(x) b b x,b committed reveal

18

Uses a OWP f and a hardcore predicate for it B Satisfies only classical (IND) security, in terms of hiding and binding Perfectly binding because f is a permutation

A Commitment Protocol

consistent? random x

f(x), b ⊕ B(x) b b x,b committed reveal

18

Uses a OWP f and a hardcore predicate for it B Satisfies only classical (IND) security, in terms of hiding and binding Perfectly binding because f is a permutation Hiding because B(x) is pseudorandom given f(x)

A Commitment Protocol

consistent? random x

f(x), b ⊕ B(x) b b x,b committed reveal

18

ZK Proofs: What for?

19

Authentication

ZK Proofs: What for?

19

Authentication

Using ZK Proof of Knowledge

ZK Proofs: What for?

19

Authentication

Using ZK Proof of Knowledge

Canonical use: As a tool in larger protocols

ZK Proofs: What for?

19

Authentication

Using ZK Proof of Knowledge

Canonical use: As a tool in larger protocols

To enforce “honest behavior” in protocols

ZK Proofs: What for?

19

Authentication

Using ZK Proof of Knowledge

Canonical use: As a tool in larger protocols

To enforce “honest behavior” in protocols At each step prove in ZK it was done as prescribed

ZK Proofs: What for?

19

Authentication

Using ZK Proof of Knowledge

Canonical use: As a tool in larger protocols

To enforce “honest behavior” in protocols At each step prove in ZK it was done as prescribed

ZK Proofs: What for?

x1

19

Authentication

Using ZK Proof of Knowledge

Canonical use: As a tool in larger protocols

To enforce “honest behavior” in protocols At each step prove in ZK it was done as prescribed

ZK Proofs: What for?

x1

Prove to me x1 is what you should have sent me now

19

Authentication

Using ZK Proof of Knowledge

Canonical use: As a tool in larger protocols

To enforce “honest behavior” in protocols At each step prove in ZK it was done as prescribed

ZK Proofs: What for?

x1

Prove to me x1 is what you should have sent me now

19

Authentication

Using ZK Proof of Knowledge

Canonical use: As a tool in larger protocols

To enforce “honest behavior” in protocols At each step prove in ZK it was done as prescribed

ZK Proofs: What for?

x1

Prove to me x1 is what you should have sent me now OK

19

Authentication

Using ZK Proof of Knowledge

Canonical use: As a tool in larger protocols

To enforce “honest behavior” in protocols At each step prove in ZK it was done as prescribed

ZK Proofs: What for?

x1 y1

Prove to me x1 is what you should have sent me now OK

19

Prove y1 is what...

Authentication

Using ZK Proof of Knowledge

Canonical use: As a tool in larger protocols

To enforce “honest behavior” in protocols At each step prove in ZK it was done as prescribed

ZK Proofs: What for?

x1 y1

Prove to me x1 is what you should have sent me now OK

19

Prove y1 is what...

Authentication

Using ZK Proof of Knowledge

Canonical use: As a tool in larger protocols

To enforce “honest behavior” in protocols At each step prove in ZK it was done as prescribed

ZK Proofs: What for?

x1 y1

Prove to me x1 is what you should have sent me now OK

19

Prove y1 is what...

Authentication

Using ZK Proof of Knowledge

Canonical use: As a tool in larger protocols

To enforce “honest behavior” in protocols At each step prove in ZK it was done as prescribed

ZK Proofs: What for?

x1 y1

Prove to me x1 is what you should have sent me now OK OK

19

Prove y1 is what...

Authentication

Using ZK Proof of Knowledge

Canonical use: As a tool in larger protocols

To enforce “honest behavior” in protocols At each step prove in ZK it was done as prescribed

ZK Proofs: What for?

x1 y1 x2

Prove to me x1 is what you should have sent me now OK OK

19

Prove y1 is what...

Authentication

Using ZK Proof of Knowledge

Canonical use: As a tool in larger protocols

To enforce “honest behavior” in protocols At each step prove in ZK it was done as prescribed

ZK Proofs: What for?

x1 y1 x2

Prove to me x1 is what you should have sent me now Prove x2 is what... OK OK

19

Does it fit in?

x1 y1 x2

20

Does the proof stay ZK in the big picture?

Does it fit in?

x1 y1 x2

20

Does the proof stay ZK in the big picture?

Composition

Does it fit in?

x1 y1 x2

20

Does the proof stay ZK in the big picture?

Composition

Several issues: auxiliary information from previous runs, concurrency issues, malleability/man-in-the- middle

Does it fit in?

x1 y1 x2

20

Does the proof stay ZK in the big picture?

Composition

Several issues: auxiliary information from previous runs, concurrency issues, malleability/man-in-the- middle

In general, to allow composition more complicated protocols

Does it fit in?

x1 y1 x2

20

An IND-security Notion

21

An IND-security Notion

ZK (as opposed to SIM-ZK/ZK-PoK) weakens soundness guarantee

21

An IND-security Notion

ZK (as opposed to SIM-ZK/ZK-PoK) weakens soundness guarantee A weakening of ZK property: Witness Indistinguishability (WI)

21

An IND-security Notion

ZK (as opposed to SIM-ZK/ZK-PoK) weakens soundness guarantee A weakening of ZK property: Witness Indistinguishability (WI) When 2 witnesses possible, verifier can’ t tell which one was used

21

An IND-security Notion

ZK (as opposed to SIM-ZK/ZK-PoK) weakens soundness guarantee A weakening of ZK property: Witness Indistinguishability (WI) When 2 witnesses possible, verifier can’ t tell which one was used A ZK proof is always WI, but not vice-versa

21

An IND-security Notion

ZK (as opposed to SIM-ZK/ZK-PoK) weakens soundness guarantee A weakening of ZK property: Witness Indistinguishability (WI) When 2 witnesses possible, verifier can’ t tell which one was used A ZK proof is always WI, but not vice-versa WI Proofs used as components inside larger protocols

21

An IND-security Notion

ZK (as opposed to SIM-ZK/ZK-PoK) weakens soundness guarantee A weakening of ZK property: Witness Indistinguishability (WI) When 2 witnesses possible, verifier can’ t tell which one was used A ZK proof is always WI, but not vice-versa WI Proofs used as components inside larger protocols Sometimes with certain other useful properties

21

An IND-security Notion

ZK (as opposed to SIM-ZK/ZK-PoK) weakens soundness guarantee A weakening of ZK property: Witness Indistinguishability (WI) When 2 witnesses possible, verifier can’ t tell which one was used A ZK proof is always WI, but not vice-versa WI Proofs used as components inside larger protocols Sometimes with certain other useful properties e.g. WI-PoK, “Sigma protocols”

21

An IND-security Notion

ZK (as opposed to SIM-ZK/ZK-PoK) weakens soundness guarantee A weakening of ZK property: Witness Indistinguishability (WI) When 2 witnesses possible, verifier can’ t tell which one was used A ZK proof is always WI, but not vice-versa WI Proofs used as components inside larger protocols Sometimes with certain other useful properties e.g. WI-PoK, “Sigma protocols” Defined in standalone setting, but WI property is preserved under some “composition” too

21

Non-Interactive ZK

22

Non-Interactive ZK

Can the prover just give a written proof (no interaction) which any

• ne can verify and can simulate too?

22

Non-Interactive ZK

Can the prover just give a written proof (no interaction) which any

• ne can verify and can simulate too?

No soundness: prover can give the simulated proof

22

Non-Interactive ZK

Can the prover just give a written proof (no interaction) which any

• ne can verify and can simulate too?

No soundness: prover can give the simulated proof NIZK: a trusted “common random string” (CRS) is published, and the proof/verification is w.r.t CRS

22

Non-Interactive ZK

Can the prover just give a written proof (no interaction) which any

• ne can verify and can simulate too?

No soundness: prover can give the simulated proof NIZK: a trusted “common random string” (CRS) is published, and the proof/verification is w.r.t CRS NIZK property: a simulator can simulate the CRS and the proofs

22

Non-Interactive ZK

Can the prover just give a written proof (no interaction) which any

• ne can verify and can simulate too?

No soundness: prover can give the simulated proof NIZK: a trusted “common random string” (CRS) is published, and the proof/verification is w.r.t CRS NIZK property: a simulator can simulate the CRS and the proofs Note: CRS is a part of the proof, but prover is not allowed to choose it (otherwise no soundness)

22

Non-Interactive ZK

Can the prover just give a written proof (no interaction) which any

• ne can verify and can simulate too?

No soundness: prover can give the simulated proof NIZK: a trusted “common random string” (CRS) is published, and the proof/verification is w.r.t CRS NIZK property: a simulator can simulate the CRS and the proofs Note: CRS is a part of the proof, but prover is not allowed to choose it (otherwise no soundness) NIZK schemes exist for all NP languages (using “enhanced” T-OWP)

22

Non-Interactive ZK

Can the prover just give a written proof (no interaction) which any

• ne can verify and can simulate too?

No soundness: prover can give the simulated proof NIZK: a trusted “common random string” (CRS) is published, and the proof/verification is w.r.t CRS NIZK property: a simulator can simulate the CRS and the proofs Note: CRS is a part of the proof, but prover is not allowed to choose it (otherwise no soundness) NIZK schemes exist for all NP languages (using “enhanced” T-OWP) Also can NIZK-ify some ZK protocols in the RO Model (no CRS)

22

Today

23

Today

Zero-Knowledge Proofs

23

Today

Zero-Knowledge Proofs Interactive Proofs (complete and sound), in which the verifier’ s view is simulatable given just the statement being proven

23

Today

Zero-Knowledge Proofs Interactive Proofs (complete and sound), in which the verifier’ s view is simulatable given just the statement being proven Classical security definition

23

Today

Zero-Knowledge Proofs Interactive Proofs (complete and sound), in which the verifier’ s view is simulatable given just the statement being proven Classical security definition Standalone SIM-security for corrupt verifier (ZK property). Soundness (for corrupt prover) separately

23

Today

Zero-Knowledge Proofs Interactive Proofs (complete and sound), in which the verifier’ s view is simulatable given just the statement being proven Classical security definition Standalone SIM-security for corrupt verifier (ZK property). Soundness (for corrupt prover) separately Protocols for Graph 3-colorability (and hence all NP properties) using commitment schemes (in turn using OWP)

23

Today

Zero-Knowledge Proofs Interactive Proofs (complete and sound), in which the verifier’ s view is simulatable given just the statement being proven Classical security definition Standalone SIM-security for corrupt verifier (ZK property). Soundness (for corrupt prover) separately Protocols for Graph 3-colorability (and hence all NP properties) using commitment schemes (in turn using OWP) Omitted: ZK for several specific statements

23

Today

Zero-Knowledge Proofs Interactive Proofs (complete and sound), in which the verifier’ s view is simulatable given just the statement being proven Classical security definition Standalone SIM-security for corrupt verifier (ZK property). Soundness (for corrupt prover) separately Protocols for Graph 3-colorability (and hence all NP properties) using commitment schemes (in turn using OWP) Omitted: ZK for several specific statements Useful in “enforcing” honest (but curious) behavior

23

Today

Zero-Knowledge Proofs Interactive Proofs (complete and sound), in which the verifier’ s view is simulatable given just the statement being proven Classical security definition Standalone SIM-security for corrupt verifier (ZK property). Soundness (for corrupt prover) separately Protocols for Graph 3-colorability (and hence all NP properties) using commitment schemes (in turn using OWP) Omitted: ZK for several specific statements Useful in “enforcing” honest (but curious) behavior Some variants (NIZK, WI)

23