Zero-Knowledge Protocols

Mihir Bellare, UCSD

(PowerPoint presentation)

The People


The Awards


A zero-knowledge protocol allows Peggy to

  • Convince Vic that her claim is true and that she knows S
  • Without revealing anything beyond that

Prover (Peggy): holds claim I and secret S.   Verifier (Vic): outputs decision d ∈ {true, false}.

  Peggy             Vic                 Claim I                                    Secret S
  Student           Another student     I know how to solve the homework problem   Peggy’s solution
  An Internet user  A server            I have a valid password                    The password
  Mathematician     The Clay Institute  I have a proof that P is not equal to NP   The proof


Ali-Baba’s Zero-Knowledge Protocol

This story is used to explain zero-knowledge in many places, including Wikipedia. But it doesn’t make a lot of sense. We will use Joseph Jaeger’s variant.

Ali Baba’s ZK Protocol

Setting: A cave with entrance E and two chambers A and B joined by a portal.
  MW[A, B] = Magic Words opening the A → B portal
  MW[B, A] = Magic Words opening the B → A portal
Peggy has secret S ∈ {MW[A, B], MW[B, A]}. Peggy does not want Vic to know which of the two magic words she has.

Protocol:
  • If Peggy knows MW[A, B]: Peggy goes to A. Vic goes to E.
  • If Peggy knows MW[B, A]: Peggy goes to B. Vic goes to E.
  • Final step, in either case: Vic picks C ←$ {A, B} and says “Peggy, please appear at C”. Peggy appears at C.

Ali Baba’s ZK Protocol

Completeness: If Peggy’s claim is true, meaning she knows either MW[A,B] or MW[B,A], and both parties follow the protocol, then Vic will accept. Why? Peggy can appear at whatever side Vic requests.

Soundness: If Peggy’s claim is false, meaning she knows neither MW[A,B] nor MW[B,A], then Vic will reject with probability at least 1/2, even if Peggy cheats, meaning does not follow the prescribed protocol. Why? Cheating Peggy can start at any X ∈ {A, B} of her choice, but Vic picks C at random and cheating Peggy cannot appear at C ≠ X.

Zero-knowledge: If Peggy’s claim is true, and Peggy follows the protocol, then Vic will not learn which of the two secrets MW[A,B], MW[B,A] Peggy knows. Why? Regardless of the secret, Vic sees Peggy appearing at whatever side he requests.

                  Peggy’s claim is   Peggy is   Vic will
  Completeness    TRUE               honest     always accept
  Soundness       FALSE              cheating   accept with probability at most 1/2
  Zero-knowledge  TRUE               honest     not learn which of the two secrets Peggy knows

This story may not make complete sense. To make zero-knowledge sensible, we need DEFINITIONS. The definitions are intriguing: how can one mathematically capture the “knowledge” learned by interacting with another party?

Zero-knowledge protocol for Quadratic Residuosity

Some math definitions

Let N ≥ 1 be an integer. We say that x ∈ Z∗_N is a square root of X ∈ Z∗_N modulo N if x² mod N = X. We say that X ∈ Z∗_N is a square, or quadratic residue, modulo N, if it has a square root modulo N.

  SR(N, X) = {x ∈ Z∗_N : X = x² mod N}        The set of square roots of X modulo N
  QR(N) = {X ∈ Z∗_N : SR(N, X) ≠ ∅}            The set of quadratic residues modulo N
  QR = {(N, X) : N ≥ 1 and X ∈ QR(N)}          The language of quadratic residues

Example: Let N = 11.

  x           1  2  3  4  5  6  7  8  9  10
  x² mod 11   1  4  9  5  3  3  5  9  4  1

  SR(11, 5) = {4, 7}     SR(11, 6) = ∅     QR(11) = {1, 3, 4, 5, 9}

Fact: Let X ∈ Z∗_N. Then X ∈ QR(N) if and only if X⁻¹ mod N ∈ QR(N).

Fact: Let x, X ∈ Z∗_N. Then x ∈ SR(N, X) if and only if x⁻¹ mod N ∈ SR(N, X⁻¹ mod N).

Complexity of QR

  • Input: (N, X). Question: Is (N, X) in QR?
  • Input: (N, X) in QR. Find: A square root x of X modulo N.

These problems are hard: There are no (known) efficient (polynomial-time) algorithms for them. But easy in some cases: There are polynomial-time algorithms when N is prime.

  • Input: N. Find: Some X in QR(N).

This is easy: Pick x ←$ Z∗_N and return X ← x² mod N.

Proving quadratic residuosity

Peggy has x such that x² mod N = X. Peggy claims that (N, X) is in QR. Both parties have (N, X), the common input. The protocol is the prescribed, shown steps for the parties. A party can follow the protocol (it is honest) or not (it is cheating). Vic is always honest, but not so Peggy. At the end Vic returns d ∈ {true, false}. Definition: Vic accepts if d = true.

                  (N,X) is    Peggy is   Vic will
  Completeness    in QR       honest     always accept
  Soundness       not in QR   cheating   accept with probability at most 1/2
  Zero-knowledge  in QR       honest     not learn x

A non-ZK protocol

Peggy has x such that x² mod N = X.

  Prover Peggy (input (N, X), x):   Cmt ← x ; send Cmt
  Verifier Vic (input (N, X)):      d ← (Cmt² mod N = X) ; Return d

Completeness: (N, X) in QR, Peggy honest: Vic will always accept.

Soundness: (N, X) not in QR, Peggy cheating, so she sends some Cmt ← ? of her choice. But X ∉ QR(N) means there does not exist Cmt such that Cmt² mod N = X, so Vic will return d = false. Vic will never accept.

Zero-knowledge: (N, X) in QR, Peggy honest: Vic will learn x, so ZK fails.

                  (N,X) is    Peggy is   Vic will
  Completeness    in QR       honest     always accept
  Soundness       not in QR   cheating   never accept
  Zero-knowledge  in QR       honest     learn x, so ZK fails

Splitting

Suppose we split up X as X = Cmt · Y mod N for some Cmt, Y ∈ Z∗_N. Then we have:

Fact:
  — If (Cmt ∈ QR(N) and Y ∈ QR(N)) then X ∈ QR(N)
  — If X ∉ QR(N) then (Cmt ∉ QR(N) or Y ∉ QR(N))

Proof intuition: √Cmt · √Y = √(Cmt · Y) = √X

Proof, formally: We are given that Cmt ∈ QR(N), so Cmt = c² mod N for some c ∈ Z∗_N. We are given that Y ∈ QR(N), so Y = y² mod N for some y ∈ Z∗_N. Let w = cy mod N. Then w² mod N = c²y² mod N = Cmt · Y mod N. But we are given that Cmt · Y mod N = X. So w² mod N = X. So X ∈ QR(N).

Splitting for zero knowledge

Peggy has x such that x² mod N = X, and claims that (N, X) is in QR. Both parties have (N, X). Peggy does not want to reveal x.

Peggy splits up X as X = Cmt · Y mod N for some Cmt, Y ∈ Z∗_N. Then she makes two claims:
  Claim 0: Cmt ∈ QR(N)
  Claim 1: Y ∈ QR(N)

Vic picks a bit Ch at random and asks: Peggy, please prove Claim Ch.
  If Ch = 0 then Peggy sends Rsp = √Cmt
  If Ch = 1 then Peggy sends Rsp = √Y
Vic returns d ∈ {true, false}.

Soundness: If X is not in QR(N) then one of the two Claims is false, so Vic rejects with probability at least 1/2.

ZK: Rsp does not reveal a square root of X.

The ZK protocol for QR

Peggy has x such that x² mod N = X. Both parties have (N, X).

Prover Peggy (input (N, X), x):
  c ←$ Z∗_N ; Cmt ← c² mod N ; send Cmt
  receive Ch
  Rsp ← c⁻¹ · x^Ch mod N ; send Rsp

Verifier Vic (input (N, X)):
  receive Cmt
  Ch ←$ {0, 1} ; send Ch
  receive Rsp
  d ← (Rsp² ≡ Cmt⁻¹ · X^Ch (mod N)) ; Return d

Completeness: (N, X) in QR, Peggy honest: Vic will always accept. Why?
  Rsp² mod N = (c⁻¹ · x^Ch)² mod N = (c²)⁻¹ · (x²)^Ch mod N = Cmt⁻¹ · X^Ch mod N

Soundness: (N, X) not in QR, Peggy cheating (Cmt ← ?, Rsp ← ?): Vic will accept with probability at most 1/2. Why? Let Y = Cmt⁻¹ · X mod N, so that X = Cmt · Y mod N. By assumption X ∉ QR(N). So by the Fact either Cmt ∉ QR(N) or Y ∉ QR(N). So d = false with probability at least 1/2.

Zero-knowledge: (N, X) in QR, Peggy honest: Vic will learn nothing more about x than he knew before. Why? Rsp = c⁻¹x^Ch mod N is a random square root of the random square Cmt⁻¹ · X^Ch mod N.

                  (N,X) is    Peggy is   Vic will
  Completeness    in QR       honest     always accept
  Soundness       not in QR   cheating   accept with probability at most 1/2
  Zero-knowledge  in QR       honest     learn nothing more about x than he knew before
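Added example, not from the slides: the QR protocol above in Python on the slides’ toy instance N = 11, X = 5 with secret root x = 4, plus a cheating prover for the non-residue X = 6 that bets on the challenge in advance and is caught exactly half the time, showing the one-round soundness bound is tight. The brute-force `square_roots` helper and the betting cheater are my constructions.

```python
import random
from math import gcd

# Constructed toy parameters from the slides' example: N = 11, X = 5 is a
# quadratic residue (4^2 mod 11 = 5) with Peggy's secret root x = 4, while
# X = 6 is a non-residue (SR(11, 6) is empty), used for the cheating prover.
N, X_GOOD, ROOT_GOOD, X_BAD = 11, 5, 4, 6

def units(n):
    """Z*_n: the residues mod n coprime to n."""
    return [a for a in range(1, n) if gcd(a, n) == 1]

def square_roots(n, x_val):
    """SR(n, X) by brute force; only feasible for a toy modulus."""
    return [a for a in units(n) if a * a % n == x_val % n]

def prover_commit(n):
    """Peggy's first move: c <-$ Z*_N, Cmt <- c^2 mod N. Returns (c, Cmt)."""
    c = random.choice(units(n))
    return c, pow(c, 2, n)

def prover_respond(n, x, c, ch):
    """Peggy's answer to challenge Ch: Rsp <- c^{-1} * x^Ch mod N."""
    return pow(c, -1, n) * pow(x, ch, n) % n

def verifier_check(n, x_val, cmt, ch, rsp):
    """Vic's decision: d <- (Rsp^2 == Cmt^{-1} * X^Ch mod N)."""
    return pow(rsp, 2, n) == pow(cmt, -1, n) * pow(x_val, ch, n) % n

def honest_round(n, x_val, x, ch):
    """One round with honest Peggy, who knows x, facing challenge ch."""
    c, cmt = prover_commit(n)
    return verifier_check(n, x_val, cmt, ch, prover_respond(n, x, c, ch))

def cheating_round(n, x_val, guess, ch):
    """Cheating Peggy, who has no square root of X, bets the challenge will be
    `guess` and prepares (Cmt, Rsp) that pass for that challenge only."""
    r = random.choice(units(n))
    if guess == 0:
        cmt, rsp = pow(r, 2, n), pow(r, -1, n)      # Cmt is a square: answers Ch = 0
    else:
        cmt, rsp = x_val * pow(r, -2, n) % n, r     # Cmt^{-1} X = r^2: answers Ch = 1
    return verifier_check(n, x_val, cmt, ch, rsp)

def cheater_acceptance_rate(n, x_val):
    """Exact acceptance rate of the betting cheater over all (guess, Ch) pairs,
    each equally likely: the soundness bound 1/2 is tight for one round."""
    hits = sum(cheating_round(n, x_val, g, ch) for g in (0, 1) for ch in (0, 1))
    return hits / 4
```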

But what exactly does it mean that this protocol is zero knowledge? Next we give a DEFINITION and show that it is met.

Defining and proving ZK for Quadratic Residuosity

Note for experts: What we define here is honest-verifier, perfect zero knowledge for the QR protocol.

Transcripts

The protocol is captured by the pair (P, V) of algorithms describing the behavior of the prover and verifier depicted above:

  Prover Peggy (input (N, X), x):  c ←$ Z∗_N ; Cmt ← c² mod N ; on receiving Ch: Rsp ← c⁻¹ · x^Ch mod N
  Verifier Vic (input (N, X)):     Ch ←$ {0, 1} ; on receiving Rsp: d ← (Rsp² ≡ Cmt⁻¹ · X^Ch (mod N)) ; Return d

We want to define what it means for this pair to be zero-knowledge for the language QR. A protocol transcript is a possible sequence (Cmt, Ch, Rsp) of messages exchanged. This algorithm generates transcripts (note: the algorithm takes the secret x as input to do this!):

Algorithm Tr_(P,V)((N, X), x)
  c ←$ Z∗_N ; Cmt ← c² mod N
  Ch ←$ {0, 1}
  Rsp ← c⁻¹ · x^Ch mod N
  T ← (Cmt, Ch, Rsp)
  Return T

Simulation

ZK intuition: The information conveyed by the protocol is the transcript T. ZK definition idea: (P, V) is zero knowledge if a transcript T, that looks just like a real one, can be (efficiently) generated, given (N, X) but not given x.

The algorithm Tr_(P,V)((N, X), x) above generates transcripts, but takes the secret x as input. We call these transcripts real.

Two new members of the cast of characters:

  • Simulator S: Takes input (N, X) and generates a transcript T that is supposed to look like a real one. S does NOT get input x!
  • Distinguisher D: Takes input T and tests whether T was generated by Tr or by S, outputting a bit b′.

To show that our protocol is ZK, we need to exhibit a good simulator S, meaning one that fools D.

Simulation

Let (P, V) be the prover-verifier pair defining the protocol. Let S be a candidate simulator. The adversary playing this game is the distinguisher D.

Game ZK_(P,V),S
  Initialize: b ←$ {0, 1}
  Transcript((N, X), x):
    If (x² mod N ≠ X) then return ⊥
    If (b = 1) then T ←$ Tr_(P,V)((N, X), x)
    Else T ←$ S((N, X))
    Return T
  Finalize(b′): Return (b′ = b)

  Adv^zk_(P,V),S(D) = 2 · Pr[ZK^D_(P,V),S] − 1

where Pr[ZK^D_(P,V),S] is the probability that the game returns true when run with adversary D.

Def: S is a (good!) zk simulator for (P, V) over QR if Adv^zk_(P,V),S(D) = 0 for all distinguishers D.

Def: (P, V) is a zero-knowledge protocol for language QR if there exists an efficient zk simulator S for (P, V) over QR. Efficient means polynomial time in the length of the input to S; here, O(k³), where k is the length of N.

To show that our protocol is ZK, we need to exhibit an efficient zk simulator S.

A simulator for the QR protocol?

Task: Exhibit an efficient simulator S such that Adv^zk_(P,V),S(D) = 0 for all distinguishers D. S((N, X)) must return T = (Cmt, Ch, Rsp) such that Rsp² ≡ Cmt⁻¹ · X^Ch (mod N).

First attempt:

Simulator S2((N, X))
  x ←$ SR(N, X)
  T ←$ Tr_(P,V)((N, X), x)
  Return T

zk simulator? Yes. Efficient? No: the operation x ←$ SR(N, X) cannot be efficiently performed.

A simulator for the QR protocol?

Second attempt:

Simulator S0((N, X))
  c ←$ Z∗_N ; Cmt ← c² mod N
  Ch ← 0 ; Rsp ← c⁻¹ mod N
  T ← (Cmt, Ch, Rsp)
  Return T

Efficient? Yes. zk simulator? Check: Looking good … ?
  Cmt⁻¹ · X^Ch mod N = (c²)⁻¹ · X⁰ mod N = (c⁻¹)² mod N = Rsp² mod N

But we always have Ch = 0! Attack: Adv^zk_(P,V),S0(D) = 1/2 for the following distinguisher:

Distinguisher D
  T ←$ Transcript((11, 9))
  (Cmt, Ch, Rsp) ← T
  If (Ch = 0) then return 0 else return 1

So S0 is not a zk simulator.

A simulator for the QR protocol!

Simulator S((N, X))
  Ch ←$ {0, 1} ; Rsp ←$ Z∗_N
  Cmt ← Rsp⁻² · X^Ch mod N
  T ← (Cmt, Ch, Rsp)
  Return T

zk simulator? Yes. Efficient? Yes.

Check: Looking good … ? And it is good … S((N, X)) must return T = (Cmt, Ch, Rsp) such that Rsp² ≡ Cmt⁻¹ · X^Ch (mod N), and indeed:
  Cmt⁻¹ · X^Ch mod N = (Rsp⁻² · X^Ch)⁻¹ · X^Ch mod N = Rsp² · X^(−Ch) · X^Ch mod N = Rsp² mod N

The trick is for the simulator to pick the components of the transcript out of order: first it picks Ch, Rsp and then it computes Cmt to match.
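Added example, not from the slides: the transcript generator Tr, the failed simulator S0 with the slides’ distinguisher D, and the good simulator S, on the toy instance (N, X) = (11, 9) used by the slides’ D, with secret root x = 3. Because Z∗_11 is tiny, the code enumerates every equally likely transcript and compares exact distributions, which gives Adv = 1/2 against S0 and 0 against S (perfect ZK); the enumeration and the `best_advantage` helper (statistical distance) are my additions.

```python
from collections import Counter
from fractions import Fraction
from math import gcd

# Constructed toy instance, matching the slides' distinguisher which calls
# Transcript((11, 9)): N = 11, X = 9, Peggy's secret square root x = 3.
N, X, SECRET_X = 11, 9, 3

def units(n):
    return [a for a in range(1, n) if gcd(a, n) == 1]   # Z*_n

def distribution(transcripts):
    """Exact distribution of a list of equally likely transcripts."""
    counts = Counter(transcripts)
    return {t: Fraction(k, len(transcripts)) for t, k in counts.items()}

def real_transcripts(n, x_val, x):
    """Tr_(P,V)((N,X), x): one transcript per equally likely (c, Ch). Needs x."""
    return [(pow(c, 2, n), ch, pow(c, -1, n) * pow(x, ch, n) % n)
            for c in units(n) for ch in (0, 1)]

def simulator_s0(n, x_val):
    """S0 from the slides: Ch fixed to 0, Rsp = c^{-1}. Does not need x."""
    return [(pow(c, 2, n), 0, pow(c, -1, n)) for c in units(n)]

def simulator_s(n, x_val):
    """The good simulator S: pick Ch and Rsp first, then Cmt = Rsp^{-2} X^Ch."""
    return [(pow(rsp, -2, n) * pow(x_val, ch, n) % n, ch, rsp)
            for rsp in units(n) for ch in (0, 1)]

def verifies(n, x_val, t):
    """Vic's check on a transcript: Rsp^2 == Cmt^{-1} * X^Ch mod N."""
    cmt, ch, rsp = t
    return pow(rsp, 2, n) == pow(cmt, -1, n) * pow(x_val, ch, n) % n

def distinguisher_ch(t):
    """D from the slides: output 0 (simulated) iff Ch = 0, else 1 (real)."""
    return 0 if t[1] == 0 else 1

def advantage(dist_real, dist_sim, d):
    """Adv^zk = 2*Pr[ZK^D returns true] - 1 = Pr_real[D=1] - Pr_sim[D=1]."""
    p_real = sum(p for t, p in dist_real.items() if d(t) == 1)
    p_sim = sum(p for t, p in dist_sim.items() if d(t) == 1)
    return p_real - p_sim

def best_advantage(dist_real, dist_sim):
    """Statistical distance = advantage of the best possible distinguisher."""
    keys = set(dist_real) | set(dist_sim)
    return sum(abs(dist_real.get(t, 0) - dist_sim.get(t, 0)) for t in keys) / 2
```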

We gave a definition of what it means for the above protocol to be ZK. To show that this definition was met, we exhibited the above simulator.

Zero-knowledge beyond Quadratic Residuosity

Research

Research on zero-knowledge protocols

  • Considers different forms: perfect, statistical, computational, concurrent, malleable, non-malleable, reset-secure, non-interactive, succinct, …
  • Gives lots of protocols: For NP languages, for graph non-isomorphism, for PSPACE, with constant rounds, …

Utility?

In theory, zero-knowledge has lots of applications. Much recent work on efficient implementations. In systems for anonymous credentials and smart contracts. People who work on it like to claim it is practical. But in practice, usage is limited. Not everything cool is actually useful. We have other, more practical ways to solve real problems.