1 / 46

How to Stop Cheaters In Zero-Knowledge Interactive Proofs

How to Stop Cheaters In Zero-Knowledge Interactive Proofs. Oded Goldreich (Weizmann) Amit Sahai (MIT) Salil Vadhan (MIT). Proof: … ……….. …. . Proofs and Zero-Knowledge. Zero-Knowledge: yeild nothing beyond validity of assertion

stephanie-snider
Download Presentation

How to Stop Cheaters In Zero-Knowledge Interactive Proofs

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. How to Stop CheatersIn Zero-KnowledgeInteractive Proofs Oded Goldreich (Weizmann) Amit Sahai (MIT) Salil Vadhan (MIT)

  2. Proof: … ………..…. Proofs and Zero-Knowledge • Zero-Knowledge: yeild nothing beyond validity of assertion • Usual proof: - Convincing - Lots of Knowledge • New Notion of Proof: • Interactive Process: Prover tries to convince Verifier • Probabilistic Confidence I understand! I tell you, PNP! How’s that?

  3. Interactive Proof System[GMR]for a language L v1 p1 v2 pk accept/reject Verifier Prover • Interactive protocol in which computationally unbounded Prover tries to convince probabilistic poly-time Verifier that a string x belongs to language L. • (Completeness): When xL, Verifier accepts with high prob. • (Soundness): When xL, no matter what strategy Prover uses, Verifier accepts with low prob.

  4. 3 3 4 4 2 2 1 1 5 5 6 6 8 8 7 7 Graph Isomorphism The Problem: G1 G0 Are these graphs the same under a relabeling of vertices? YES 1 2 3 4 5 6 7 8 6 2 8 1 4 5 3 7 Relabeling: G0 G1

  5. Zero Knowledge Proof System [GMW] Prover Verifier Let H be graph obtained by random relabelingof G0 H Pick G0 or G1 at random: bÎR {0,1} b Let  be therelabeling H Gb  Check if  maps H Gb. If so, accept. If not, reject.

  6. G1 G0 H Why it works • Honest Verifier Simulator : • - Pick G0 or G1 at random first: bÎR {0,1}. • - Then let H be graph obtained by random • relabeling of Gb -- and call the relabeling . • Output (H, b,  ). • General Verifiers... Protocol H: rdm relabeling Of G0 b: random bit : relabeling H Gb Simulator H: rdm relabeling Of Gb b: random bit : relabeling H Gb

  7. Zero-Knowledge (ZK) • Zero-Knowledge means Verifier learns nothing except truth of assertion. • Implementation Idea: v1 When assertion is true, Verifier can produce transcripts of the interaction on her own. p1 v2 pk accept/reject • Scope: • Honest Verifier • Any Verifier

  8. Statistical Zero-Knowledge (SZK)Proof Systems[GMR]:Honest and General • Proof system for L is statistical zero-knowledgefor the Honest Verifier (HVZK) if for the honest Verifier V, there exists a probabilistic poly-time simulatorS such that, when xL, the output distribution S(x) is statistically close to the distribution of transcripts from actual interactions of V with Prover. • Proof system for L is statistical zero-knowledgefor General Verifiers (General ZK), if for every probabilistic poly-time Verifier V*, there exists a probabilistic poly-time simulatorS such that, when xL, the output distribution S(x) is statistically close to the distribution of transcripts from actual interactions of V* with Prover.

  9. Statistical Difference metric between distributions statistically close means statistical difference is exponentially small in input sizen =|x|.

  10. Our Results We show how to transform proofs ZK for the Honest Verifier into ones ZK for Any Verifier. Why? • Easier to prove statements about the honest-verifier model, e.g. HVSZK. By result, structural properties extend to General ZK as well. • Methodology: • Design an HVZK proof • Transform into General ZK proof

  11. Our Results (really) • For Public-Coin Statistical Zero-Knowledge Proof Systems: • Show how to transform any proof ZK • for Honest Verifier into proof ZK for Any Verifier. • No computational assumptions needed for transformation. • ZK condition holds even for computationally unbounded Verifiers • For SZK, [Oka96] gives a transformation:HV  Public-Coin HV. We transform:Public-Coin HV  General Hence, HV  General w/o Public Coins.

  12. Random Coins ÎR Public Coin Proofs[Babai] Arthur (Verifier) Merlin (Prover) Random Coins ÎR Response Response Accept/Reject

  13. Previous Work • Assuming one-way functions exist,HV  General. [BMO90, OVY93, Oka96] • Without such assumptions: but restricted to constant rounds, Public Coin HV  General. [Dam94, DGW94]

  14. Techniques • Main Ingredients: • A new Random Selection Protocol. • A new Hashing Lemma about 2-universal hash functions.

  15. Random Selection • Two distrustful parties agree on a random string. • If any one party is dishonest, output should still have random properties.

  16. Random Selection Random Selection The Transformation a1 b1 ar Arthur br Merlin a1 b1 Arthur Merlin ar br

  17. The Simulator Use the Honest-Verifier Simulator togenerate transcript: a1 b1 ar br a1 b1 ar br

  18. Desired Properties ofRandom Selection (RS)Protocol • When Merlin is Dishonest, need guarantee that Merlin cannot control output distribution too much to ensure soundness of resulting proof system. (details omitted) • When Arthur is Dishonest, need Simulatordistribution to be close to true distribution: • HV Simulator outputs nearly uniform a‘s.Hence, RS protocol must also. • Moreover, for almost every a, need to simulate RS protocol to output a.i.e. For almost any a, need distribution of Simulator for RS to be statistically close to distribution of actual RS transcripts, conditioned on the output being a.

  19. Random Selection [DGW] Arthur selects “random” partition of message space into cells of size poly(n). Merlin Arthur Cell Cell ÎRpartition aÎRCell a • When Arthur is Dishonest, can simulate for only a 1/poly(n) fraction of a’s. • Yields result only for constant round. • We fix this.

  20. Our Solution [DGW] RS protocol Set S of 2n a’s Arthur Merlin a a ÎR S • Use [DGW] protocol to select randomly among sets of 2n possible a’s. • Any 1/poly(n) fraction of such sets will cover the space of a’s almost uniformly. Accept/Reject

  21. Hash Functions • We use hash functions to describe setsof a’s. We will use h-1(0) to be our set of a’s. • For almost all h’s, h-1(0) is of size 2n. • H is a 2-universal family of hash functions, so a’s will be “well spread” over sets h-1(0). Accept/Reject

  22. New Random Selection Arthur selects “random” partition of Hinto cells of size poly(n). Merlin Arthur Cell Cell ÎRpartition hÎRCell h a aÎRh-1(0)

  23. Simulation ofRandom Selection (RS) • The random tape of Arthur is already fixed; Arthur is deterministic. • Simulator, on input a: • Obtains Arthur’s partition p. • Chooses cell y randomly among cells containing some h such that h(a)=0: • If Arthur picks h such that h(a)=0, output (p,y,h,a). Otherwise repeat. Why does this work?

  24. RS Protocol & Simulator Merlin Arthur Cell Cell ÎRpartition hÎRCell h a aÎRh-1(0) • Simulator, on input a: • Obtains Arthur’s partition p. • Chooses cell y randomly among cells containing some h such that h(a)=0. • If Arthur picks h such that h(a)=0, output (p,y,h,a). Otherwise repeat.

  25. New Hashing Lemma Let Í H be any set of size |{hBlue|h()=0}| |Blue|  |{h |h()=0}| | | (Hence the simulation is polynomial time) Moreover, the statistical difference between the following two distributions is at most 2-W(n) : {hBlue|h()=0} (Hence the simulation is statistically close.)

  26. Desired Properties ofRandom Selection (RS)Protocol • When Merlin is Dishonest, need guarantee that Merlin cannot control output distribution too much to ensure soundness of resulting proof system. (details omitted) • When Arthur is Dishonest, need Simulatordistribution to be close to true distribution: • HV Simulator outputs nearly uniform a‘s.Hence, RS protocol must also. • Moreover, for almost every a, need to simulate RS protocol to output a.i.e. For almost any a, need distribution of Simulator for RS to be statistically close to distribution of actual RS transcripts that output a.

  27. Conclusions • We transform Public-Coin proofs ZK for the Honest Verifer into proofs ZK for any Verifier. • HVSZK = SZK • We give a new Hashing Lemma which may be of independent interest.

  28. Statistical Zero-Knowledge (SZK)Proof Systems[GMR]:Honest and General • Proof system for L is statistical zero-knowledgefor the Honest Verifier (HVZK) if for the honest Verifier V, there exists a probabilistic poly-time simulatorS such that, when xL, the output distribution S(x) is statistically close to the distribution of transcripts from actual interactions of V with Prover.

  29. Proof system for L is statistical zero-knowledgefor General Verifiers (General ZK), if for every probabilistic poly-time Verifier V*, there exists a probabilistic poly-time simulatorS such that, when xL, the output distribution S(x) is statistically close to the distribution of transcripts from actual interactions of V* with Prover.

  30. Test This is the beginning of the end, he said. There is no hope. What’s the use in going on? We’re all dead anyway… The door opened. Hello there, my friend. Hello there, my friend. Hello there, my friend.

  31. Desired Properties ofRandom Selection (RS)Protocol • When Merlin is Dishonest, need guarantee that Merlin cannot control output distribution too much to ensure soundness of resulting proof system. (details omitted) • When Arthur is Dishonest, need Simulatordistribution to be close to true distribution: • HV Simulator outputs nearly uniform a‘s.Hence, RS protocol must also. • Moreover, for almost every a, need to simulate RS protocol to output a.i.e. Conditioned on a fixed a, need Simulator distribution to be statistically close to distribution of actual RS transcripts that output a.

  32. Computational Honest Statistical General Zero-Knowledge (ZK) • Zero-Knowledge means Verifier learns nothing except truth of assertion.Formally, can simulate interaction. Quality Scope We give a transformation: Proof ZK for Honest Verifier Proof ZK for General Verifiers

  33. Zero-Knowledge • Zero-Knowledge means Verifier learns nothing except truth of assertion. • Two classes of Verifiers: • Honest - follows the protocol • General- employs any strategy We give a transformation: Proof ZK for Honest Verifier Proof ZK for General Verifiers

  34. v1 p1 vk pk vk+1 Simulator Verifier Definitions Black-Box Simulator: Random Tape Simulator Verifier Computational Zero-Knowledge: Require Simulator Distribution to be only Computationally Indistinguishable rather than statistically close.

  35. Zero-Knowledge Proof [GMR85] v1 When assertion is true, Verifier can simulate her view of the interaction on her own. p1 v2 pk accept/reject Formally, a proof system is Statistical ZK iffor every Verifier, there is probabilistic poly-time simulator such that, when the assertion is true, its output distribution is statistically close to Verifier’s view of the interaction with Prover. Computational ZK : require simulator distribution to be computationally indistinguishable rather than statistically close.

  36. Our Results • For Public-Coin Proof Systems, for both Statistical ZK and Computational ZK: • Show how to transform any proof ZK • for Honest Verifier into proof ZK for Any Verifier. • For Statistical ZK, HVSZK = Public-Coin HVSZK [Oka96], so we show HVSZK = General SZK. • No computational assumptions • ZK condition holds even for computationally unbounded Verifiers

  37. Previous Work • For Computational Zero-Knowledge, assuming one-way functions exist, CZK = HVCZK = IP = PSPACE [GMW86, IY87, Ben-Or+88] • For Statistical Zero-Knowledge, assuming one-way functions exist, SZK = HVSZK [BMO90, OVY93, Oka96] • For both CZK and SZK, unconditionally, but restricted to constant round Public-Coin Proofs, Honest Verifier = General Verifier [Dam94, DGW94]

  38. Desired Properties ofRandom Selection (RS) • Dishonest Merlin: OK for Soundness by parallel repetitionof Original Proof System. • Dishonest Arthur: • Outcome a almost uniform. • For every a, can simulate RS to produce a. i.e. Conditioned on a fixed a, the simulator distribution is statistically close to distribution of actual RS transcripts that produce a.

  39. Random Selection [DGW] Arthur selects “random” partition of message space into cells of size poly(n). Merlin Arthur Cell Cell ÎRpartition aÎRCell a • Dishonest Merlin can cause at most 1/poly(n) statistical deviation. • For Dishonest Arthur: can simulate for only a 1/poly(n) fraction of a’s. • Yields result only for constant round. • We fix this.

  40. Properties ofRandom Selection (RS) • Dishonest Merlin: Still OK for Soundness. • Dishonest Arthur: • Outcome a almost uniform. • For almost every a, can simulate RS to produce a. i.e. Conditioned on a fixed a, the simulator distribution is statistically close to distribution of actual RS transcripts that produce a.

  41. Random Coins Response Public Coin Proofs[Babai] Arthur Merlin Random Coins Response Accept/Reject

  42. Properties ofRandom Selection (RS) • Dishonest Merlin: Still OK for Soundness. • Dishonest Arthur: • Outcome a almost uniform. • For almost every a, can simulate RS to produce a. i.e. Conditioned on a fixed a, the simulator distribution is statistically close to distribution of actual RS transcripts that produce a.

  43. New Hashing Lemma Let ÍH be any set of size (Hence the simulation is polynomial time) Moreover, the statistical difference between the following two distributions is at most 2-W(n) : (Hence the simulation is statistically close.)

  44. Conclusions • We transform Public-Coin proofs ZK for the Honest Verifer into proofs ZK for any Verifier. • HVSZK = SZK • Public-Coin HVCZK= Public-Coin CZK • We give a new Hashing Lemma which may be of independent interest.

  45. Honest-Verifier Statistical Zero-Knowledge EqualsGeneral Statistical Zero-Knowledge Oded Goldreich (Weizmann) Amit Sahai (MIT) Salil Vadhan (MIT)

More Related