Zero Knowledge Proofs - PowerPoint PPT Presentation

Loading...

PPT – Zero Knowledge Proofs PowerPoint presentation | free to download - id: 6b6b2c-ZGJlO



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Zero Knowledge Proofs

Description:

Zero Knowledge Interactive proof for Graph Isomorphism-cont. Building simulator M* for graph isomorphism problem We will define simulator M* as follows: ... – PowerPoint PPT presentation

Number of Views:28
Avg rating:3.0/5.0
Slides: 36
Provided by: uCsBiuAc
Category:
Tags: graph | knowledge | proofs | zero

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Zero Knowledge Proofs


1
Zero Knowledge Proofs

2
Interactive proof
  • An Interactive Proof System for a language L is
    a two-party game between a verifier and a prover
    that interact on a common input in a way
    satisfying the following properties

3
Interactive proof
  • The verifiers strategy is a probabilistic
    polynomial-time procedure.
  • Correctness requirements
  • Completeness There exists a prover strategy P,
    such that for every x?L, when interacting on a
    common input x, the prover P convinces the
    verifier with probability at least 2/3.
  • Soundness For every x?L, when interacting on the
    common input x, any prover strategy P convinces
    the verifier with probability at most 1/3.

4
Zero Knowledge Proof
  • Let (P,V) be an interactive proof system for some
    language L. We say that (P,V), actually P, is
    zero-knowledge if for every probabilistic
    polynomial-time ITM V there exists a
    probabilistic polynomial-time machine M s.t. for
    every x?L holds
  • ltP,Vgt(x)x?L ? M(x)x?L
  • Machine M is called the simulator for the
    interaction of V with P.

5
Perfect Zero Knowledge
  • Definition
  • Let (P,V) be an interactive proof system for
    some language L. We say that (P,V), actually P,
    is perfect zero-knowledge (PZK) if for every
    probabilistic polynomial time ITM V there exists
    a probabilistic polynomial-time machine M s.t.
    for every x?L the distributions ltP,Vgt(x)x?L
    and M(x)x?L are identical, i.e.,
    ltP,Vgt(x)x?L ? M(x)x?L

6
Statistical Zero Knowledge
  • Definition
  • Let (P,V) be an interactive proof system for some
    language L. We say that (P,V), actually P, is
    statistical zero knowledge (SZK) if for every
    probabilistic polynomial time verifier V there
    exists a probabilistic polynomial-time machine M
    s.t. the ensembles ltP,Vgt(x)x?L and M(x)x?L
    are statistically close.

7
Statistical Zero Knowledge
  • Definition-cont.
  • The distribution ensembles Axx?L and Bxx?L
    are statistically close or have negligible
    variation distance if for every polynomial p()
    there exits integer N such that for every x?L
    with x ? N holds ?? Pr Ax ? Pr Bx
    ? ? p(x)-1

8
Computational Zero Knowledge
  • Definition
  • Let (P,V) be an interactive proof system for some
    language L. (P,V), actually P, is computational
    zero knowledge (CZK) if for every probabilistic
    polynomial-time verifier V there exists a
    probabilistic polynomial-time machine M s.t. the
    ensembles ltP,Vgt(x)x?L and M(x)x?L are
    computationally indistinguishable.

9
Computational Zero Knowledge
  • Definition
  • Two ensembles Axx?L and Bxx?L are
  • computationally indistinguishable if for
  • every probabilistic polynomial time
  • distinguisher D and for every polynomial p()
  • there exists an integer N such that for every
  • x?L with x ? N holds
  • Pr D(x,Ax) 1 Pr D(x,Bx) 1 ? p(x)-1

10
Graph Isomorphism problem
  • Definition
  • Graph Isomorphism two graphs G0 (V0,E0) and G1
    (V1, G1) are isomorphic ? ? permutation ?
  • s.t
  • ? (u,v) ? E0 ?(? (u), ?(v)) ? E1
  • if G0 and G1 are isomorphic and ? is an
    isomorphism between G0 to G1 we write G1 ?(G0)
    .

11
Graph Isomorphism problem
  • Graph Isomorphism problem Given Two Graphs G1
    and G2 Are They Isomorphic ?
  • Lemma GI ?ZK
  • Proof Zero Knowledge Interactive Proof for GI.

12
Zero Knowledge Interactive proof for Graph
Isomorphism
  • 1. Repeat the following n times
  • 2. The Prover chooses a random permutation ? of
    (1n) and computes H ?(G1) and send it to the
    verifier.
  • 3. The verifier chooses randomly i1 or 2 and
    sends it to the prover.

13
Zero Knowledge Interactive proof for Graph
Isomorphism-cont.
  • 4. The prover chooses permutation ? s.t H
    ?(Gi).
  • If i1 the prover sends ? to the verifier
    otherwise the prover will send ? ?-1 .(? is the
    isomorphism between G1 and G2.
  • 5. The verifier checks if H is the image of Gi
    under ?.
  • 6. The verifier accepts if H is the image of Gi
    in all n rounds.

14
Zero Knowledge Interactive proof for Graph
Isomorphism-cont.

Prover
Verifier
? H ?(G1)
i1,2
R
? or ? ?-1
Checks if H is the image of Gi
15
Building simulator M for graph isomorphism
problem
  • We will define simulator M as follows
  • Input(G0, G1) ? ISO
  • 1.Randomly chooses a random string RANDOM and
    puts it on the Random tape of Verifier V.
  • 2. Randomly chooses a ?0,1 and permutation ?
    and construct H ?(Ga) send H to V .

16
Building simulator M for graph isomorphism
problem
  • 3. Receive b from V .
  • If b ?0,1 then outputs RANDOM,H,b and
    STOP.
  • If a b then outputs RANDOM,H,b, ? and
    STOPelse GOTO 1 .

17
Zero-Knowledge Password Proofs
  • 1. The prover finds two large primal numbers - p
    and q and sends npq to the verifier
  • 2. r is a random number belongs to n, n4. The
    prover sends x2 modn and r2 modn to the verifier.
  • 3. The verifier then randomly asks for r or xr
    and checks the prover.

18
Zero-Knowledge Password Proofs
Prover
Verifier

npq x2 modn r2 modn
Asks for xr or r
xr or r
Checks the Prover
19
NP and Zero Knowledge proofs
  • Lemma NP?ZK
  • Proof 3col?ZK .

20
Zero Knowledge proof for 3col problem
  • 1. The prover randomly chooses a permutation ?.
    Computes ?(c(v)), puts in envelopes and sends to
    the verifier.
  • 2. The verifier chooses randomly
  • (u,v) ?E and opens the envelope.
  • If the colors are different and legal he answers
    yes.

21
Zero Knowledge proof for 3col problem
Prover
Verifier

permutation ?. ?(c(v))
Chooses (u,v) ?E
envelope
Checks that colors are different
22
ZK protocol for Co-SAT
  • Transform the CNF to a polynom by these
    transformation rules
  • 1. T ? positive value
  • 2. F ? 0
  • 3. Xi ? Xi
  • 3. ? Xi ? (1-Xi)
  • 4. OR ?
  • 5. AND ?

23
ZK protocol for Co-SAT
  • The protocol
  • 1. The prover selects a prime number q gt 2n 3m
    and sends to the verifier.
  • 2. The verifier checks that q is prime. If q
    isnt prime halts and rejects.

24
ZK protocol for Co-SAT
  • 3. V0 is at the initialized at value zero. The
    prover does the following for i1n. The prover
    computes polynom Pi that its rank is at most m .
  • The construction of Pi
  • P1(x) ? xn 0,1. ? xn0,1 p(x1 xn)
  • P2(x) ? xn 0,1. ? xn0,1 p(r1,x, x3 xn)
  • Pn(x) p(r1,... Rn-1, xn ) the prover puts
    polynom Pi in envelopes and send to the verifier.

25
ZK protocol for Co-SAT
  • 4. The prover moves to the next stage(ii1).
  • 5. We know that the verifier will accept
  • if ? r1 ri rn s.t Pi(0) Pi(1) vi -1modq.
  • Since checking each assignment is polynomial this
    problem is in NP .
  • We can now do a reduction from any NP problem to
    3col ? ZK .

26
ZK protocol for Graph non isomorphism
  • Definition
  • Graph non Isomorphism given two graphs G0
    (V0,E0) and G1 (V1, G1) .
  • (G0, G1 )?GNI ?
  • there is no permutation ?
  • s.t
  • ? (u,v) ? E0 ?(? (u), ?(v)) ? E1

27
ZK protocol for Graph non isomorphism
  • 1. The verifier chooses randomly a number i
    ?(0,1) . The verifier chooses a random
    permutation ? and computes H ? (Gi). Then the
    verifier chooses randomly j ?(0,1) . The verifier
    creates the pair of graphs (H0, H1) such that
  • if j0
  • H0 is a permutation of G0
  • H1 is a permutation of G1

28
ZK protocol for Graph non isomorphism
  • if j1
  • H0 is a permutation of G1
  • H1 is apermutation of G0
  • the verifier sends H and the pair (H0, H1).

29
ZK protocol for Graph non isomorphism
  • 2. The prover chooses randomly
  • b ?(0,1) . The prover sends b to the verifier .
  • If b0 then the verifier sends the prover the
    isomorphism between (G0, G1) and (H0, H1).
  • If b1 the verifier sends the prover the
    isomorphism between H and (H0, H1) .

30
ZK protocol for Graph non isomorphism
  • 3. The prover checks that the right isomorphism
    is sent otherwise it stops. the prover computes b
    such that Gb is isomorphic to H and sends b to V
    . If there is no such b , the prover sends a
    random b.
  • 4. The verifier accepts if jb.

31
ZK protocol for Graph non isomorphism
Prover
Verifier

1. i ?(0,1) 2.H ? (Gi) 3. H and the pair (H0,
H1)
1.Isomorphism between (G0, G1) and (H0, H1).
OR 2.Isomorphism between (H0, H1) and H.
Check isomorphism computes b
checks that jb
32
ZK protocol for Graph non isomorphism
  • Lemma GNI ? PZK
  • Proof building M
  • s.t ltP,Vgt(x)x?L ? M(x)x?L
  • 1. The machine M takes random string of bits and
    puts ot on a Random tape.

33
ZK protocol for Graph non isomorphism
  • Mv does the following n times
  • 2. Mv waits to get H and the pair (H0, H1) from
    V .
  • 3. Mv chooses a random b .
  • 4. Mv gets from V the isomorphism between H
    and (H0, H1) and (G0, G1). Mv checks if it is
    not the right isomorphism it stops.

34
ZK protocol for Graph non isomorphism
  • Otherwise1. Returns V to the point after H and
  • (H0, H1) were received.
  • 2. choose b again and sends to V
  • 3. Waits to get I from V
  • I- isomorphism received from V.

35
ZK protocol for Graph non isomorphism
  • If b?b then the Mv finds isomorphism from I and
    I, from G0,G1 to (H0, H1) and from (H0, H1) to
    H. The machine uses this information to find
    Isomorphism from H to G0 , G1.
  • 4. The machine Mv uses this information to
    compute V and sends it to V.
About PowerShow.com