Lecture 11: Zero-Knowledge Proofs II,
Commitments, Coin Flipping, Hardcore Bits
Introduction to Modern Cryptography∗
Benny Applebaum
Tel-Aviv University
Fall Semester, 2011–12
* Some of these slides are based on Benny Chor's slides.
Reminder: Honest-Verifier Zero-Knowledge Proofs
The view view_V(x) of the verifier V in a proof system is a random variable that consists of the public input x, the internal randomness of V, and the incoming messages.
Definition (Honest Verifier Perfect Zero-Knowledge Proofs)
An HVZK system for a language L is a proof system (P, V) that has an efficient simulator S, running in expected polynomial time, such that for every x ∈ L
  S(x) ≡ view_V(x).
Note: zero-knowledge should hold only for x ∈ L!
Today: require ZK against a cheating verifier
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 11
Fall Semester, 2011–12
2 / 29
Zero-Knowledge Proofs with Cheating Verifier
Definition (Zero-Knowledge Proofs)
A ZK system for a language L is a proof system (P, V) such that for every verifier V* there exists an efficient simulator S = S_{V*} such that for every x ∈ L
  S(x) ≡ view_{V*}(x).
The simulator is allowed to run in expected polynomial time.
≡ means that the two r.v.'s are identically distributed.
Computational variant: S(x) and view_{V*}(x) are (t, ε)-indistinguishable.
Back to Graph Isomorphism
Public statement: G0 = (V, E0) is isomorphic to G1 = (V, E1)
Peggy knows an isomorphism π. (←R denotes a uniformly random choice.)
  1. Peggy: σ ←R Π, sends H = σ(G0) to Vicky.
  2. Vicky: b ←R {0, 1}, sends b to Peggy.
  3. Peggy: sends α = σ if b = 0, and α = σ ∘ π if b = 1.
Honest Verifier ZK:
Vicky's view is H ←R Iso(G0), b ←R {0, 1}, α ←R Π s.t. H = α(G_b),
where Iso(G0) is the set of all graphs isomorphic to G0.
Simulator S: α ←R Π, b ←R {0, 1}, H = α(G_b).
What about a Cheating Verifier?
Public statement: G0 = (V, E0) is isomorphic to G1 = (V, E1)
  1. Peggy: σ ←R Π, sends H = σ(G0).
  2. Vicky*: b ← ? (chosen arbitrarily, possibly depending on H), sends b.
  3. Peggy: sends α = σ if b = 0, and α = σ ∘ π if b = 1.
V*'s view is H ←R Iso(G0), b ← ?, α ←R Π s.t. H = α(G_b)
Old simulator: α ←R Π, b ←R {0, 1}, H = α(G_b)
Does not work: view_{V*}(G0, G1) ≢ S(G0, G1)
Simple Cheating Verifier
Public statement: G0 = (V, E0) is isomorphic to G1 = (V, E1)
  1. Peggy: σ ←R Π, sends H = σ(G0).
  2. Vicky*: b ← 1 (always), sends b.
  3. Peggy: sends α = σ if b = 0, and α = σ ∘ π if b = 1.
V*'s view is H ←R Iso(G0), b ← 1, α ←R Π s.t. H = α(G_b)
Simulator: α ←R Π, b ← 1, H = α(G_b)
Works well: view_{V*}(x) ≡ S(x)
In general, if we can predict b at the beginning we are good!
What if b is hard to predict?
Public statement: G0 = (V, E0) is isomorphic to G1 = (V, E1)
  1. Peggy: σ ←R Π, sends H = σ(G0).
  2. Vicky*: b ← SHA2(H) (a bit derived by hashing H), sends b.
  3. Peggy: sends α = σ if b = 0, and α = σ ∘ π if b = 1.
V*'s view is H ←R Iso(G0), b ← SHA2(H), α ←R Π s.t. H = α(G_b)
Simulator: α ←R Π, b ← SHA2(?), H = α(G_b)
Houston, we have a problem...
Idea: guessing b at the beginning succeeds w.p. 1/2; if the guess fails, try again.
General Cheating Verifier
Public statement: G0 = (V, E0) is isomorphic to G1 = (V, E1)
  1. Peggy: σ ←R Π, sends H = σ(G0).
  2. Vicky*: b ← ?, sends b.
  3. Peggy: sends α = σ if b = 0, and α = σ ∘ π if b = 1.
V*'s view is H ←R Iso(G0), b ← ?, α ←R Π s.t. H = α(G_b)
Simulator S^{V*}:
  1. α ←R Π, b' ←R {0, 1}, H = α(G_{b'})
  2. Invoke b ← V*(G0, G1, H)
  3. If b = b' output (α, b', H); otherwise, go to 1.
Analysis: view_{V*}(G0, G1) ≡ S^{V*}(G0, G1). Why?
Expected running time: 2 · (running time of V*) = polynomial. Why?
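The graph-isomorphism protocol and the rewinding simulator S^{V*} from the last slides, as an added worked example (this code is not from the lecture). It assumes a small constructed instance: G1 = TAU(G0) for a fixed relabelling TAU, with Peggy's secret π = TAU^{-1} so that π(G1) = G0, which is the direction the "α = σ ∘ π" response needs. The "SHA2(H)" cheating verifier of the previous slide is included as `hash_verifier`; the simulator guesses b', builds H from G_{b'}, asks V* for b, and rewinds on a mismatch, so on average it needs 2 attempts.

```python
import hashlib
import secrets

# Constructed sample instance (not from the lecture): a 6-vertex graph G0,
# G1 = TAU(G0), and Peggy's secret isomorphism PI = TAU^-1 so that PI(G1) = G0.
N = 6
E0 = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (5, 0), (0, 3)])
TAU = [3, 5, 0, 2, 4, 1]
PI = [TAU.index(v) for v in range(N)]   # inverse permutation of TAU
RNG = secrets.SystemRandom()


def apply_perm(perm, edges):
    """Relabel every edge {u, v} of a graph to {perm[u], perm[v]}."""
    return frozenset(frozenset(perm[v] for v in e) for e in edges)


def compose(outer, inner):
    """Permutation composition: (outer ∘ inner)(v) = outer[inner[v]]."""
    return [outer[inner[v]] for v in range(len(inner))]


def random_perm():
    p = list(range(N))
    RNG.shuffle(p)
    return p


E1 = apply_perm(TAU, E0)


# --- the three-move protocol of the slide --------------------------------------
def peggy_commit():
    sigma = random_perm()
    return sigma, apply_perm(sigma, E0)              # H = sigma(G0)


def peggy_respond(sigma, b):
    return sigma if b == 0 else compose(sigma, PI)   # alpha = sigma or sigma ∘ pi


def vicky_check(H, b, alpha):
    return H == apply_perm(alpha, E1 if b else E0)   # accept iff H = alpha(G_b)


def run_protocol(choose_b):
    """Real interaction; choose_b is the verifier's (possibly cheating) challenge rule."""
    sigma, H = peggy_commit()
    b = choose_b(H)
    alpha = peggy_respond(sigma, b)
    return (H, b, alpha), vicky_check(H, b, alpha)


# --- verifier strategies -------------------------------------------------------
def honest_verifier(H):
    return RNG.randrange(2)


def hash_verifier(H):
    """The slide's 'b = SHA2(H)' cheater: the challenge is a hash bit of H, so it
    cannot be predicted before H is fixed."""
    canon = repr(sorted(sorted(e) for e in H))
    return hashlib.sha256(canon.encode()).digest()[0] & 1


# --- the rewinding simulator S^{V*} ---------------------------------------------
def simulate(choose_b):
    """Guess b', build H from alpha and G_{b'}, ask V* for b, restart if b != b'.
    Each attempt succeeds with probability 1/2, so the expected number is 2."""
    attempts = 0
    while True:
        attempts += 1
        alpha, b_guess = random_perm(), RNG.randrange(2)
        H = apply_perm(alpha, E1 if b_guess else E0)
        b = choose_b(H)
        if b == b_guess:
            return (H, b, alpha), attempts


def simulated_view_is_consistent(deterministic_vstar, trials=200):
    """For a deterministic V*: every simulated transcript must pass Vicky's check
    and carry exactly the challenge V* sends on that H. Returns (ok, mean attempts)."""
    total = 0
    for _ in range(trials):
        (H, b, alpha), attempts = simulate(deterministic_vstar)
        if not (vicky_check(H, b, alpha) and deterministic_vstar(H) == b):
            return False, None
        total += attempts
    return True, total / trials
```

`simulate` never touches π: it produces accepting transcripts for the cheating verifier using only the public graphs, which is exactly what zero-knowledge asserts.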
Repetition
Recall that the basic proof system had soundness error 1/2.
To reduce the soundness error we repeated the protocol t times, either in parallel or sequentially.
HV zero-knowledge is preserved under parallel/sequential repetition.
What about general zero-knowledge?
It turns out that cheating-verifier zero-knowledge is preserved under sequential repetition but not under parallel repetition.
Let's see why.
Simulating Cheating Verifier under Parallel Repetition?
Public statement: G0 = (V, E0) is isomorphic to G1 = (V, E1)
  1. Peggy: σ1, ..., σt ←R Π, sends Hi = σi(G0) for all i = 1, ..., t.
  2. Vicky*: (b1, ..., bt) ← ?, sends all t bits at once.
  3. Peggy: sends αi = σi ∘ π^{bi} for all i.
Simulator S^{V*}:
  1. For every i: αi ←R Π, b'i ←R {0, 1}, Hi = αi(G_{b'i})
  2. Invoke (b1, ..., bt) ← V*(G0, G1, H1, ..., Ht)
  3. If bi = b'i for all i, output ((αi)_i, (b'i)_i, (Hi)_i); otherwise, go to 1.
Expected running time: 2^t · (running time of V*) = exponential in t!
In general, parallel repetition does not preserve ZK!
Open: is this protocol secure under parallel repetition?
Simulating Cheating Verifier under Sequential Repetition?
Public statement: G0 = (V, E0) is isomorphic to G1 = (V, E1)
For i = 1, ..., t:
  1. Peggy: σi ←R Π, sends Hi = σi(G0).
  2. Vicky*: bi ← ?, sends bi.
  3. Peggy: sends αi = σi ∘ π^{bi}.
V*'s view is (Hi ←R Iso(G0), bi ← ?, αi ←R Π)_{1≤i≤t} s.t. Hi = αi(G_{bi})
Simulator S^{V*}: let i = 1; while i ≤ t do:
  1. αi ←R Π, b'i ←R {0, 1}, Hi = αi(G_{b'i})
  2. Call bi ← V*(G0, G1, H1, ..., Hi−1)
  3. If bi = b'i record (αi, b'i, Hi) and go to 1 with i = i + 1.
  4. Otherwise, rewind V* one step and repeat the i-th iteration.
Expected running time: 2t iterations = polynomial in t!
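The two simulators side by side, as an added example (not the lecture's code), to make the 2t-versus-2^t cost visible. It assumes a constructed 5-cycle instance and a cheating verifier V* whose i-th challenge bit is a SHA-256 bit over every commitment it has seen so far (H1..Hi sequentially, all of H1..Ht in parallel), so no bit is predictable before the commitments are fixed. The sequential simulator rewinds one round at a time and makes about 2 calls to V* per round; the parallel one has to guess all t bits in one go and succeeds with probability 2^-t per attempt.

```python
import hashlib
import random

# Constructed instance (not from the lecture): G0 is a 5-cycle, G1 = TAU(G0),
# and Peggy's secret PI = TAU^-1 so that PI(G1) = G0.
N = 5
E0 = frozenset(frozenset((i, (i + 1) % N)) for i in range(N))
TAU = [2, 0, 4, 1, 3]
PI = [TAU.index(v) for v in range(N)]


def apply_perm(perm, edges):
    return frozenset(frozenset(perm[v] for v in e) for e in edges)


E1 = apply_perm(TAU, E0)


def random_perm(rng):
    p = list(range(N))
    rng.shuffle(p)
    return p


def canon(H):
    return repr(sorted(sorted(e) for e in H))


def vstar_bit(seen, i):
    """Cheating verifier: b_i is bit i of SHA-256 over all commitments seen so far."""
    digest = hashlib.sha256("|".join(canon(H) for H in seen).encode()).digest()
    return (digest[i // 8] >> (i % 8)) & 1


def fresh_round(rng):
    """One simulator guess: random alpha, random b', H = alpha(G_{b'})."""
    alpha, b_guess = random_perm(rng), rng.randrange(2)
    return apply_perm(alpha, E1 if b_guess else E0), b_guess, alpha


def sequential_simulate(t, rng):
    """Round i is retried on its own until the guess matches V*'s b_i (rewinding
    one round), so about 2 calls to V* per round: ~2t calls in total."""
    transcript, calls = [], 0
    while len(transcript) < t:
        H, b_guess, alpha = fresh_round(rng)
        calls += 1
        seen = [h for h, _, _ in transcript] + [H]
        if vstar_bit(seen, len(transcript)) == b_guess:
            transcript.append((H, b_guess, alpha))
        # else: rewind V* to the start of this round and guess again
    return transcript, calls


def parallel_simulate(t, rng, budget):
    """All t guesses must be right at once (probability 2^-t per attempt).
    Gives up after `budget` attempts and returns (None, budget)."""
    for attempt in range(1, budget + 1):
        rounds = [fresh_round(rng) for _ in range(t)]
        Hs = [H for H, _, _ in rounds]
        if all(vstar_bit(Hs, i) == b for i, (_, b, _) in enumerate(rounds)):
            return rounds, attempt
    return None, budget


def transcript_valid(transcript, parallel):
    """Each round must pass Vicky's check and carry the bit V* really sends."""
    Hs = [H for H, _, _ in transcript]
    for i, (H, b, alpha) in enumerate(transcript):
        seen = Hs if parallel else Hs[: i + 1]
        if H != apply_perm(alpha, E1 if b else E0) or vstar_bit(seen, i) != b:
            return False
    return True
```

With t = 16 the sequential simulator typically finishes in a few dozen calls, whereas the parallel simulator at t = 30 will exhaust any practical budget (the expected number of attempts is 2^30).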
Zero-Knowledge Proof for NP
We will show a ZK proof system for every language in NP
• E.g., m = pq where p and q are primes
• E.g., c is an encryption under AES of a string that ends with 000
It suffices to do it for a single NP-hard language (Ex)
We will do it for graph 3-coloring
A graph G is 3-colorable if the nodes can be colored with 3 colors s.t. neighboring nodes have distinct colors
How can we prove in zero-knowledge that a graph is 3-colorable?
Physical protocol
Tool: Commitment Scheme
Instead of using locked boxes the prover will commit to its coloring
Commitment: algorithm Com_k(m) uses a random key k ←R K to commit to a value m
To open the commitment c, reveal k and m and let the verifier check that c = Com_k(m).
Hiding: Com_k(m) should be computationally indistinguishable from Com_k(m')
Binding: for every commitment c there exists a single valid opening (m, k).
Hence, after committing to m, it is impossible to change your mind and open the commitment to a different value.
We will later see how to build commitments.
ZK for 3-Colorability (Goldreich, Micali and Wigderson)
Public statement: G = (V = {1, ..., n}, E) is 3-colorable.
Peggy knows a coloring ρ : V → {R, G, B}.
Let Π be the set of permutations over the colors {R, G, B}.
  1. Peggy: π ←R Π and ki ←R K for every i ∈ V; sets mi = π(ρ(i)) and sends the commitments (ci = Com_{ki}(mi))_{i∈V}.
  2. Vicky: (i, j) ←R E, sends (i, j).
  3. Peggy: sends the openings (mi, ki), (mj, kj).
Vicky accepts iff: ci = Com_{ki}(mi), cj = Com_{kj}(mj), mi ≠ mj, and mi, mj ∈ {R, G, B}.
Completeness: immediate.
ZK for 3-Colorability (Goldreich, Micali and Wigderson)
Public statement: G = (V = {1, ..., n}, E) is 3-colorable.
Peggy knows a coloring ρ : V → {R, G, B}.
Let Π be the set of permutations over the colors {R, G, B}.
Now Peggy may be cheating, producing her messages by an arbitrary ("crazy") computation:
  1. Peggy: sends (ci)_{i∈V}.
  2. Vicky: (i, j) ←R E, sends (i, j).
  3. Peggy: sends (mi, ki), (mj, kj).
Vicky accepts iff: ci = Com_{ki}(mi), cj = Com_{kj}(mj), mi ≠ mj, and mi, mj ∈ {R, G, B}.
Soundness:
Lemma: if G is not 3-colorable, the verifier rejects w.p. ≥ 1/|E|.
ZK for 3-Colorability (Goldreich, Micali and Wigderson)
  1. Peggy: π ←R Π, ki ←R K, mi = π(ρ(i)); sends (ci = Com_{ki}(mi))_{i∈V}.
  2. Vicky*: (i, j) ← ?, sends (i, j).
  3. Peggy: sends (mi, ki), (mj, kj).
Zero-knowledge: the simulator S^{V*}:
  1. Guess (i', j') ←R E
  2. Color each node t by a random color mt conditioned on m_{i'} ≠ m_{j'}. (The coloring does not have to be legal.)
  3. Commit to the coloring: ci = Com_{ki}(mi)
  4. Invoke (i, j) ← V*(G, (c1, ..., cn))
  5. If (i, j) = (i', j') output ((c1, ..., cn), (i, j), (mi, ki), (mj, kj)); otherwise, go to 1.
What is the expected running time?
Why is the output indistinguishable from view_{V*}(G)?
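The GMW protocol of the last three slides, as an added example (not the lecture's code): one round of the honest interaction, the soundness check on a non-3-colorable graph (K4, where any coloring has a monochromatic edge, so a cheating prover is caught with probability ≥ 1/|E| per round), and the rewinding simulator for a cheating verifier that picks its edge from a hash of the commitments. The commitment Com_k(m) = SHA-256(k || m) with a fresh 128-bit key k is an assumption standing in for the lecture's hardcore-bit construction, and the 5-vertex graph and its coloring are constructed for this example.

```python
import hashlib
import secrets

# Constructed instance (not from the lecture): a 5-vertex graph with a known
# proper 3-coloring RHO, plus K4 (no 3-coloring exists) for the soundness check.
V = [0, 1, 2, 3, 4]
E = [(0, 1), (1, 2), (0, 2), (0, 3), (1, 3), (1, 4), (2, 4)]
RHO = {0: "R", 1: "G", 2: "B", 3: "B", 4: "R"}          # Peggy's witness
K4_V, K4_E = [0, 1, 2, 3], [(a, b) for a in range(4) for b in range(a + 1, 4)]
COLORS = "RGB"
RNG = secrets.SystemRandom()


def commit(key, msg):
    """Stand-in commitment Com_k(m) = SHA-256(k || m) (assumption; not the lecture's
    hardcore-bit scheme). Binding by collision resistance, hiding by the fresh key."""
    return hashlib.sha256(key + msg.encode()).digest()


def is_proper(edges, coloring):
    return all(coloring[i] != coloring[j] for i, j in edges)


# --- Peggy ----------------------------------------------------------------------
def peggy_commit(vertices, coloring):
    """Permute the colours with a fresh pi and commit to m_i = pi(rho(i)) for all i."""
    pi = dict(zip(COLORS, RNG.sample(COLORS, 3)))
    msgs = {i: pi[coloring[i]] for i in vertices}
    keys = {i: secrets.token_bytes(16) for i in vertices}
    comms = {i: commit(keys[i], msgs[i]) for i in vertices}
    return comms, (msgs, keys)


def peggy_open(state, edge):
    msgs, keys = state
    i, j = edge
    return (msgs[i], keys[i]), (msgs[j], keys[j])


# --- Vicky ----------------------------------------------------------------------
def vicky_accept(comms, edge, openings):
    (mi, ki), (mj, kj) = openings
    i, j = edge
    return (comms[i] == commit(ki, mi) and comms[j] == commit(kj, mj)
            and mi != mj and mi in COLORS and mj in COLORS)


def run_round(vertices, edges, coloring, choose_edge):
    comms, state = peggy_commit(vertices, coloring)
    edge = choose_edge(comms)
    return vicky_accept(comms, edge, peggy_open(state, edge))


def honest_edge(edges):
    return lambda comms: RNG.choice(edges)


# --- soundness: a cheating prover on K4 is caught w.p. >= 1/|E| per round -------
def cheater_caught(rounds):
    """Every 'coloring' of K4 has a monochromatic edge; repetition finds it."""
    fake = {0: "R", 1: "G", 2: "B", 3: "R"}           # best a cheating prover can do
    return any(not run_round(K4_V, K4_E, fake, honest_edge(K4_E)) for _ in range(rounds))


# --- zero-knowledge: the rewinding simulator S^{V*} ----------------------------
def hash_edge(comms):
    """Cheating verifier: picks the challenge edge from a hash of the commitments."""
    h = hashlib.sha256(b"".join(comms[i] for i in sorted(comms))).digest()
    return E[h[0] % len(E)]


def simulate(vstar):
    attempts = 0
    while True:
        attempts += 1
        i0, j0 = RNG.choice(E)                        # 1. guess the edge V* will ask for
        msgs = {t: RNG.choice(COLORS) for t in V}     # 2. random, not necessarily legal,
        while msgs[i0] == msgs[j0]:                   #    coloring with m_i0 != m_j0
            msgs[j0] = RNG.choice(COLORS)
        keys = {t: secrets.token_bytes(16) for t in V}
        comms = {t: commit(keys[t], msgs[t]) for t in V}   # 3. commit
        edge = vstar(comms)                           # 4. invoke V*
        if edge == (i0, j0):                          # 5. output, or rewind and retry
            return (comms, edge, ((msgs[i0], keys[i0]), (msgs[j0], keys[j0]))), attempts


def simulation_consistent(trials=50):
    """Simulated transcripts pass Vicky's check and carry V*'s own edge choice."""
    for _ in range(trials):
        (comms, edge, openings), _ = simulate(hash_edge)
        if not vicky_accept(comms, edge, openings) or hash_edge(comms) != edge:
            return False
    return True
```

The simulator only ever opens the two committed nodes it guessed, so the fact that its other commitments hide an illegal coloring is never exposed; this is where the hiding property does the work.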
Riddle
Can you prove in zero-knowledge that you know how to solve a given Sudoku board?
Solution
More about Commitment Scheme
Commitment: algorithm Com_k(x) uses a random key k ←R K to commit to a value x
Hiding: Com_k(x) should be computationally indistinguishable from Com_k(x')
Binding: for every commitment c there exists a single valid opening (x, k).
Dual variant: hiding is information-theoretic and binding holds only computationally.
Q: Can you achieve both properties information-theoretically?
Commitments are extremely useful tools in crypto; we'll see one application and one construction of commitments.
Coin Tossing Over the Phone
Alice and Bob talk on the phone/messenger/Facebook/...
Alice: Let's go to a movie.
Bob: Let's go to a concert.
Alice: OK, let's toss a coin. What do you choose?
Bob: 0.
Alice: OK, I am tossing... bad for you, the outcome is 1!
Bob: Cheater!
Can two non-trusting parties toss a fair coin over the phone?
Using Commitment for Coin Tossing (Blum)
  1. Alice: a ←R {0, 1}, k ←R K; sends A = Com_k(a) to Bob.
  2. Bob: b ←R {0, 1}; sends b to Alice.
  3. Alice: sends k, a.
If A = Com_k(a) the outcome is a ⊕ b.
Otherwise, Alice cheated and Bob can determine the result.
Analysis:
• By hiding, the bit b is independent of a.
• By binding, Alice cannot change the bit a after seeing b, and so a is independent of b.
• Hence, neither Alice nor Bob can bias the result.
Constructing Commitments
There are several ways to construct Commitments.
We will show a construction based on Injective One-way functions
and Hardcore predicates.
Hardcore Bits for One-Way Functions
Let F : X → Y be a one-to-one one-way function.
Intuitively, B : X → {0, 1} is a hardcore bit for F if:
• x → B(x) is easy to compute
• F(x) → B(x) is hard to compute
Formally,
Definition
An efficiently computable predicate B : X → {0, 1} is a (t, ε) hardcore bit for F if for every adversary A of complexity t:
  Pr_{x ←R X}[A(F(x)) = B(x)] ≤ 1/2 + ε.
Note that predicting B(x) cannot be harder than inverting F.
From Hardcore Bits to Bit Commitment Scheme
Let F : X → Y be a one-to-one OWF with hardcore bit B : X → {0, 1}.
Construction
To commit to a bit m ∈ {0, 1} under key x ←R X let
  Com_x(m) = (F(x), B(x) ⊕ m).
Binding:
For every commitment (y, b) there exists at most a single x s.t. F(x) = y.
Hence, the commitment can be opened to at most a single value: m = b ⊕ B(x).
From Hardcore Bits to Bit-Commitment Scheme
Let F : X → Y be a one-to-one OWF with hardcore bit B : X → {0, 1}.
Construction
To commit to a bit m ∈ {0, 1} under key x ←R X let
  Com_x(m) = (F(x), B(x) ⊕ m).
Hiding: since B is a hardcore bit it acts as a (computational) one-time pad and hides m. Formally:
  Com_x(0) = (F(x), B(x)) ≈_{t,ε} (F(x), σ), where σ is a random bit,
  (F(x), σ) ≡ (F(x), σ ⊕ 1),
  (F(x), σ ⊕ 1) ≈_{t,ε} (F(x), B(x) ⊕ 1) = Com_x(1).
Hence, Com_x(0) ≈_{t,ε} Com_x(1).
From Hardcore Bits to Bit-Commitment Scheme
Let F : X → Y be a one-to-one OWF with hardcore bit B : X → {0, 1}.
Construction
To commit to a bit m ∈ {0, 1} under key x ←R X let
  Com_x(m) = (F(x), B(x) ⊕ m).
Remark: to commit to longer messages use concatenation (there are other, more efficient, alternatives).
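The construction Com_x(m) = (F(x), B(x) ⊕ m) of the last three slides, together with Blum's coin toss built on top of it (the "Coin Tossing" slide), as an added example that is not the lecture's code. It assumes toy parameters constructed for illustration and far too small to be secure: the DLOG function F(x) = g^x mod p of Example 1 with p = 23 and generator g = 5, so F is a bijection on X = {1, ..., p−1}, and the Blum–Micali predicate Half_{p−1}(x) as the hardcore bit B. Because the key space is tiny, binding can be checked by brute force: `openings` enumerates every (x, m) that opens a given commitment and finds exactly one. Longer messages are committed bit by bit with fresh keys, as the remark above says.

```python
import random

# Toy parameters (constructed, insecure): p = 23 is prime and g = 5 generates
# Z_23^*, so F(x) = g^x mod p is injective on X = {1, ..., p-1}.
P, G = 23, 5
X = range(1, P)


def F(x):
    return pow(G, x, P)                  # the injective OWF (DLOG, Example 1)


def half(x):
    """Blum-Micali hardcore predicate Half_{p-1}(x): 0 iff 1 <= x < (p-1)/2."""
    return 0 if 1 <= x < (P - 1) // 2 else 1


def commit_bit(x, m):
    """Com_x(m) = (F(x), B(x) XOR m)."""
    return (F(x), half(x) ^ m)


def open_ok(com, x, m):
    """Verifier's check when the committer reveals (x, m)."""
    return com == commit_bit(x, m)


def openings(com):
    """Binding, checked by brute force over the toy key space: the set of all
    (x, m) pairs that open com. Injectivity of F leaves at most one."""
    return {(x, m) for x in X for m in (0, 1) if open_ok(com, x, m)}


def commit_bits(bits, rng):
    """Longer messages by concatenation: a fresh key per bit."""
    keys = [rng.randrange(1, P) for _ in bits]
    return [commit_bit(x, m) for x, m in zip(keys, bits)], keys


def open_bits_ok(coms, keys, bits):
    return (len(coms) == len(keys) == len(bits)
            and all(open_ok(c, x, m) for c, x, m in zip(coms, keys, bits)))


# --- Blum's coin toss over the phone, on top of the bit commitment -------------
def blum_coin_toss(rng, alice_flips=False):
    """Returns (outcome, bob_accepts). With alice_flips=True, Alice tries to open
    to the other bit after seeing b; binding makes Bob's check fail."""
    a, x = rng.randrange(2), rng.randrange(1, P)
    A = commit_bit(x, a)                 # Alice -> Bob: A = Com_x(a)
    b = rng.randrange(2)                 # Bob -> Alice: b
    a_claimed = a ^ 1 if alice_flips else a
    if open_ok(A, x, a_claimed):         # Alice -> Bob: (x, a); Bob checks A
        return a_claimed ^ b, True
    return None, False                   # Alice cheated; Bob decides the result


def cheating_alice_never_succeeds(trials, rng):
    """No key at all opens an honest commitment to the flipped bit."""
    for _ in range(trials):
        a, x = rng.randrange(2), rng.randrange(1, P)
        if openings(commit_bit(x, a)) != {(x, a)}:
            return False
    return True
```

Hiding is the property this toy cannot show: with p = 23 anyone can invert F by trying 22 exponents, which is exactly why a real instantiation needs a one-way F.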
Obtaining Hardcore Bits
Definition
An efficiently computable predicate B : X → {0, 1} is a (t, ε) hardcore bit for F if for every adversary A of complexity t:
  Pr_{x ←R X}[A(F(x)) = B(x)] ≤ 1/2 + ε.
Typically, to prove that B is a hardcore predicate we show that computing B from random images y = F(x) allows one to invert the function.
Thus if F is indeed hard (we assumed it is one-way) then B(x) cannot be computed from F(x).
Example 1: DLOG (Blum-Micali)
Public parameters: a prime p, and a generator g of Z_p^*.
Let X = Z_p^*, F(x) = g^x mod p.
Is LSB(x) a hardcore predicate?
No (see Ex 3)
Let Half_{p−1}(x) = 0 iff 1 ≤ x < (p − 1)/2
Is Half_{p−1}(x) a hardcore predicate?
Yes!
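Why LSB(x) fails for the DLOG function, as an added worked example (not the lecture's text or its exercise). It uses the standard Euler-criterion argument: g is a generator, so g^x is a quadratic residue mod p exactly when x is even, and y is a residue exactly when y^((p−1)/2) ≡ 1 (mod p). A predictor that computes that power from F(x) alone therefore gets LSB(x) right every time, so LSB cannot be (t, ε)-hardcore for any ε < 1/2. The parameters p = 23, g = 5 are a constructed toy instance.

```python
# Toy parameters (constructed): p = 23 is prime and g = 5 generates Z_23^*.
P, G = 23, 5


def F(x):
    return pow(G, x, P)


def lsb(x):
    return x & 1


def predict_lsb_from_image(y):
    """Euler's criterion: y = g^x is a quadratic residue iff x is even, and y is a
    residue iff y^((p-1)/2) = 1 mod p. Hence LSB(x) is computable from F(x) alone."""
    return 0 if pow(y, (P - 1) // 2, P) == 1 else 1


def predictor_accuracy():
    """Fraction of x in {1, ..., p-1} on which the predictor is right."""
    hits = sum(predict_lsb_from_image(F(x)) == lsb(x) for x in range(1, P))
    return hits / (P - 1)
```

The same test cannot be run against Half_{p−1}(x): no efficiently computable function of g^x is known to reveal which half x lies in, which is what the reduction behind the "Yes!" above establishes.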
Example 2: RSA (Alexi, Chor, Goldreich, Schnorr)
Public parameters: an RSA modulus N = pq (p and q are primes), and an integer e which is relatively prime to ϕ(N) = (p − 1)(q − 1).
Let X = Z_N^*, F(x) = x^e mod N.
Is LSB(x) a hardcore predicate?
Yes!
In fact, this is true for the i-th bit of x as well (for every i)! (Håstad–Näslund)
General One-Way Functions (Goldreich-Levin 89)
Let F : X → Y be any one-way function and let n be the number of bits of elements in X.
Define a randomized predicate B(x; r) = Σ_{i=1}^{n} x_i · r_i (mod 2).
Thm: B(x; r) is a hardcore predicate for F, i.e., given F(x), r it is (t, ε)-hard to predict B(x; r) for random x, r.