ZK MUIC talk - MUIC Math · Zero-Knowledge Proof MUIC January 30, 2019 Wutichai Chongchitmate...

Post on 10-Aug-2020


Zero-Knowledge Proof

MUIC, January 30, 2019

Wutichai Chongchitmate

Department of Mathematics and Computer Science, Faculty of Science, Chulalongkorn University, Bangkok, Thailand

Outline

1. Zero-Knowledge Proofs

2. Applications

3. Limitations and Variants

Proof

Statement x

Prove: P(x) → π

Verify: V(x,π) → Accept (1) or Reject (0)

V(x,P(x)) = 1 ⇔ x is true

Zero-Knowledge Proof

Statement x, proof π

w: the reason why x is true (the witness), with RL(x,w) = 1

Prover and verifier are Probabilistic Polynomial Time (PPT)

w? The proof π must convince the verifier of x without revealing w.

NP Relation

Relation RL ⊆ X × W

Language L = {x | ∃w, (x,w) ∈ RL}

Given x, finding w such that (x,w) ∈ RL is difficult.

Given (x,w), computing RL(x,w) = {1 if (x,w) ∈ RL; 0 if (x,w) ∉ RL} is efficient.

Assume P ≠ NP.

Interactive (Probabilistic) Proof [Goldwasser, Micali, Rackoff ’85]

P (Prover) ↔ V (Verifier) on common input x, exchanging messages m1, m2, m3, …, mr; V outputs 1 (accept) or 0 (reject).

V(x,P(x)) = 1 ⇔ x is true, i.e. x ∈ L

Completeness: x ∈ L ⇒ Pr[V → 1] > 1-ε

Soundness: x ∉ L ⇒ Pr[V → 1] < ε

ε is negligible in the security parameter k: ∀c>0 ∃k0 ∀k > k0, ε(k) < 1/k^c

Example 1

(Figure-based slides; only the Yes/No answers and the repetition count x20 survive in the transcript.)

Completeness: x ∈ L ⇒ Pr[V → 1] = 1

Soundness: x ∉ L ⇒ Pr[V → 1] = 1/2^20 ≈ 1/1000000

Zero-Knowledge Proof

P(x,w) ↔ V(x) = 1 or 0, over messages m1, m2, m3, …, mr

w? The interaction must not leak the witness w to V.

Zero-Knowledge

Real interaction: P ↔ V*, messages m1, m2, m3, …, mr; V* records its view.

Simulated interaction: S (Simulator), which has no witness, interacts with V* and produces a transcript m1, m2, m3, …, mr.

View(P ↔ V*) ≃ S(V*), where ≃ stands for = (perfect), ≃s (statistical) or ≃c (computational)

S is efficient.

Formal Definitions

Interactive Proof: (P,V), V ∈ PPT

Completeness: ∀(x,w) ∈ RL, Pr[P(x,w) ↔ V(x) = 1] > 1-ε

Soundness: ∀x ∉ L, ∀P*, Pr[P*(x) ↔ V(x) = 1] < ε

Zero-Knowledge Proof [GMR85]

Zero-Knowledge: ∀V* ∈ PPT, ∃SV* ∈ PPT, View(P(x,w) ↔ V*(x)) ≃ SV*(x)

Example 2: Graph 3-Colorability

P knows a 3-coloring of the graph; V sees only the graph.

Repeat N times:

• P sends V a Commitment to the color of every vertex.

• V picks one edge (the slides show AB, BC and CE).

• P opens the commitments of the two endpoints; V rejects if the two colors are equal or an opening does not match its commitment (reject).

Completeness: x ∈ L ⇒ Pr[V → 1] = 1

Soundness: x ∉ L ⇒ Pr[V → 1] = ((|E|-1)/|E|)^N

3-Colorability
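The protocol on the Example 2 slide, as an added runnable simulation (not code from the talk). It follows the standard construction in which the prover also applies a fresh random permutation to the three colors in every round, so an opened edge reveals only that two colors differ; the commitment is a SHA-256 hash over vertex, color and a random nonce (a teaching model, not a production commitment scheme). The sample graph, its coloring, and the cheating case (K4 is not 3-colorable) are constructed for the demo; the soundness bound is the slide's ((|E|-1)/|E|)^N.

```python
# Added example: GMW-style zero-knowledge proof of graph 3-colorability.
import hashlib
import random

# Constructed sample graph: 5 vertices, 6 edges, with a valid 3-coloring.
GRAPH_EDGES = [("A", "B"), ("B", "C"), ("C", "E"), ("C", "D"), ("D", "E"), ("A", "C")]
GOOD_COLORING = {"A": 0, "B": 1, "C": 2, "D": 0, "E": 1}

# Constructed cheating case: K4 is not 3-colorable, so whatever the prover
# commits to, at least one edge has equal colors (here A-D).
K4_EDGES = [("A", "B"), ("A", "C"), ("A", "D"), ("B", "C"), ("B", "D"), ("C", "D")]
BAD_COLORING = {"A": 0, "B": 1, "C": 2, "D": 0}


def is_valid_coloring(edges, coloring):
    """R_L(x, w): the efficient check that w is a proper 3-coloring of x."""
    return all(coloring[u] in (0, 1, 2) and coloring[v] in (0, 1, 2)
               and coloring[u] != coloring[v] for u, v in edges)


def commit(vertex, color, nonce):
    """Hash commitment to (vertex, color) under a random nonce."""
    return hashlib.sha256(f"{vertex}|{color}|{nonce.hex()}".encode()).hexdigest()


def prover_commit(coloring, rng):
    """Round step 1 (P -> V): permute the colors, then commit to every vertex."""
    perm = [0, 1, 2]
    rng.shuffle(perm)
    opening = {v: (perm[c], rng.getrandbits(128).to_bytes(16, "big"))
               for v, c in coloring.items()}
    commitments = {v: commit(v, c, n) for v, (c, n) in opening.items()}
    return commitments, opening


def verify_opening(commitments, edge, opened):
    """Round step 3 (V): both openings must match, and the endpoint colors must differ."""
    u, v = edge
    (cu, nu), (cv, nv) = opened[u], opened[v]
    if commit(u, cu, nu) != commitments[u] or commit(v, cv, nv) != commitments[v]:
        return False  # opening does not match the commitment
    return cu in (0, 1, 2) and cv in (0, 1, 2) and cu != cv


def run_protocol(edges, coloring, rounds, seed=0):
    """Run N rounds; V accepts only if every round passes."""
    rng = random.Random(seed)
    for _ in range(rounds):
        commitments, opening = prover_commit(coloring, rng)        # P -> V
        edge = rng.choice(edges)                                    # V -> P
        opened = {edge[0]: opening[edge[0]], edge[1]: opening[edge[1]]}  # P -> V
        if not verify_opening(commitments, edge, opened):
            return False
    return True


def soundness_bound(num_edges, rounds):
    """Probability that a cheating prover survives N rounds: ((|E|-1)/|E|)^N."""
    return ((num_edges - 1) / num_edges) ** rounds


if __name__ == "__main__":
    print("honest prover accepted:", run_protocol(GRAPH_EDGES, GOOD_COLORING, rounds=50))
    print("cheating prover accepted:", run_protocol(K4_EDGES, BAD_COLORING, rounds=200))
    print("soundness bound, 6 edges, 200 rounds:", soundness_bound(6, 200))
```

A single round catches the cheating prover only when the verifier happens to pick the bad edge (probability 1/|E|), which is why the slide repeats the protocol N times; the honest prover is never rejected, matching the slide's completeness of 1.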

NP-Complete and NP Reduction

source: https://en.wikipedia.org/wiki/NP-hardness

Algorithm A solving an NP-Hard Problem

Algorithm B solving an NP Problem using A in polynomially many steps

• Graph Coloring

• Hamiltonian Path/Cycle

• Subgraph Isomorphism

• Boolean Satisfiability

• etc.

Non-Interactive Zero-Knowledge Proof (NIZK)

P sends a single message π to V.

Both parties share a Common Reference String (CRS), e.g. 01110011110000110101

Hamiltonian Cycle Problem

Outline

1. Zero-Knowledge Proofs

2. Applications

3. Limitations and Variants

Secure Authentication

Password login: the user sends ID, PWD to the server, and the same ID, PWD is sent again on every login (the slide repeats "ID, PWD" to make the point that the secret itself travels each time).

With a zero-knowledge proof: the user sends ID, π instead, and the password never leaves the user.

Multi-party Computation (MPC)

Anonymous Voting: three parties hold x = 0, y = 0, z = 1 and jointly compute majority(x,y,z) without revealing their individual inputs.

Secure against semi-honest (passive) adversaries

Secure against malicious (active) adversaries

Cryptocurrency

A pays 1 coin to B (Signed A)

B pays 1 coin to C (Signed B)

Each coin carries a serial number, e.g. 1323498. The ledger holds a list of locks with serial numbers (the slide shows 675, 1323498 and 365).

To spend, B publishes a proof π for 1323498: ∃ (key icon in the slide) that opens one of the locks with serial number 1323498. "B pays to C" (Signed B) is accepted without revealing which lock B can open.

B sends C the pair (·, 1323498), where the first element is an icon lost in the transcript.

C pays to D (Signed C)

Outline

1. Zero-Knowledge Proofs

2. Applications

3. Limitations and Variants

Limitations

• Length of ZKP: number of bits communicated

• Number of rounds: assuming no setup

• Setup: Common Reference String, Tokens, Correlated Randomness, etc.

• Security Assumptions: One-way functions, Number Theory-based assumptions

Variants of Zero-Knowledge Proof

Zero-Knowledge Proof

Completeness: ∀(x,w) ∈ RL, Pr[P(x,w) ↔ V(x) = 1] > 1-ε

Soundness: ∀x ∉ L, ∀P*, Pr[P*(x) ↔ V(x) = 1] < ε

Zero-Knowledge: ∀V* ∈ PPT, ∃SV* ∈ PPT, View(P(x,w) ↔ V*(x)) ≃ SV*(x)

Zero-Knowledge

• Zero-Knowledge: View(P(w),V*)(x) ≃ SV*(x)

• Perfect Zero-Knowledge: View(P(x,w) ↔ V*(x)) = SV*(x)

• Statistical Zero-Knowledge: View(P(x,w) ↔ V*(x)) ≃s SV*(x) (statistically close)

• Computational Zero-Knowledge: View(P(x,w) ↔ V*(x)) ≃c SV*(x) (computationally indistinguishable)

Witness Indistinguishability (WI)

• Zero-Knowledge: View(P(w),V*)(x) ≃ SV*(x)

• Witness Indistinguishable: View(P(x,w1) ↔ V*(x)) ≃c View(P(x,w2) ↔ V*(x))

Zero-Knowledge ⇒ Witness Indistinguishable

Soundness

• Interactive Proof. Soundness: If x not in L, then for any P*, Pr[<P*,V>(x) = accept] = negl

Soundness: ∀x ∉ L, ∀P*, Pr[P*(x) ↔ V(x) = 1] < ε

• Interactive Argument. Soundness: If x not in L, then for any efficient P*, Pr[<P*,V>(x) = accept] = negl

Soundness: ∀x ∉ L, ∀P* ∈ PPT, Pr[P*(x) ↔ V(x) = 1] < ε

Interactive Argument + ZK ⇒ Zero-Knowledge Argument

Proof/Argument of Knowledge

• Proof of Knowledge (PoK): there exists an efficient extractor E such that for any P*, if <P*,V>(x) = accept, then Pr[E^P*(x) is a witness for x] is close to 1

Proof of Knowledge (PoK): ∃E ∈ PPT, ∀P*, P*(x) ↔ V(x) = 1 ⇒ Pr[E^P*(x) = w and (x,w) ∈ RL] > 1-ε

• Argument of Knowledge (AoK): same but for efficient P*

Argument of Knowledge (AoK): ∃E ∈ PPT, ∀P* ∈ PPT, P*(x) ↔ V(x) = 1 ⇒ Pr[E^P*(x) = w and (x,w) ∈ RL] > 1-ε

Black-Box vs Non-Black-Box

Zero-Knowledge (non-black-box): ∀V* ∈ PPT, ∃SV* ∈ PPT, View(P(x,w) ↔ V*(x)) ≃ SV*(x); the simulator SV* may contain the code of V*

Zero-Knowledge (black-box): ∃S ∈ PPT, ∀V* ∈ PPT, View(P(x,w) ↔ V*(x)) ≃ S^V*(x); the single simulator S has only black-box (oracle) access to V*

Special Cases

• Σ-protocol (3-round with weaker version of argument of knowledge)

• ZAP (2-round resettably-sound resettable witness-indistinguishable proof)

• zkSNARK (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge)
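An added example (not code from the talk) of the Σ-protocol case listed above, using Schnorr's identification protocol, the classic 3-round instance of that class. It also illustrates two earlier slides: the "ID, π" login of Secure Authentication, since the server verifies without ever receiving the secret, and the simulator argument of the Zero-Knowledge slides, since a simulator holding only the public key produces transcripts with exactly the distribution of real ones against an honest verifier. The group parameters (p = 2q+1 = 2039, q = 1019, generator g = 4 of order q) are tiny constructed values so the code runs instantly; they are not secure sizes.

```python
# Added example: Schnorr identification as a Σ-protocol, with its simulator.
import random

P = 2039   # prime, p = 2q + 1 (constructed toy parameter)
Q = 1019   # prime order of the subgroup generated by G
G = 4      # 4 = 2^2 is a quadratic residue mod P, hence has order Q


def keygen(rng):
    """Secret x (the witness w) and public y = g^x mod p (the statement)."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def prover_commit(rng):
    """Round 1 (P -> V): pick r uniformly, send t = g^r."""
    r = rng.randrange(Q)
    return r, pow(G, r, P)


def verifier_challenge(rng):
    """Round 2 (V -> P): uniformly random challenge c."""
    return rng.randrange(Q)


def prover_respond(x, r, c):
    """Round 3 (P -> V): s = r + c*x mod q. The secret x itself is never sent."""
    return (r + c * x) % Q


def verify(y, t, c, s):
    """V accepts iff g^s == t * y^c (mod p)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def run_identification(x, y, rng):
    """One honest run of the 3-round protocol; returns (transcript, accepted)."""
    r, t = prover_commit(rng)
    c = verifier_challenge(rng)
    s = prover_respond(x, r, c)
    return (t, c, s), verify(y, t, c, s)


def simulate(y, rng):
    """Simulator S: knows only y. Picks c and s first, then solves t = g^s * y^-c.
    Real transcripts have (c, s) uniform with t determined by them in exactly the
    same way, so the simulated distribution equals the real one (perfect HVZK)."""
    c = rng.randrange(Q)
    s = rng.randrange(Q)
    y_inv_c = pow(pow(y, c, P), P - 2, P)  # (y^c)^-1 via Fermat's little theorem
    t = (pow(G, s, P) * y_inv_c) % P
    return (t, c, s)


def cheat_without_witness(y, rng):
    """A prover with no x can only guess s; it succeeds with probability 1/q."""
    _, t = prover_commit(rng)
    c = verifier_challenge(rng)
    s = rng.randrange(Q)
    return verify(y, t, c, s)


def demo(seed=0):
    """Honest run, simulated transcript, and 200 attempts without the witness."""
    rng = random.Random(seed)
    x, y = keygen(rng)
    _, accepted = run_identification(x, y, rng)
    sim = simulate(y, rng)
    cheats = sum(cheat_without_witness(y, rng) for _ in range(200))
    return {"honest_accepted": accepted,
            "simulated_verifies": verify(y, *sim),
            "cheat_successes": cheats}


if __name__ == "__main__":
    print(demo(seed=1))
```

The soundness here is the Σ-protocol's usual "weaker" knowledge property from the slide: a prover that can answer two different challenges for the same t yields x = (s1 - s2)/(c1 - c2) mod q, which is what an extractor would compute, while one answer per t can be produced by the simulator without x.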