Lecture 23: Zero-Knowledge Proofs

Rafael Oliveira

University of Waterloo
Cheriton School of Computer Science

July 29, 2021


Mar 12, 2022


Overview

Why Zero Knowledge?

Zero-Knowledge Proofs

Conclusion

Acknowledgements


Cryptography

In cryptography, we want to communicate with other people/entities whom we may not trust.

Or we may not trust the channel of communication:

- someone may eavesdrop on our messages
- messages could be corrupted
- someone may try to impersonate us
- it’s a wild world out there

Situation

- Alice has all her files encrypted (in a public database)
- Bob requests from her the contents of one of her files
- She could simply send the decrypted file to Bob
- Bob has no way of knowing that this message comes from Alice (or that this is indeed the right file)
- Alice could prove to Bob this is the correct file by sending her encryption key
- But then Bob has access to her entire database!
- Can Alice convince Bob that she gave the right file without giving any more knowledge beyond that she gave the right file?


Zero-Knowledge Proofs

Proofs in which the verifier gains no knowledge beyond the validity of the assertion.


Knowledge vs Information

- What do you mean by knowledge?
- What does it mean to “learn something/gain knowledge”?
- What is the difference between knowledge and information?

The first question is quite complex, so let’s only talk about the second and third.

Knowledge has to do with your computational ability.

If you could have found the answer (i.e. computed it) without help, then you gained no knowledge.

Example:

- Bob asks Alice whether a graph G is Eulerian
  - Bob gains no knowledge in this interaction, since he could have computed it by himself (by Euler’s theorem: check that all vertices have even degree)
- Bob asks Alice if graph G has a Hamiltonian cycle
  - Bob now gains knowledge (P ≠ NP ⇒ Bob could not compute it)

In both cases Alice conveyed information!


Knowledge vs Information

Knowledge:

- related to computational difficulty
- about publicly known objects

One gains knowledge when one obtains something one could not compute before!

Information:

- unrelated to computational difficulty
- about partially known objects

One gains information when one obtains something one could not access before!


Classical Proofs

Our usual notion of proof:

- A claim C is given
- A prover P writes down a proof that C is correct
- Prover P sends this proof to a verifier V
- Verifier has a procedure (axioms and derivation rules) to check validity of the proof
- Verifier accepts or rejects based on these rules

One-way communication (or, in other words, very little interaction!)

Verifier does not trust prover. Otherwise no need to verify proof!


Example: NP (Efficient Verifiable Proofs)

Setup:

- A claim C := x ∈ L is given
- A prover P writes down a proof (witness) w that x ∈ L
- Prover P sends w to a verifier V
- Verifier has a procedure (axioms and derivation rules) to check validity of the proof (deterministic, polynomial time algorithm)
- Verifier accepts iff V(x, w) = 1

In this setting, verifier learns the proof!


Example: Factoring

Setup:

- A claim C := N is a product of two primes is given
- A prover P writes down a proof: two primes p, q such that N = p · q
- Prover P sends (p, q) to a verifier V
- Verifier computes p · q and checks that p, q are prime
  - Checking validity of the proof (deterministic, polynomial time algorithm)
- Verifier accepts iff p, q prime, and N = pq

In this setting, verifier learns the proof (in this case factorization)!


Example: Graph Isomorphism

Setup:

- A claim C := graphs G0, G1 are isomorphic
- A prover P writes down an isomorphism ρ such that ρ(G0) = G1
- Prover P sends ρ to a verifier V
- Verifier checks that ρ is a permutation of vertices, and that ρ(G0) = G1 (deterministic, polynomial time algorithm)
- Verifier accepts iff the above is correct.

In this setting, verifier learns the isomorphism (i.e., the proof)!


Can we convince people differently?

Yes! But we need to modify the way proofs are checked.

- Make proofs interactive, instead of only one-way
- Verifier is allowed private randomness

In the end, we will see a (zero-knowledge) proof for graph isomorphism as follows:

Alice: I will not give you an isomorphism, but I will prove that I could give you one, if I wanted to.


Example: Graph Isomorphism

Setup:

A claim C := graphs G0, G1 are isomorphic

A prover P produces a random graph H for which:

It can give isomorphism ρ0 from G0 to H

It can give isomorphism ρ1 from G1 to H

Above possible iff G0 and G1 isomorphic!

Verifier picks random bit b ∈ {0, 1}

Prover gives isomorphism ρb

Verifier checks that ρb(H) = Gb

Note that verifier will not learn isomorphism between G0 and G1!

Note that:

Claim is true ⇒ prover can always give isomorphism!

Claim is false ⇒ can catch bad proof with probability = 1/2

Can amplify probability of catching bad proof by repeating protocol above!

How can we model the fact that verifier does not gain knowledge?!

Simulation!

52 / 83

Page 63: Lecture 23: Zero-Knowledge Proofs

Simulation of Protocol

Key idea: if claim is indeed true, then verifier’s view of proof could have been simulated by the verifier alone!

Simulated protocol:

The verifier (privately) produces a random permutation ρ and a bit b and outputs H = ρ(Gb).

Verifier then picks bit b from previous step

Verifier gives isomorphism ρ⁻¹

Verifier checks that ρ⁻¹(H) = Gb

Simulation ⇒ V gained no new information!

63 / 83

Page 69: Lecture 23: Zero-Knowledge Proofs

Perfect Zero Knowledge Proof

Note that we usually talked about not trusting provers so far, but for Zero-Knowledge, we will not trust verifiers (as they may try to obtain information about the proof!)

Definition (Perfect Zero Knowledge)

A prover P is perfect zero-knowledge for language L if for every polynomial time, randomized verifier V*, there is a randomized algorithm M* such that for every x ∈ L the following random variables are identically distributed:

〈P, V*〉(x), that is, output of interaction between prover P and verifier V* on input x

M*(x), that is, output of algorithm M* (simulation) on input x

The above captures the idea that V* is not gaining any extra computational power by interacting with P, since same output could have been generated by M*

69 / 83

Page 72: Lecture 23: Zero-Knowledge Proofs

Perfect Zero Knowledge Proof²

Previous definition is a bit too strict to be useful, so we relax it.¹

We will allow simulator to fail with small probability (denoted by outputting ⊥)

Definition (Perfect Zero Knowledge)

A prover P is perfect zero-knowledge for language L if for every polynomial time, randomized verifier V*, there is a randomized algorithm M* such that for every x ∈ L the following holds:

1. With probability ≤ 1/2, M*(x) = ⊥

2. Conditioned on M*(x) ≠ ⊥, the following variables are identically distributed:

〈P, V*〉(x), that is, output of interaction between prover P and verifier V* on input x

M*(x), that is, output of algorithm M* (simulation) on input x

¹ Very common phenomenon in crypto, that statistical indistinguishability too strict.

² For applications in cryptography, one can even relax this definition further, to include computational zero-knowledge

72 / 83

Page 74: Lecture 23: Zero-Knowledge Proofs

Simulation of Protocol

Key idea: if claim is indeed true, then verifier’s view of proof could have been simulated by the verifier alone!

Simulated protocol:

The simulator produces a random permutation ρ and outputs H = ρ(G0).

Simulator then picks random bit b

If b ≠ 0 then output ⊥

Otherwise simulator gives isomorphism ρ⁻¹

Simulator checks that ρ⁻¹(H) = G0

Simulation ⇒ perfect zero knowledge for our prover P!

Note that whenever we don’t fail, we output same distribution as the original protocol!
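The graph isomorphism protocol and its simulator, as an added example that is not part of the lecture: it enumerates every permutation of a 4-vertex graph and compares the verifier's exact view distribution against the simulator's output. Assumptions: the graphs, σ and the adversarial challenge `sneaky` are constructed here; responses map H back to G_b, matching the slides' check ρb(H) = Gb; and the simulator guesses a random bit c instead of the slides' fixed 0, a generalization that also covers verifiers who choose b by looking at H.

```python
from collections import Counter
from fractions import Fraction
from itertools import permutations

def graph(pairs):
    """Undirected graph as a hashable set of 2-element edges."""
    return frozenset(frozenset(p) for p in pairs)

def apply(perm, g):
    """Relabel g: vertex v becomes perm[v]."""
    return frozenset(frozenset(perm[v] for v in e) for e in g)

def invert(p):
    inv = [0] * len(p)
    for v, image in enumerate(p):
        inv[image] = v
    return tuple(inv)

def compose(p, q):
    """(p after q)[v] = p[q[v]]."""
    return tuple(p[q[v]] for v in range(len(q)))

def verify(n, graphs, H, b, resp):
    """Verifier's check: resp is a permutation of the vertices and resp(H) = G_b."""
    return sorted(resp) == list(range(n)) and apply(resp, H) == graphs[b]

def real_views(n, G0, sigma, challenge):
    """Exact distribution of the view (H, b, response) against the honest
    prover, who knows sigma with sigma(G0) = G1."""
    views = Counter()
    for pi in permutations(range(n)):        # prover's random coins
        H = apply(pi, G0)
        b = challenge(H)                     # verifier's bit, possibly adversarial
        to_G0 = invert(pi)                   # maps H -> G0
        resp = to_G0 if b == 0 else compose(sigma, to_G0)   # maps H -> G_b
        views[(H, b, resp)] += 1
    return views

def simulated_views(n, graphs, challenge):
    """Simulator M*: never sees sigma. Guess c, output H = rho(G_c), and
    abort (the slides' ⊥) when the verifier's bit differs from the guess."""
    views, aborts = Counter(), 0
    for c in (0, 1):
        for rho in permutations(range(n)):   # simulator's random coins
            H = apply(rho, graphs[c])
            if challenge(H) != c:
                aborts += 1
            else:
                views[(H, c, invert(rho))] += 1
    return views, aborts

def cheat_success(n, graphs):
    """Acceptance probability for a prover with no isomorphism who commits to
    H = pi(G_c) for a guessed c and answers pi^-1, against a uniform bit b."""
    wins = total = 0
    for c in (0, 1):
        for b in (0, 1):
            for pi in permutations(range(n)):
                H = apply(pi, graphs[c])
                wins += verify(n, graphs, H, b, invert(pi))
                total += 1
    return Fraction(wins, total)

# Constructed sample input: a 4-vertex path, a relabelled copy, and a star.
N = 4
G0 = graph([(0, 1), (1, 2), (2, 3)])
SIGMA = (2, 0, 3, 1)                         # the prover's secret: SIGMA(G0) = G1
G1 = apply(SIGMA, G0)
STAR = graph([(0, 1), (0, 2), (0, 3)])       # not isomorphic to G0

def sneaky(H):
    """Hypothetical dishonest verifier: derives b from H (degree of vertex 0)."""
    return sum(1 for e in H if 0 in e) % 2

if __name__ == "__main__":
    real = real_views(N, G0, SIGMA, sneaky)
    sim, aborts = simulated_views(N, (G0, G1), sneaky)
    print("views identical:", real == sim)
    print("simulator abort probability:", Fraction(aborts, aborts + sum(sim.values())))
    print("cheating prover, one round:", cheat_success(N, (G0, STAR)))
```

Repeating the round k times with fresh randomness drives the cheating prover's acceptance probability to (1/2)^k, which is the amplification the slides refer to.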

74 / 83

Page 81: Lecture 23: Zero-Knowledge Proofs

Conclusion

We saw today how the power of interaction can be used to verify validity of “proofs” without conveying information about it

Has applications in

Modern cryptography

Credit Cards

Passwords

Complexity Theory (can use zero-knowledge to construct complexity classes)

Used in cryptocurrencies (validate transactions without giving details about transactions)

81 / 83

Page 83: Lecture 23: Zero-Knowledge Proofs

Acknowledgement

Lecture based largely on:

Oded Goldreich’s Foundations of Cryptography book, Chapter 6

Berkeley & MIT’s 6.875 Lecture 14

https://inst.eecs.berkeley.edu/~cs276/fa20/slides/lec14.pdf

83 / 83