Introduction and History of ZKP

Date: 2024-08-25 03:05:06

Reviewed:

Topic / Chapter: Introduction and History of ZKP

summary

❓Questions

Notes

Introduction

classical proofs: Gauss, Euclid, Turing…
- e.g. Prime number proof
ours: interactive proof
- w/ prover & verifier, as “algorithms”
“efficiently” verifiable proofs
- aka “NP-proofs”
- msg {prover → verifier} is short
  - of polynomial size in length
    - time taken to proof: not considered
  - $∣ w ∣ = O (p (∣ x ∣))$
- and verifiable in a polynomial time
  - $O (p (∣ x ∣))$
  - i.e. time to compute $V (x, w) == 1$
example claim: $N = p * q$
- $p, q$ : large prime
- proof 1: provides value of $p, q$
  - after interaction, $V$ knows:
    - $N = p * q$
    - value of $p, q$ // revealed!
example claim 2: $\exists x \in Z_{N}^{*} s . t . y = x^{2} mod N$
- $y$ : quadratic residue $mod N$
- 👨‍🏫finding such number: hard
- proof 1: can simply provide $x$
  - verifier: compute $y == x^{2} mod N$
  - after interaction, $V$ knows:
    - $y == x^{2} mod N$
    - value of $y$
example claim 3: two graphs are isomorphic
- proof: $π : [N] \to [N]$
- verification 1: $\forall i, j : (π (i), π (j)) \in E_{1}$
  - iff $(i, j) \in E_{0}$
  - such verification: hard
  - after interaction, V knows:
    - $G_{0}$ being isomorphic to $G_{1}$
    - isomorphism $π$
general form
- language $L :=$ set of strings $x$
- NP language: $L$ s.t. in $p (∣ x ∣)$ time some verifier can show:
  - completeness: true claims have short proofs
    - if $x \in L$ : $\exists p (∣ x ∣)$ -long witness $w \in {0, 1}^{*} s . t . V (x, w) = 1$
    - allows “honest provers” to convince $V$
  - soundness: false theorems have no proofs
    - if $x \neq \in L$ : $\forall w \in {0, 1}^{*}, V (x, w) = 0$
    - unable to convince wrong claim
can we prove something without revealing information?
- yes!
- rather proves: “prove that I could prove it if I felt like it”
- and $V$ : knows nothing more than that claim is right

Paradigm shift

interactive and probabilistic proofs
- interaction: verifier engages in an interaction w/ the prover
  - 👨‍🏫could be mostly removed later
- randomness: verifier is randomized
  - and tolerant to accept potential error w/ small probability
  - e.g. smaller than Avogadro’s number
Again, the idea:
- only transfers the claim (as knowledge)
- e.g. page w/ 2 colors
  - flips the page “probabilistically” (e.g. flip if coin’s on head)
  - V: sends the page
  - P: interpret the event happened
    - e.g. the coin was on head
- accepts the proof if it is right repeatedly
  - $\forall$ provers $P (V = 1) \leq 1/2$
    - $P (V = 1)$ : probability of accepting wrongly
  - if repeat $k$ times:
    - $P (V = 1) \leq 1/ 2^{k}$
example: quadratic residue
- proof of existence of a pair
- prover: choose random $r$ s.t. $1 \leq r \leq N$
  - s.t. $g cd (r, N) = 1$
- sends $s := r^{2}$
- after, by providing $s$ and $sy mod N$ , claim can be proven
  - however: from $s$ and $sy$ , $y mod N$ can be computed
  - which are $r, r x, x$ respectively
  - but: reveal of both are undesirable
- to convince: must be able to answer ANY ONE of two (but not answering both)
  - verifier: chooses randomly
- verifier: accepts only when the prover’s submission $z$ is what he asked
  - technically: when submission’s “square” is what he asked for
  - if $z^{2} == s$ and he wanted that: yes
    - $z = r$
  - or: if $z^{2} == sy$ and he wanted that: yes
    - $z = r y mod N$
- all prover need to know: value of $x = y$
- repeat: 100 times
idea: many possible proofs are available
- prover: chooses one at random
proof: made up of 2 parts
- which, is only meaningful if both are available

More

formal definition
- $(P, V)$ is an interactive proof for $L$ , if $V$ is probabilistic $p (∣ x ∣)$ time &
- completeness: $x \in L$ : $V$ always accepts
  - notation:
  - $x \in L \Rightarrow P r [(P, V) (x) = accept] = 1$
- soundness: if $x \neq \in L$ , for all cheating prover strategy, $V$ will not accept except for negligible probability
  - $x \neq \in L \Rightarrow \forall P^{*}, P r [(P^{*}, V) (x) = accept] = n e g l (∣ x ∣)$
    - $P^{*}$ : cheating prober
  - $n e g l (λ) < \frac{1}{p ( λ )}$ for all polynomials
    - growing very slowly (exponentially)
for homework: just make sure:
- $x \in L \Rightarrow P r [(P, V) (x) = accept] \geq c$
- $x \neq \in L \Rightarrow \forall P^{,} P r [(P^{,} V) (x) = accept] \leq s$
- and show: $c - s \leq 1/ p (∣ x ∣)$
  - (actually equivalent)
Classes
- class of languages $I P$ : all $L$ w/ interactive proof
  - w/ verifier being in probabilistic polynomial time

what is zero knowledge?

true statement: verifier cannot compute anything new
- for even malicious verifier
after interaction, V learned:
- theorem $T$ being true, or $x \in L$
- a view of interaction
  - i.e. transcript & coins V tossed
- $view_{v} (P, V) [s] := {(q_{1}, a_{1}, \dots, coin_{V})}$
  - probability distribution over coins of V and P
the view gives V nothing new if:
- V could have simulated it its own
  - w/ probabilistic distribution
- and two views are “computationally-indistinguishable”
  - i.e. undistinguishable by external, poly-time distinguisher
  - or: can’t tell if V is lying
- (aka simulation paradigm)
computationally-indistinguishability
- if no distinguisher can tell apart two probability distributions
- or: $P [D = 1] < 1/2 + n e g l (k)$
zero knowledge definition:
- for IP $(P, V)$ for $L$ , exists a PPT algorithm simulator $S im$ s.t.
  - $S im$ : “may (very unluckily)” not run in polynomial time
    - “expected” polynomial time
- $\forall x \in L$ (when it’s true), following two are poly-time indistinguishable
  - $view_{V} (P, V) [x] = (q_{1}, a_{1}, \dots coin_{V})$
  - $S im (x, 1^{λ})$
    - $1^{λ}$ : technicality
    - only effective for small $x$
- $(P, V)$ : a ZK-IP if it is complete, sound, and zero-knowledge
  - for any $V$ , even dishonest ones
final def:
- IP is ZK for $L$ if $\forall$ PPT $V^{*}$ , $\exists$ PPT $S im$ s.t., $\forall x \in L$
  - $view_{V} (P, V) [x] ≃ S im (x, 1^{λ})$
Different types of ZK
- CZK: computationally indistinguishable distribution
- PZK: perfectly identical distributions
- SZK: statistically close distribution

example w/ QR

example w/ QR
- (honest verifier) PZK
- simulator: picks random bit $b$
- pick a random $z \in Z_{N}^{*}$
- compute $s = z^{2} / y^{b}$
- output (view): $(s, b, z)$
honest: checks $z^{2} = s y^{b} mod N$
- key: not releasing $s$ initially
dishonest verifier
- compute $b$ based on complex process $f (s)$
- yet: the view would be the same as simulator.
simulator for baddie
- pick a random bit $b$
- pick a random $z \in Z_{N}^{*}$
- compute $s = z^{2} / y^{b}$
- RUNS BAD Verifier (both are poly-time)
  - if $V^{*} (N, y, s) = b$
    - if $b$ was to be asked:
    - output (view): $(s, b, z)$
  - else: repeat the whole process (50/50)

POK

prover: actually also proved
- “I can solve it (but won’t do it for you)”
- “knowledge”: can also be defined
- consider $L_{R} = {x : \exists w s . t . R (x, w) = 1}$ for poly-time relation $R$
- if the knowledge can be gained by running program w/ multiple inputs:
  - the algorithm has “knowledge”
$(P, V) :=$ proof of knowledge (POK) for $L_{R}$
- if $\exists$ PPT extractor algorithm $E$ s.t. $\forall x \in L$ , PPT $E^{P} (x)$ outputs $w$ s.t. $V (x, w) = 1$
- $E^{P} (X)$ : may run $P$ repeatedly on the same randomness
  - but may also run different questions each executions
  - aka: rewinding technique
    - as: one can “rewind” the algorithm to start from the same point
ZKPOK on QR
- on input $(y, N)$
- run prover & receive $s$
- set verifier message to head (1), store $r$
- rewind (to $s$ value), and runs tail
  - gets $r x$
- output: $r x / r = x mod N$
ZKPOK on graph isomorphism
- produce random graph $H$ s.t. either one is available
  - isomorphism $γ_{0}$ from $G_{0}$ to $H$
  - isomorphism $γ_{1}$ from $G_{1}$ to $H$
- thus, $\exists$ isomorphism $σ$ from $G_{0} \to G_{1}$
- verifier: randomly choose between two isomorphism
- proof:
  - $H = γ_{0} (G_{0})$
  - $H = γ_{1} (G_{1})$
  - $G_{1} = γ_{1}^{- 1} (γ_{0} (G_{0}))$
  - set $σ = γ_{1}^{- 1} γ_{0}$
- claim:
  - statement true: can correctly answer for either
  - false: P(mistake)≥1/2
    - and make it 1-1/2^k by repetition
  - prove that it is a perfect ZK
- ZKPOK
  - store $γ_{0}$
  - rewind & get $γ_{1}$
  - then output: $γ_{1}^{- 1} (γ_{0})$
first application: identity theft
- Alice: wants to prove her identity over the net (insecure)
  - to Bob: or Amazon
- password shouldn’t be stored: even as a an encryption
solution: let’s say: password = hard theorem
- one who knows the answer: Alice
  - ~= one who can pick up Excalibur: the Brave
- but Alice’s proof: must be ZKP
do all NP languages have ZK-IP?
- Yes
- if one-way functions exist, every L in NP has computational ZK-IP
- idea:
  - show an NP-complete problem has a ZK-IP
    - if a language is NP-complete: every string s can be reduced to a graph
  - one way function → hiding & binding bit commitment protocol
Properties of bit commitment scheme
- hiding: the view (of $b, b^{'}$ ) is computationally indistinguishable
  - key: must be randomized in order to keep it secure
- binding: probability of accepting different values are negligible

G3-colorable theorem

common input graph: $G = (V, E)$
- prover input coloring $π : V \to {0, 1, 2}$
procedure
1. prover: pic random permutation $σ$ on colors and apply it on graph
  1. $ϕ (v) = σ (π (v))$
  2. and commit $ϕ (v)$ for each $v$
  3. permutation: prevents accumulation of knowledge
2. verifier: select a random edge $e = (a, b)$ , and send it to prover
3. prover: decommit colors $ϕ (a), ϕ (b)$
4. decision: rejects if $ϕ (a) = ϕ (b)$
  1. and accepts after $k$ iterations
ZK testing
- completeness
  - honest prover: can always prove it & accepted
- soundness
  - if $G$ is not 3-colorable, then $\forall P^{*}$ $P r [accept] < (1 - 1/∣ E ∣)^{k} < 1/ e^{∣ E ∣}$
  - for $k = ∣ E ∣^{2}$
- zk-ness
  - easy to see informally
  - messy to prove formally
honest verifier computational ZK
- choose challenge at random in advance
  - $(a, b)$ for honest $V$
- choose random edge $(a, b)$ in $G$
- choose colors $ϕ_{a}, ϕ_{b}$ in ${0, 1, 2}$ s.t. $ϕ_{a} \neq = ϕ_{b}$ at random
  - and for all other $v \neq = a, b$ , set $ϕ_{v} = 2$
- simulated-view: commitments to edges
  - and decommitting the challenge $ϕ_{a}, ϕ_{b}$
- however: all except the challenge: the same color
  - although computationally indistinguishable
simulation for any verifier
- simulator $S$ on input $G$ and verifier $V^{*}$ for $i = 1, \dots, ∣ E ∣^{2}$
- choose random edge $(a, b)$
- generate commitments $co m$ to colors as in honest simulation
- run $V^{*}$ on $co m$ to obtain challenge $(a^{*}, b^{*})$
- $(a^{*}, b^{*}) = (a, b)$ ⇒ then output simulation as honest case
- if “all” iterations fail: output $⊥$
now: we haze many CZK examples as NP-languages

Protocol design applications

can prover properties on $m$ without revealing $m$
- only $E (m)$ of $h (m)$
- as well as on relationship
generally: a tool to enforce honest behavior in protocols w/o revealing any information
idea: protocol players sends along w/ each next-msg, a ZK proof that *next-msg* = Protocol(history h, randomness r) on history h & c=commit(r)
- possible since $L = {\exists r$ s.t. *next-msg* = Protocol(h,r) & c=commit(r) $}$ in NP
used in
- preventing identity theft
- computation delegation
- ??? nuclear disarmament, forensics
- ⭐Zcash: Bit Coin w/ privacy and anonymity
- ZK and verification dilemmas in the law
interactive proof: also used in complexity theory
- can we do something in IP that traditional proof can’t?
  - 🧑‍🏫 yes
- classical verification on proving non-isomorphic
  - e.g. checking edge-by-edge
  - takes $n!$ time → efficient verification is impossible
in IP
- input: $G_{0}, G_{1}$
- V: flip coin $c \in {0, 1}$ , pick random $γ$
  - $H = γ (G_{c})$
- P: if $H$ is isomorphic to $G_{0}$ : then $b = 0$ , else 1
- V: reject if $b \neq = c$
  - accept after $k$ repetitions
  - $V$ : learns whether graph $H$ of his choice is isomorphic to $G_{0}$ or $G_{1}$
    - to fix: V must prove to P in ZK that he knows isomorphism $γ$
- however: it’s not zero-knowledge for any $V^{*}$ (unless it’s honest)
Fiat-Shamir: removal of interaction?
- given ideal hash $h$
- $a_{1}, r, a_{2} \to V (x, a_{1}, r, a_{2})$
- can be replaced by $V (x, a_{1}, h (a_{1}), a_{2})$

Highlights

before IP: notion of proof was NP
NP verification: sending solution ( $\exists$ solution)
Co-NP verification: impossible (0 solutions)
number of solutions for a statement
- cannot be verified
PSPACE: not known
- i.e. alternation of quantifier
w/ IP: all can be done!
- PSPACE = IP
arriver of the second prover: MIP (2020)
- can get unconditional ZK for all NP
- lead to PCP theorem
- and combined w/ quantum computing: and.. smth crazy

Zero Knowledge Proof MOOC

Introduction and History of ZKP

Date: 2024-08-25 03:05:06

Reviewed:

Topic / Chapter: Introduction and History of ZKP

Notes