Crytography Zero Knowledge Proof Application, Lecture Notes - Computer Science, Study notes of Cryptography and System Security

Prof. Salil Vadhan, Prof. Alon Rosen, Computer Science, Cryptography, Zero-Knowledge Proofs, Compiling Protocols to Handle Malicious Adversaries, Harvard, Lecture Notes

Typology: Study notes

2010/2011

Uploaded on 11/02/2011

thecoral
thecoral 🇺🇸

4.5

(30)

395 documents

1 / 3

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
CS 120/ E-177: Introduction to Cryptography
Salil Vadhan and Alon Rosen Dec. 14, 2006
Lecture Notes 21:
Zero-Knowledge Proofs II
Recommended Reading.
Vadhan, Interactive & Zero-Knowledge Proofs, from IAS/PCMI Summer School on Compu-
tational Complexity, Secs 1.1, 1.2, 2.1, 2.2.
Goldreich, Chapter 4 (up to 4.4)
1 Zero Knowledge for NP
An NP-complete problem: Graph 3-Coloring.
An (undirected) graph G= (W, E) is 3-colorable if there is a function C:W {R, Y, B}
such that for all (u, v)E,C(u)6=C(v).
3COL ={G:Gis 3-colorable}.
For every LNP, there is a poly-time fsuch that xLf(x)3COL.
Moreover, given any NP proof system for L, we can choose fsuch that valid NP proofs for
xLcan be mapped in poly-time to valid 3-colorings of f(x).
Cut and Choose:
G3COL C³V(u,v)EC(u)6=C(v)´.
If we randomly permute the 3 colors, each pair (C(u), C(v)) for u6=vreveals no information.
Have prover ‘commit’ to randomized coloring C, verifier pick a random edge.
Physical Zero-Knowledge Proof: See video.
1
pf3

Partial preview of the text

Download Crytography Zero Knowledge Proof Application, Lecture Notes - Computer Science and more Study notes Cryptography and System Security in PDF only on Docsity!

CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Dec. 14, 2006

Lecture Notes 21:

Zero-Knowledge Proofs II

Recommended Reading.

  • Vadhan, Interactive & Zero-Knowledge Proofs, from IAS/PCMI Summer School on Compu- tational Complexity, Secs 1.1, 1.2, 2.1, 2.2.
  • Goldreich, Chapter 4 (up to 4.4)

1 Zero Knowledge for NP

An NP-complete problem: Graph 3-Coloring.

  • An (undirected) graph G = (W, E) is 3-colorable if there is a function C : W → {R, Y, B} such that for all (u, v) ∈ E, C(u) 6 = C(v).
  • 3COL = {G : G is 3-colorable}.
  • For every L ∈ NP, there is a poly-time f such that x ∈ L ⇔ f (x) ∈ 3COL.
  • Moreover, given any NP proof system for L, we can choose f such that valid NP proofs for x ∈ L can be mapped in poly-time to valid 3-colorings of f (x).

Cut and Choose:

  • G ∈ 3COL ⇔ ∃C

(u,v)∈E C(u)^6 =^ C(v)

  • If we randomly permute the 3 colors, each pair (C(u), C(v)) for u 6 = v reveals no information.
  • Have prover ‘commit’ to randomized coloring C, verifier pick a random edge.

Physical Zero-Knowledge Proof: See video.

Definition 1 A commitment scheme over message space P = ⋃ n Pn is a polynomial-time com- putable function Com(m, k) satisfying:

  • (Hiding) For every m, m′^ ∈ Pn such that ‖m‖ = ‖m′‖, Com(m, K) ≡c Com(m′, K), when K ← {R 0 , 1 }n.
  • (Binding) There do not exist m 6 = m′^ and k, k′^ such that Com(m, k) = Com(m, k′).

Zero-Knowledge Proof for Graph 3-Coloring

Common input: A graph G = (W, E) on n vertices. Prover’s input: A valid 3-coloring C : W → {R, Y, B} (in case G ∈ 3COL)

  1. P : Choose a permutation π : {R, Y, B} → {R, Y, B} uniformly at random, and set C′^ = π ◦C. For every vertex w ∈ W , choose kw ← {R 0 , 1 }n^ and send zw = Com(C′(w), kw) to V.
  2. V : Choose an edge (u, v) ←R E, and send (u, v) to P.
  3. P : Check that (u, v) ∈ E, and if so send C′(u), C′(v), ku, kv to V.
  4. V : Accept if C′(u) 6 = C′(v), zu = Com(C′(u), ku) and zv = Com(C′(v), kv).

Theorem 2 Above is a zero-knowledge proof for Graph 3-Coloring.

Proof:

  • Perfect completeness.
  • Soundness error 1 − 1 /|E|. Reduce by repetition.

Simulator SV^ ∗ , on input G = (W, E):

  1. Select (u, v) ←R E.
  2. Define a coloring C′^ by setting (C′(u), C′(v)) to be two random distinct colors in {R, Y, B}, and setting C′(w) = R for all other vertices w.
  3. For every w ∈ W , choose kw ← {R 0 , 1 }n, and set zw = Com(C′(w), kw).
  4. Select random coin tosses r for V ∗, and let (u∗, v∗) = V ∗(G, {zw}w∈W ; r).
  5. If (u∗, v∗) 6 = (u, v), output fail. Otherwise, output ({zw}w∈W , (u, v), (ku, kv, C′(u), C′(v)); r).

Claim 3 For every PPT V ∗^ and G ∈ 3COL, we have

  1. SV^ ∗ (G) succeeds with probability at least 1 /|E| − neg(n), and