Zero Knowledge Proofs and Their Applications, Lecture notes of Mathematics

The concept of zero knowledge proofs and their applications in various fields, including nuclear disarmament. It explains how zero knowledge proofs can fully convince that a statement is true without yielding any additional knowledge. The document also provides examples of interactive proof systems and hypothesis testing. It is a useful resource for students studying cryptography and related fields.

Typology: Lecture notes

2020/2021

Available from 07/13/2023

13 Zero knowledge proofs

The notion of proof is central to so many fields. In mathematics, we want to prove that a certain assertion is correct. In other sciences, we often want to accumulate a preponderance of evidence (or statistical significance) to reject certain hypotheses. In criminal law the prosecution famously needs to prove its case “beyond a reasonable doubt”. Cryptography turns out to give some new twists on this ancient notion.

Typically a proof that some assertion X is true also reveals some information about why X is true. When Hercule Poirot proves that Norman Gale killed Madame Giselle he does so by showing how Gale committed the murder by dressing up as a flight attendant and stabbing Madame Giselle with a poisoned dart. Could Hercule convince us beyond a reasonable doubt that Gale did the crime without giving any information on how the crime was committed? Can the Russians prove to the U.S. that a sealed box contains an authentic nuclear warhead without revealing anything about its design? Can I prove to you that the number 𝑚 = 385,608,108,395,369,363,400,501,273,594,475,104,405,448,848,047,062,278,473,983 has a prime factor whose last digit is 7 without giving you any information about 𝑚’s prime factors? We won’t answer the first question, but will show some insights on the latter two.^1

Zero knowledge proofs are proofs that fully convince that a statement is true without yielding any additional knowledge. So, after seeing a zero knowledge proof that 𝑚 has a factor ending with 7, you’ll be no closer to knowing 𝑚’s factorization than you were before. Zero knowledge proofs were invented by Goldwasser, Micali and Rackoff in 1982 and have since been used in a great many settings. How would you achieve such a thing, or even define it? And why on earth would it be useful? This is the topic of this lecture.

(^1) In case you are curious, the factors of 𝑚 are 1,172,192,558,529,627,184,841,954,822,099 and 328,963,108,995,562,790,517,498,071,717.

Compiled on 11.17.2021 22:35

272 an intensive introduction to cryptography

(^2) To be fair, “only” about 170 million Americans live in the 50 largest metropolitan areas and so arguably many people will survive at least the initial impact of a nuclear war, though it had been estimated that even a “small” nuclear war involving detonation of 100 not too large warheads could have devastating global consequences.

This chapter will rely on the notion of NP completeness, as well as the view of NP as proof systems. For a review of this notion, please see this chapter of my introduction to TCS text.

13.1 APPLICATIONS FOR ZERO KNOWLEDGE PROOFS.

Before we talk about how to achieve zero knowledge, let us discuss some of its potential applications:

13.1.1 Nuclear disarmament

The United States and Russia have reached a dangerous and expensive equilibrium where each has about 7000 nuclear warheads, much more than is needed to decimate each other’s population (and the population of much of the rest of the world).^2 Having so many weapons increases the chance of “leakage” of weapons, or of an accidental launch (which can result in an all out war) through a fault in communications or rogue commanders. This also threatens the delicate balance of the Non-Proliferation Treaty, which at its core is a bargain where non-weapons states agree not to pursue nuclear weapons and the five nuclear weapon states agree to make progress on nuclear disarmament. These huge quantities of nuclear weapons are not only dangerous, as they increase the chance of a leak or of an individual failure or rogue commander causing a world catastrophe, but also extremely expensive to maintain.

For all of these reasons, in 2009, U.S. President Obama called to set as a long term goal a “world without nuclear weapons” and in 2012 spoke concretely about talking to Russia about reducing “not only our strategic nuclear warheads, but also tactical weapons and warheads in reserve”. On the other side, Russian President Putin has said already in 2000 that he sees “no obstacles that could hamper future deep cuts of strategic offensive armaments”. (Though as of 2018, political winds on both sides have shifted away from disarmament and more toward armament.)

There are many reasons why progress on nuclear disarmament has been so slow, and most of them have nothing to do with zero knowledge or any other piece of technology. But there are some technical hurdles as well. One of those hurdles is that for the U.S. and Russia to go beyond restricting the number of deployed weapons to significantly reducing the stockpiles, they need to find a way for one country to verifiably prove that it has dismantled warheads. As mentioned in my work with Glaser and Goldston (see also this page), a key stumbling block is that the design of a nuclear warhead is of course highly clas-


(^4) Integers can be coded as sets in various ways. For example, one can encode 0 as ∅ and if 𝑁 is the set encoding 𝑛, we can encode 𝑛 + 1 using the (𝑛 + 1)-element set {𝑁} ∪ 𝑁.

13.2 DEFINING AND CONSTRUCTING ZERO KNOWLEDGE PROOFS

So, zero knowledge proofs are wonderful objects, but how do we get them? In fact, we haven’t answered the even more basic question of how we define zero knowledge. We have to start with the most basic task of defining what we mean by a proof. A proof system can be thought of as an algorithm 𝑉 (for “verifier”) that takes as input a statement, which is some string 𝑥, and another string 𝜋 known as the proof, and outputs 1 if and only if 𝜋 is a valid proof that the statement 𝑥 is correct. For example:

  • In Euclidean geometry , statements are geometric facts such as “in any triangle the degrees sum to 180 degrees” and the proofs are step by step derivations of the statements from the five basic postulates.
  • In Zermelo-Fraenkel + Axiom of Choice (ZFC) a statement is some purported fact about sets (e.g., the Riemann Hypothesis^4 ), and a proof is a step by step derivation of it from the axioms.
  • We can define many other “theories”. For example, a theory where the statements are pairs (𝑥, 𝑚) such that 𝑥 is a quadratic residue modulo 𝑚 and a proof for 𝑥 is the number 𝑠 such that 𝑥 = 𝑠^2 (mod 𝑚), or a theory where the theorems are Hamiltonian graphs 𝐺 (graphs on 𝑛 vertices that contain an 𝑛-long cycle) and the proofs are the description of the cycle.

All these proof systems have the property that the verifying algorithm 𝑉 is efficient. Indeed, that’s the whole point of a proof 𝜋 - it’s a sequence of symbols that makes it easy to verify that the statement is true. To achieve the notion of zero knowledge proofs, Goldwasser and Micali had to consider a generalization of proofs from static sequences of symbols to interactive probabilistic protocols between a prover and a verifier.

Let’s start with an informal example. The vast majority of humans have three types of cone cells in their eyes. The reason why we perceive the sky as blue (see also this), despite its color being quite a different spectrum than the blue of the rainbow, is that the projection of the sky’s color to our cones is closest to the projection of blue. It has been suggested that a tiny fraction of the human population might have four functioning cones (in fact, only women, as it would require two X chromosomes and a certain mutation). How would a person prove to another that she is in fact such a tetrachromat?

Proof of tetrachromacy: Suppose that Alice is a tetrachromat and can distinguish between the colors of two pieces of plastic that would be identical to a trichromat. She wants to prove to a trichromat Bob that the two pieces are not identical. She can do this as follows: Alice and Bob will repeat the following experiment 𝑛 times: Alice turns her back and Bob tosses a coin and with probability 1/2 leaves the pieces as they are, and with probability 1/2 switches the right piece with the left piece. Alice needs to guess whether Bob switched the pieces or not. If Alice is successful in all of the 𝑛 repetitions then Bob will have 1 − 2^(−𝑛) confidence that the pieces are truly different.

A similar “proof” inspired the influential notion of hypothesis testing in statistics. Dr. Muriel Bristol said that she prefers the taste of tea when the milk is put first into the cup and tea later, rather than vice versa. The statistician Ronald Fisher did not believe her. William Roach (like Bristol, a chemist, and her future husband) proposed a probabilistic test, whereby eight cups would be poured for Bristol, each randomly chosen to either be “milk first” or “tea first”. Bristol correctly identified all 8 cups. Pondering this experiment, and the level of confidence it gave for rejecting the “null hypothesis” that Bristol simply guessed randomly, led Fisher to develop hypothesis testing and the now ubiquitous “𝑝 values”.

We now consider a more “mathematical” example along similar lines. Recall that if 𝑥 and 𝑚 are numbers then we say that 𝑥 is a quadratic residue modulo 𝑚 if there is some 𝑠 such that 𝑥 = 𝑠^2 (mod 𝑚). Let us define the function NQR(𝑚, 𝑥) to output 1 if and only if 𝑥 ≠ 𝑠^2 (mod 𝑚) for every 𝑠 ∈ {0, … , 𝑚 − 1}. There is a very simple way to prove statements of the form “NQR(𝑚, 𝑥) = 0”: just give out 𝑠. However, here is an interactive proof system to prove statements of the form “NQR(𝑚, 𝑥) = 1”:

  • We have two parties: Alice and Bob. The common input is (𝑚, 𝑥) and Alice wants to convince Bob that NQR (𝑚, 𝑥) = 1. (That is, that 𝑥 is not a quadratic residue modulo 𝑚).
  • We assume that Alice can compute NQR (𝑚, 𝑤) for every 𝑤 ∈ {0, … , 𝑚 − 1} but Bob is polynomial time.
  • The protocol will work as follows:
  1. Bob will pick some random 𝑠 ∈ ℤ∗𝑚 (e.g., by picking a random number in {1, … , 𝑚 − 1} and discarding it if it has a nontrivial g.c.d. with 𝑚) and toss a coin 𝑏 ∈ {0, 1}. If 𝑏 = 0 then Bob will send 𝑠^2 (mod 𝑚) to Alice and otherwise he will send 𝑥𝑠^2 (mod 𝑚) to Alice.
  2. Alice will use her ability to compute NQR(𝑚, ⋅) to respond with 𝑏′ = 0 if Bob sent a quadratic residue and with 𝑏′ = 1 otherwise.


(^5) People have considered the notion of zero knowl- edge systems where soundness holds only with re- spect to efficient provers; these are known as argument systems.

soundness condition holds even if the prover uses a non efficient strategy.^5 We say that a proof system has an efficient prover if there is an NP-type proof system Π for 𝐿 (that is, some efficient algorithm Π such that there exists 𝜋 with Π(𝑥, 𝜋) = 1 iff 𝑥 ∈ 𝐿, and such that Π(𝑥, 𝜋) = 1 implies that |𝜋| ≤ 𝑝𝑜𝑙𝑦(|𝑥|)), such that the strategy for 𝑃 can be implemented efficiently given any static proof 𝜋 for 𝑥 in this system.

Remark 13.3 — Notation for strategies. Up until now, we always considered cryptographic protocols where Alice and Bob trusted one another, but were worried about some adversary controlling the channel between them. Now we are in a somewhat more “suspicious” setting where the parties do not fully trust one another. In such protocols there is always a “prescribed” or honest strategy that a particular party should follow, but we generally don’t want the other parties’ security to rely on someone else’s good intention, and hence analyze also the case where a party uses an arbitrary malicious strategy. We sometimes also consider the honest but curious case where the adversary is passive and only collects information, but does not deviate from the prescribed strategy. Protocols typically only guarantee security for party A when it behaves honestly - a party can always choose to violate its own security and there is not much we can (or should?) do about it.

13.3 DEFINING ZERO KNOWLEDGE

So far we merely defined the notion of an interactive proof system, but we need to define what it means for a proof to be zero knowledge. Before we attempt a definition, let us consider an example. Going back to the notion of quadratic residuosity, suppose that 𝑥 and 𝑚 are public and Alice knows 𝑠 such that 𝑥 = 𝑠^2 (mod 𝑚). She wants to convince Bob that this is the case. However she prefers not to reveal 𝑠. Can she convince Bob that such an 𝑠 exists without revealing any information about it? Here is a way to do so:

Protocol ZK-QR: Public input for Alice and Bob: 𝑥, 𝑚; Alice’s private input is 𝑠 such that 𝑥 = 𝑠^2 (mod 𝑚).

  1. Alice will pick a random 𝑠′ and send to Bob 𝑥′ = 𝑥𝑠′^2 (mod 𝑚).
  2. Bob will pick a random bit 𝑏 ∈ {0, 1} and send 𝑏 to Alice.
  3. If 𝑏 = 0 then Alice reveals 𝑠𝑠′, hence giving out a root for 𝑥′; if 𝑏 = 1 then Alice reveals 𝑠′, hence showing a root for 𝑥′𝑥^(−1).
  4. Bob checks that the value 𝑠″ revealed by Alice is indeed a root of 𝑥′𝑥^(−𝑏); if so then it “accepts” the proof.

If 𝑥 was not a quadratic residue then no matter how 𝑥′ was chosen, either 𝑥′ or 𝑥′𝑥^(−1) is not a residue and hence Bob will reject the proof with probability at least 1/2. By repeating this 𝑛 times, we can reduce the probability of Bob accepting the proof of a non residue to 2^(−𝑛). On the other hand, we claim that we didn’t really reveal anything about 𝑠. Indeed, if Bob chooses 𝑏 = 0, then the two messages (𝑥′, 𝑠𝑠′) he sees can be thought of as a random quadratic residue 𝑥′ and its root. If Bob chooses 𝑏 = 1 then after dividing by 𝑥 (which he could have done by himself) he still gets a random residue 𝑥″ and its root 𝑠′. In both cases, the distribution of these two messages is completely independent of 𝑠, and hence intuitively yields no additional information about it beyond whatever Bob knew before.

To define zero knowledge mathematically we follow this intuition:
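Protocol ZK-QR run end to end, as an added example (this is not code from the notes): an honest Alice who knows a root is always accepted, while a prover holding a non-residue can only guess Bob's bit in advance, so each round catches her with probability 1/2. The toy modulus 𝑚 = 7·11 and the secret root are constructed values; a real 𝑚 would be of cryptographic size.

```python
from math import gcd
import random

M = 7 * 11          # constructed toy modulus (a real m would be ~2048 bits)
S = 23              # Alice's secret root, a constructed value
X = S * S % M       # public residue x = s^2 (mod m); here 67


def rand_unit(m, rng):
    """Uniform element of Z_m^*: sample in {1..m-1}, reject non-units."""
    while True:
        v = rng.randrange(1, m)
        if gcd(v, m) == 1:
            return v


def prover_commit(x, m, s, rng):
    """Step 1: Alice picks a random s' and sends x' = x*s'^2 (mod m)."""
    s_prime = rand_unit(m, rng)
    return s_prime, x * s_prime * s_prime % m


def prover_respond(s, s_prime, b, m):
    """Step 3: open a root of x' (b=0 gives s*s') or of x'/x (b=1 gives s')."""
    return s * s_prime % m if b == 0 else s_prime


def verifier_check(x, m, x_prime, b, s_dd):
    """Step 4: Bob accepts iff s''^2 == x' * x^(-b) (mod m)."""
    target = x_prime if b == 0 else x_prime * pow(x, -1, m) % m
    return s_dd * s_dd % m == target


def run_honest(x, m, s, rounds, seed=0):
    """Completeness: an honest Alice who knows a root is always accepted."""
    rng = random.Random(seed)
    for _ in range(rounds):
        s_prime, x_prime = prover_commit(x, m, s, rng)
        b = rng.randrange(2)                      # Step 2: Bob's coin
        if not verifier_check(x, m, x_prime, b, prover_respond(s, s_prime, b, m)):
            return False
    return True


def cheating_round(x, m, guess, b):
    """Soundness: here x is a NON-residue, so nobody holds a root of x.
    The cheater's best move is to guess Bob's bit in advance: guessing 0 she
    commits to a residue t^2 (openable only as a root of x'); guessing 1 she
    commits to x*t^2 (openable only as a root of x'/x).  Returns Bob's verdict,
    which is True exactly when guess == b."""
    t = 5                                         # any unit; fixed so the outcome is deterministic
    x_prime = t * t % m if guess == 0 else x * t * t % m
    return verifier_check(x, m, x_prime, b, t)


def cheater_success_rate(x, m, rounds, seed=0, trials=2000):
    """Empirical chance a cheater survives `rounds` rounds (theory: 2^-rounds)."""
    rng = random.Random(seed)
    wins = sum(
        all(cheating_round(x, m, rng.randrange(2), rng.randrange(2))
            for _ in range(rounds))
        for _ in range(trials))
    return wins / trials


def is_qr(x, m):
    """Brute-force residuosity test on the toy modulus (Alice's NQR oracle)."""
    return any(v * v % m == x % m for v in range(m))
```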

A proof system is zero knowledge if the verifier did not learn anything after the interaction that he could not have learned on his own.

Despite the name “zero knowledge”, we do not claim that the verifier does not know anything about the private input 𝑠. For example, if 𝑚 = 𝑝 ⋅ 𝑞 for two primes 𝑝, 𝑞, then each 𝑥 ∈ ℤ∗𝑚 has at most four square roots, and if the verifier could compute square roots then they could narrow 𝑠 down to these four possibilities. However, the point is that this is knowledge that the verifier already had even before the interaction with the prover, and so participating in the proof resulted in zero additional knowledge. Here is how we formally define zero knowledge:

Definition 13.4 — Zero knowledge proofs. A proof system (𝑃, 𝑉) for 𝑓 is zero knowledge if for every efficient verifier strategy 𝑉∗ there exists an efficient probabilistic algorithm 𝑆∗ (known as the simulator) such that for every 𝑥 s.t. 𝑓(𝑥) = 1, the following random variables are computationally indistinguishable:

  • The output of 𝑉∗ after interacting with 𝑃 on input 𝑥.
  • The output of 𝑆∗ on input 𝑥.

That is, we can show the verifier does not gain anything from the interaction, because no matter what algorithm 𝑉∗ he uses, whatever he learned as a result of interacting with the prover, he could have just


  • 𝑉₂(𝑥, 𝑚, 𝑥′, 𝑠″) is whatever Bob outputs after seeing Alice’s response 𝑠″ to the bit 𝑏.

Both 𝑉₁ and 𝑉₂ are efficiently computable. We now need to come up with an efficient simulator 𝑆∗ that is a standalone algorithm that on input 𝑥, 𝑚 will output a distribution indistinguishable from the output of 𝑉∗. The simulator 𝑆∗ will work as follows:

  1. Pick 𝑏′ ←𝑅 {0, 1}.
  2. Pick 𝑠″ at random in ℤ∗𝑚. If 𝑏′ = 0 then let 𝑥′ = 𝑠″^2 (mod 𝑚). Otherwise let 𝑥′ = 𝑥𝑠″^2 (mod 𝑚).
  3. Let 𝑏 = 𝑉₁(𝑥, 𝑚, 𝑥′). If 𝑏 ≠ 𝑏′ then go back to step 1.
  4. Output 𝑉₂(𝑥, 𝑚, 𝑥′, 𝑠″).

The correctness of the simulator follows from the following claims (all of which assume that 𝑥 is actually a quadratic residue, since otherwise we don’t need to make any guarantees and in any case Alice’s behaviour is not well defined):

Claim 1: The distribution of 𝑥′ computed by 𝑆∗ is identical to the distribution of 𝑥′ chosen by Alice.

Claim 2: With probability at least 1/2, 𝑏′ = 𝑏.

Claim 3: Conditioned on 𝑏 = 𝑏′ and the value 𝑥′ computed in step 2, the value 𝑠″ computed by 𝑆∗ is identical to the value that Alice sends when her first message is 𝑥′ and Bob’s response is 𝑏.

Together these three claims imply that in expectation 𝑆∗ only invokes 𝑉₁ and 𝑉₂ a constant number of times (since every time it goes back to step 1 with probability at most 1/2). They also imply that the output of 𝑆∗ is in fact identical to the output of 𝑉∗ in a true interaction with Alice. Thus, we only need to prove the claims, which is actually quite easy:

Proof of Claim 1: In both cases, 𝑥′ is a random quadratic residue. QED (Claim 1)

Proof of Claim 2: This is a corollary of Claim 1; since the distribution of 𝑥′ is identical to the distribution chosen by Alice, in particular 𝑥′ gives out no information about the choice of 𝑏′. QED (Claim 2)

Proof of Claim 3: This follows from a direct calculation. The value 𝑠″ sent by Alice is a square root of 𝑥′ if 𝑏 = 0 and of 𝑥′𝑥^(−1) if 𝑏 = 1. But this is identical to what happens for 𝑆∗ if 𝑏 = 𝑏′. QED (Claim 3)

Together these complete the proof of the theorem. ■
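The simulator 𝑆∗ and Claims 1–3 made concrete, as an added example that is not code from the notes: a rewinding simulator for ZK-QR against an arbitrary deterministic verifier strategy (𝑉₁, 𝑉₂), plus an exact enumeration over the toy modulus 𝑚 = 7·11 showing that the real and simulated output distributions coincide and that a pass of the loop succeeds with probability exactly 1/2. The modulus, the secret root and the biased 𝑉₁ are constructed values.

```python
from collections import Counter
from fractions import Fraction
from math import gcd
import random

M = 7 * 11                                          # constructed toy modulus
S = 23                                              # Alice's secret root (constructed)
X = S * S % M                                       # public residue x = s^2 (mod m)
UNITS = [v for v in range(1, M) if gcd(v, M) == 1]  # Z_m^*, 60 elements


def v1_example(x, m, x_prime):
    """A (possibly malicious) verifier's first-message strategy V1: any
    deterministic function of (x, m, x').  Constructed to bias the challenge
    bit on x' instead of tossing a fair coin."""
    return (x_prime + x) % 2


def v2_example(x, m, x_prime, s_dd):
    """V2: what the verifier outputs at the end; here the whole transcript."""
    return (x_prime, v1_example(x, m, x_prime), s_dd)


def real_interaction(x, m, s, v1, v2, seed=0):
    """One honest ZK-QR execution of Alice (who knows s) against (V1, V2)."""
    rng = random.Random(seed)
    s_prime = rng.choice(UNITS)
    x_prime = x * s_prime * s_prime % m
    b = v1(x, m, x_prime)
    s_dd = s * s_prime % m if b == 0 else s_prime
    return v2(x, m, x_prime, s_dd)


def simulate(x, m, v1, v2, seed=0):
    """S*: guess b', build x' so that a root for that guess is known, run V1,
    and rewind (resample) whenever the guess was wrong.  Never touches s."""
    rng = random.Random(seed)
    while True:
        b_guess = rng.randrange(2)                                   # step 1
        s_dd = rng.choice(UNITS)                                     # step 2
        x_prime = s_dd * s_dd % m if b_guess == 0 else x * s_dd * s_dd % m
        if v1(x, m, x_prime) == b_guess:                             # step 3
            return v2(x, m, x_prime, s_dd)                           # step 4


def real_distribution(x, m, s, v1, v2):
    """Exact law of V2's output in a real interaction, enumerating uniform s'."""
    dist = Counter()
    for s_prime in UNITS:
        x_prime = x * s_prime * s_prime % m
        b = v1(x, m, x_prime)
        s_dd = s * s_prime % m if b == 0 else s_prime
        dist[v2(x, m, x_prime, s_dd)] += Fraction(1, len(UNITS))
    return dist


def simulated_distribution(x, m, v1, v2):
    """Exact law of S*'s output (one pass of the loop, conditioned on not
    rewinding; passes are independent so this is S*'s output law) and the
    per-pass success probability, which Claim 2 bounds below by 1/2."""
    dist, success = Counter(), Fraction(0)
    for b_guess in (0, 1):
        for s_dd in UNITS:
            x_prime = s_dd * s_dd % m if b_guess == 0 else x * s_dd * s_dd % m
            if v1(x, m, x_prime) == b_guess:
                dist[v2(x, m, x_prime, s_dd)] += Fraction(1, 2 * len(UNITS))
                success += Fraction(1, 2 * len(UNITS))
    return Counter({k: v / success for k, v in dist.items()}), success


def transcript_valid(x, m, transcript):
    """Bob's check on a transcript (x', b, s''): s''^2 == x' * x^(-b) (mod m)."""
    x_prime, b, s_dd = transcript
    target = x_prime if b == 0 else x_prime * pow(x, -1, m) % m
    return s_dd * s_dd % m == target
```

Because the verifier strategy is passed in as a function, the same enumeration can be rerun with any other deterministic 𝑉₁ and the two distributions still match, which is what Claim 1 and Claim 3 say.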

Theorem 13.6 is interesting but not yet good enough to guarantee security in practice. After all, the protocol that we really need to show is zero knowledge is the one where we repeat this procedure 𝑛 times. There is a general theorem that if a protocol is zero knowledge then repeating it polynomially many times one after the other (so called “sequential repetition”) preserves zero knowledge. You can think of this as cryptography’s version of the equality “0 + 0 = 0”, but as usual, intuitive things are not always correct and so this theorem does require (a not super trivial) proof. It is a good exercise to try to prove it on your own. There are known ways to achieve zero knowledge with negligible soundness error and a constant number of communication rounds, see Goldreich’s book (Vol 1, Sec 4.9).

13.4 ZERO KNOWLEDGE PROOF FOR HAMILTONICITY.

We now show a proof for another language. Suppose that Alice and Bob know an 𝑛-vertex graph 𝐺 and Alice knows a Hamiltonian cycle 𝐶 in this graph (i.e. a length-𝑛 simple cycle, one that traverses all vertices exactly once). Here is how Alice can prove that such a cycle exists without revealing any information about it.

Protocol ZK-Ham:

  1. Common input: graph 𝐻 (in the form of an 𝑛 × 𝑛 adjacency matrix). Alice’s private input: a Hamiltonian cycle 𝐶 = (𝐶₁, … , 𝐶𝑛) which are distinct vertices such that (𝐶ℓ, 𝐶ℓ+1) is an edge in 𝐻 for all ℓ ∈ {1, … , 𝑛 − 1} and (𝐶𝑛, 𝐶₁) is an edge as well. Below we assume that 𝐺 ∶ {0, 1}^𝑛 → {0, 1}^(3𝑛) is a pseudorandom generator.
  2. Bob chooses a random string 𝑧 ∈ {0, 1}^(3𝑛).
  3. Alice chooses a random permutation 𝜋 on {1, … , 𝑛} and lets 𝑀 be the 𝜋-permuted adjacency matrix of 𝐻 (i.e., 𝑀𝜋(𝑖),𝜋(𝑗) = 1 iff (𝑖, 𝑗) is an edge in 𝐻). For every 𝑖, 𝑗, Alice chooses a random string 𝑥𝑖,𝑗 ∈ {0, 1}^𝑛 and lets 𝑦𝑖,𝑗 = 𝐺(𝑥𝑖,𝑗) ⊕ 𝑀𝑖,𝑗𝑧. She sends {𝑦𝑖,𝑗}𝑖,𝑗∈[𝑛] to Bob.
  4. Bob chooses a bit 𝑏 ∈ {0, 1}.
  5. If 𝑏 = 0 then Alice sends out 𝜋 and the strings {𝑥𝑖,𝑗} for all 𝑖, 𝑗; if 𝑏 = 1 then Alice sends out the 𝑛 strings 𝑥𝜋(𝐶₁),𝜋(𝐶₂), … , 𝑥𝜋(𝐶𝑛),𝜋(𝐶₁) together with their indices.
  6. If 𝑏 = 0 then Bob computes 𝑀 to be the 𝜋-permuted adjacency matrix of 𝐻 and verifies that all the 𝑦𝑖,𝑗’s were computed from the 𝑥𝑖,𝑗’s appropriately. If so then Bob accepts the proof, and otherwise he rejects it. If 𝑏 = 1 then Bob verifies that the indices of the strings {𝑥𝑖,𝑗} sent by Alice form a cycle and that indeed 𝑦𝑖,𝑗 = 𝐺(𝑥𝑖,𝑗) ⊕ 𝑧
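Protocol ZK-Ham as runnable code, an added example that is not from the notes. Assumptions: the pseudorandom generator 𝐺 is stood in for by SHA-256 expansion; the seed length is set to 32 bits rather than the vertex count 𝑛 so that the toy commitments are binding; the 5-vertex graph 𝐻 and its Hamiltonian cycle are constructed.

```python
import hashlib
import random

N = 5                                # number of vertices in the constructed graph
SEC = 32                             # PRG seed bits; the notes use n here, we use 32 so
OUT_BITS = 3 * SEC                   # the toy commitments are binding; G: {0,1}^SEC -> {0,1}^3SEC
# Constructed H: the cycle 0-1-2-3-4-0 plus the chords (0,2) and (1,3).
EDGES = {(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2), (1, 3)}
H = [[1 if (i, j) in EDGES or (j, i) in EDGES else 0 for j in range(N)] for i in range(N)]
CYCLE = [0, 1, 2, 3, 4]              # Alice's private Hamiltonian cycle C


def G(seed):
    """Stand-in PRG: SHA-256 of the seed, truncated to 3*SEC output bits."""
    digest = hashlib.sha256(seed.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") & ((1 << OUT_BITS) - 1)


def permute(h, pi):
    """The pi-permuted adjacency matrix M: M[pi(i)][pi(j)] = H[i][j]."""
    n = len(h)
    m = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            m[pi[i]][pi[j]] = h[i][j]
    return m


def alice_commit(h, z, rng):
    """Step 3: permute H and commit to each entry as y_ij = G(x_ij) XOR M_ij*z."""
    n = len(h)
    pi = list(range(n))
    rng.shuffle(pi)
    m = permute(h, pi)
    xs = [[rng.randrange(1 << SEC) for _ in range(n)] for _ in range(n)]
    ys = [[G(xs[i][j]) ^ (z if m[i][j] else 0) for j in range(n)] for i in range(n)]
    return pi, xs, ys


def alice_open(pi, xs, cycle, b):
    """Step 5: b=0 reveals pi and every seed; b=1 reveals only the seeds at the
    permuted cycle edges (pi(C_k), pi(C_k+1)), each tagged with its index."""
    if b == 0:
        return pi, xs
    n = len(cycle)
    edges = [(pi[cycle[k]], pi[cycle[(k + 1) % n]]) for k in range(n)]
    return [((i, j), xs[i][j]) for i, j in edges]


def bob_verify(h, z, ys, b, opening):
    """Step 6: check the opening against the commitments ys."""
    n = len(h)
    if b == 0:
        pi, xs = opening
        if sorted(pi) != list(range(n)):
            return False
        m = permute(h, pi)
        return all(ys[i][j] == G(xs[i][j]) ^ (z if m[i][j] else 0)
                   for i in range(n) for j in range(n))
    # b == 1: the indices must form one n-cycle and each opened entry must be 1.
    if len(opening) != n:
        return False
    heads = [i for (i, _), _ in opening]
    tails = [j for (_, j), _ in opening]
    if sorted(heads) != list(range(n)) or tails != heads[1:] + heads[:1]:
        return False
    return all(ys[i][j] == G(x) ^ z for (i, j), x in opening)


def run_zk_ham(h, cycle, b, seed=0):
    """One round with Bob's bit fixed to b: Bob's z (step 2), Alice's
    commitment, her opening and Bob's verdict.  With a cycle that is not
    Hamiltonian in h, b=1 is rejected while b=0 still passes: soundness 1/2."""
    rng = random.Random(seed)
    z = rng.randrange(1 << OUT_BITS)
    pi, xs, ys = alice_commit(h, z, rng)
    return bob_verify(h, z, ys, b, alice_open(pi, xs, cycle, b))
```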


  1. We compute the fourth message of the protocol similarly to how Alice does it: if 𝑏 = 0 then it consists of 𝜋 and the strings {𝑥𝑖,𝑗} for all 𝑖, 𝑗; if 𝑏 = 1 then we pick a random length-𝑛 cycle 𝐶′ and the message consists of the 𝑛 strings 𝑥𝐶′₁,𝐶′₂, … , 𝑥𝐶′𝑛,𝐶′₁ together with their indices.
  2. Output whatever 𝑉∗ outputs when given the prior message.

We prove the output of the simulator is indistinguishable from the output of 𝑉∗ in an actual interaction by the following claims:

Claim 1: The message {𝑦𝑖,𝑗} computed by 𝑆∗ is computationally indistinguishable from the first message computed by Alice.

Claim 2: The probability that 𝑏 = 𝑏′ is at least 1/3.

Claim 3: The fourth message computed by 𝑆∗ is computationally indistinguishable from the fourth message computed by Alice.

We will simply sketch here the proofs (see Goldreich’s book for example for full proofs):

For Claim 1, note that if 𝑏′ = 0 then the message is identical to the way Alice computes it. If 𝑏′ = 1 then the difference is that 𝑆∗ computes some strings 𝑦𝑖,𝑗 of the form 𝐺(𝑥𝑖,𝑗) ⊕ 𝑧 where Alice would compute the corresponding strings as 𝐺(𝑥𝑖,𝑗); this is indistinguishable because 𝐺 is a pseudorandom generator (and the distribution 𝑈3𝑛 ⊕ 𝑧 is the same as 𝑈3𝑛).

Claim 2 is a corollary of Claim 1. If 𝑉∗ managed to pick a message 𝑏 such that Pr[𝑏 = 𝑏′] < 1/2 − 𝑛𝑒𝑔𝑙(𝑛) then in particular it could distinguish between the first message of Alice (that is computed independently of 𝑏′ and hence contains no information about it) and the first message of 𝑆∗.

For Claim 3, note that again if 𝑏 = 0 then the message is computed in a way identical to what Alice does. If 𝑏 = 1 then this message is also computed in a way identical to Alice, since it does not matter if instead of picking 𝐶′ at random, we picked a random permutation 𝜋 and let 𝐶′ be the image of the Hamiltonian cycle under this permutation. This completes the proof of the theorem. ■

13.4.1 Why is this interesting?

The reason that a protocol for Hamiltonicity is more interesting than a protocol for quadratic residuosity is that Hamiltonicity is an NP-complete problem. Specifically recall the following:

  • A function 𝐹 ∶ {0, 1}∗ → {0, 1} is in NP if there exists a polynomial-time algorithm 𝑉𝐹 and some integer 𝑐 such that for every 𝑥 ∈ {0, 1}∗, 𝐹(𝑥) = 1 iff there exists 𝑦 ∈ {0, 1}^(|𝑥|^𝑐) such that 𝑉𝐹(𝑥, 𝑦) = 1. Many functions of interest in all areas of math, science, engineering, and more are in the class NP.


  • Let HAM ∶ {0, 1}∗ → {0, 1} be the function that maps a graph 𝐺 to 1 if and only if 𝐺 contains a Hamiltonian cycle. Then HAM ∈ NP. Indeed, this is demonstrated by the function 𝑉𝐻𝐴𝑀 such that 𝑉𝐻𝐴𝑀(𝐺, 𝐶) = 1 iff 𝐶 is a Hamiltonian cycle in the graph 𝐺.
  • The function HAM is NP-complete. Specifically for every 𝐹, 𝑉𝐹 as above, there are efficiently computable functions 𝑟, 𝑟𝐸𝑛𝑐𝑜𝑑𝑒, 𝑟𝐷𝑒𝑐𝑜𝑑𝑒 that satisfy the following:

a. (Completeness of reduction.) For every 𝑥, 𝑦 such that 𝑉𝐹(𝑥, 𝑦) = 1, 𝑉𝐻𝐴𝑀(𝑟(𝑥), 𝑟𝐸𝑛𝑐𝑜𝑑𝑒(𝑥, 𝑦)) = 1. In particular this means that for every 𝑥 such that 𝐹(𝑥) = 1, HAM(𝑟(𝑥)) = 1. (Can you see why?)

b. (Soundness of reduction.) For every 𝑥 ∈ {0, 1}∗, if there exists 𝐶 such that 𝑉𝐻𝐴𝑀(𝑟(𝑥), 𝐶) = 1 then 𝑉𝐹(𝑥, 𝑟𝐷𝑒𝑐𝑜𝑑𝑒(𝑥, 𝐶)) = 1. In particular this means that for every 𝑥 such that HAM(𝑟(𝑥)) = 1, 𝐹(𝑥) = 1. (Can you see why?)

Using the reduction above, we can transform the zero-knowledge proof for Hamiltonicity into a zero knowledge proof for every 𝐹 ∈ NP. Specifically, to prove that 𝐹 (𝑥) = 1, the verifier and prover will use the following system (see also Fig. 13.1).

  1. Public input: 𝑥. Prover’s private input: 𝑦 such that 𝑉𝐹 (𝑥, 𝑦) = 1.
  2. Verifier and prover will compute 𝐺 = 𝑟(𝑥). Prover will compute 𝐶 = 𝑟𝐸𝑛𝑐𝑜𝑑𝑒(𝑥, 𝑦).
  3. Verifier and prover run the Hamiltonicity zero knowledge protocol, with public input 𝐺 and prover’s private input 𝐶. The verifier’s output is the output in this protocol.

Figure 13.1: Using a zero knowledge protocol for Hamiltonicity we can obtain a zero knowledge protocol for any language 𝐿 in NP. For example, if the public input is a SAT formula 𝜑 and the Prover’s secret input is a satisfying assignment 𝑥 for 𝜑 then the verifier can run the reduction on 𝜑 to obtain a graph 𝐻 and the prover can run the same reduction to obtain from 𝑥 a Hamiltonian cycle 𝐶 in 𝐻. They can then run the ZK-Ham protocol to prove that indeed 𝐻 is Hamiltonian (and hence the original formula was satisfiable) without revealing any information the verifier could not have obtained on his own.


13.5.1 “Bonus features” of zero knowledge

The following properties of zero knowledge systems are used in the literature. We might cover some in class, but mention them here. These are covered in Chapter 20 of Boneh-Shoup.

  • Proof of knowledge - it can be shown that the proof above of Hamiltonicity yields more than soundness. We can “extract” from a prover strategy that succeeds in convincing the verifier that 𝐺 is Hamiltonian with probability larger than 1/2 an actual Hamiltonian cycle. This means that the prover didn’t just convince the verifier that there exists a Hamiltonian cycle in the graph 𝐺 but also that the prover “knows” it. This notion is known as a “proof of knowledge”.
  • Arguments - if a proof system only satisfies the soundness condition with respect to polynomial-time provers, then it is called an argument system.
  • Succinct proofs - proofs that 𝐹 (𝑥) = 1 where total communication is a fixed polynomial in 𝑛 independently of the time to verify 𝐹.

Combining succinct zero-knowledge proofs with the Fiat-Shamir heuristic for non-interactivity leads to the notion of zero-knowledge succinct arguments or ZK-SNARG. If these also satisfy a “proof of knowledge” property then they are called ZK-SNARKs. These have recently been of great interest for crypto-currencies. See lectures 16- in Stanford CS 251, as well as this blog post.