Zero Knowledge Proofs. 20 Years after its Invention - PowerPoint PPT Presentation

1
Zero Knowledge Proofs. 20 Years after its Invention
  • Author
  • Oded Goldreich
  • Dept. of CS & Applied Mathematics,
  • Weizmann Institute of Science, Israel.

Presented by Mr. Sameer Seth samseth_at_gwu.edu
2
Abstract
  • Zero Knowledge Proofs are proofs that are both
    convincing and yet yield nothing beyond the
    validity of the assertion being proved.
  • We will survey the main developments regarding
    zero-knowledge, starting from the basic
    definitions and reaching the most recent and
    sophisticated results in this area.

3
Contents
  • Introduction
  • The Basics
  • Preliminaries
  • Interactive Proofs & Argument Systems
  • Computational Difficulty and One Way functions
  • Definitional Issues
  • The Basic Definition
  • Variants
  • Universal Black Box Simulators
  • Honest Verifier vs. General Cheating Verifier
  • Statistical Vs. Computational ZK
  • Strict vs. Expected Probabilistic Polynomial
    Time

4
Contents
  • Introduction
  • Advanced Topics
  • Composing ZK Protocols
  • Sequential Composition
  • Parallel Composition
  • Concurrent Composition (with & without timing)
  • ZK Proofs in other models

5
Introduction
  • They are fascinating because of their seemingly
    contradictory definition and extremely useful
    constructs.
  • They are typically used to force malicious
    parties to behave according to a predetermined
    protocol.
  • Typical applications of ZK proofs are:
  • Preservation of security under various forms of
    protocol composition.
  • Use of the adversary's program within the proof
    of security.

6
Basics (Definition)
  • ZK is formulated by saying that anything that
    is feasibly computable from a ZK proof is also
    feasibly computable from the assertion itself.
    Variants on the basic definition are:
  • Consideration of auxiliary inputs.
  • Mandating universal and black-box
    simulations.
  • Restricting attention to honest verifiers.
  • The level of similarity required of the
    simulation.
  • Zero-knowledge proofs exist for any NP-set,
    provided one-way functions exist.

7
Example of ZK Proof system
8
Preliminaries
  • Modern cryptography is concerned with the
    construction of efficient schemes for which it is
    infeasible to violate the security feature.
  • The computations of the legitimate users of the
    scheme ought to be efficient, whereas violating
    the security feature ought to be infeasible.
  • Efficient computations are commonly modeled by
    computations that are polynomial time in the
    security parameter. The polynomial bounding the
    running time of the legitimate users' strategy
    is fixed and typically explicit.
  • Randomized computations play a central role in
    the definition of ZK. We allow the legitimate
    users to employ randomized computations. This
    brings up the issue of success probability:
    typically we require legitimate users to succeed
    with probability 1 (or very close to 1) and
    adversaries to succeed with negligible
    probability.
  • A rare event should occur rarely even if we
    repeat the experiment a feasible number of
    times.

9
Preliminaries
  • We consider negligible any function
    $\mu : \mathbb{N} \to [0,1]$
    that vanishes faster than the reciprocal of any
    polynomial (i.e., for every polynomial $p$ and
    all sufficiently large $n$, $\mu(n) < 1/p(n)$).

10
Interactive Proofs and Argument System
  • The standard notion of static proofs will not do,
    because static ZK proofs exist only for sets that
    are easy to decide, whereas we are interested in
    arbitrary NP-sets. We will use the notion of an
    interactive proof. Here the proof is a
    (multi-round) randomized protocol for two
    parties, a verifier and a prover, in which the
    prover wishes to convince the verifier of the
    validity of a given assertion. Both the
    completeness and soundness conditions should hold
    with high probability.
  • The verifier has to be probabilistic polynomial
    time.
  • If the assertion is false, the verifier must
    reject with noticeable probability, no matter
    what strategy is being applied by the prover.

11
Interactive Proofs
  • Definition
  • An IP system for a set S is a two-party game
    between a verifier executing a probabilistic
    polynomial-time strategy and a prover which
    executes a computationally unbounded strategy,
    satisfying:
  • Completeness: for every $x \in S$ the verifier
    V always accepts after interacting with the
    prover P on common input x.
  • Soundness: for some polynomial p, it holds that
    for every $x \notin S$ and every potential
    strategy $P^*$, the verifier V rejects with
    probability at least $1/p(|x|)$ after
    interacting with $P^*$ on common input x.
  • The soundness error of computationally sound
    proofs (arguments) can be reduced by sequential
    repetitions, but it cannot always be reduced by
    parallel repetitions.

12
Computational Difficulty and One Way Function
  • Most positive results regarding ZK proofs are
    based on intractability assumptions.
  • Definition of one-way functions:
  • A function $f : \{0,1\}^* \to \{0,1\}^*$ is
    called one-way if the following two conditions
    hold.
  • 1. Easy to evaluate: there exists a
    polynomial-time algorithm A such that
    $A(x) = f(x)$ for every $x \in \{0,1\}^*$.
  • 2. Hard to invert: for every family of
    polynomial-size circuits $\{C_n\}$, every
    polynomial p, and all sufficiently large n,
    $\Pr[C_n(f(x)) \in f^{-1}(f(x))] < 1/p(n)$,
    where the probability is taken uniformly over
    all possible choices of $x \in \{0,1\}^n$.

13
Basic Definition
  • An interactive strategy A is ZK on the set S if,
    for every feasible strategy B, there exists a
    feasible computation C such that the following
    probability ensembles (indexed by $x \in S$) are
    computationally indistinguishable:
  • 1. $(A,B)(x)$ = the output of B after interacting
    with A on common input x, and
  • 2. $C(x)$ = the output of C on input x.

14
Variants
  • Universal and black box simulation
  • A further strengthening of the definition is
    obtained by requiring the existence of a
    universal simulator, denoted C, that is given
    the program of the verifier as an auxiliary
    input. In terms of the definition, one should
    replace $C(x,z)$ by $C(x,z,\langle B\rangle)$,
    where $\langle B\rangle$ denotes the description
    of program B (and z is the verifier's auxiliary
    input).
  • Therefore we effectively restrict the simulation
    by requiring that it be a uniform function of the
    verifier's program.

15
Variants
  • Honest Verifier Vs. General cheating verifier.
  • We typically view verifier as an adversary that
    is trying to cheat.
  • A weaker but still interesting notion of ZK
    refers to what can be gained by an honest
    verifier that interacts with the prover as
    directed, with the exception that it may maintain
    a record of the entire interaction. Although such
    a weaker notion is not satisfactory for standard
    cryptographic applications, it yields a
    fascinating notion from a conceptual as well as
    a complexity-theoretic point of view.

16
Variants
  • Statistical Vs. Computational Zero Knowledge
  • Perfect Zero Knowledge (PZK): requires that
    the two probability ensembles be identical.
  • Statistical Zero Knowledge (SZK): requires
    that these probability ensembles be statistically
    close (the variation distance between them is
    negligible).
  • Computational Zero Knowledge (CZK): requires
    that these probability ensembles be
    computationally indistinguishable.
  • CZK is the most liberal notion, and is the notion
    considered in the definition.

17
Variants
  • Strict vs. Expected Probabilistic Polynomial Time.
  • Strict PPT: there exists a bound on the number of
    steps in each possible run of the machine,
    regardless of the outcome of its coin tosses.
  • Expected PPT: the standard approach is to look
    at the running time as a random variable and
    bound its expectation, but an alternative
    treatment of this random variable is preferable.
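The basic definition (slide 13), universal black-box simulation (slide 14) and the strict/expected PPT distinction (slide 17) can all be seen on one concrete protocol. What follows is an added example, not part of this presentation or of Goldreich's paper: a Python implementation of the classic graph-isomorphism zero-knowledge proof, with the honest prover strategy A (which holds the witness PI), a cheating prover for a false assertion, an honest and a non-honest verifier B, and a black-box simulator C that runs B as a subroutine and rewinds it whenever its guess of the challenge was wrong. The graphs, seeds and function names are constructed here; the protocol itself is the standard one and is not spelled out on the slides.

```python
import random

# --- graphs are (n, frozenset of 2-element frozensets); all data here is constructed ---
def apply_perm(graph, perm):
    """Relabel each vertex v of graph as perm[v]; returns the isomorphic copy."""
    n, edges = graph
    return (n, frozenset(frozenset(perm[v] for v in e) for e in edges))

def random_perm(n, rng):
    perm = list(range(n))
    rng.shuffle(perm)
    return perm

def compose(outer, inner):
    """Permutation v -> outer[inner[v]] (inner is applied first)."""
    return [outer[v] for v in inner]

def verifier_check(x, h, c, tau):
    """Verifier's test in one round: tau must map G_c onto the committed graph h."""
    return apply_perm(x[c], tau) == h

# Common input x = (G0, G1); the honest prover's auxiliary input is PI with PI(G0) == G1.
G0 = (5, frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0)]))
PI = [2, 4, 1, 3, 0]
X_TRUE = (G0, apply_perm(G0, PI))
# A false assertion: the 5-cycle plus a chord has 6 edges, so it is not isomorphic to G0.
X_FALSE = (G0, (5, G0[1] | {frozenset((0, 2))}))

def honest_prover(x, pi, rng):
    """Strategy A: commit to a random copy of G1, later open it towards G_c."""
    g0, g1 = x
    sigma = random_perm(g0[0], rng)
    return apply_perm(g1, sigma), (lambda c: sigma if c == 1 else compose(sigma, pi))

def cheating_prover(x, rng):
    """Prover for a false assertion: guesses the challenge and can only answer that one."""
    guess = rng.randrange(2)
    sigma = random_perm(x[0][0], rng)
    return apply_perm(x[guess], sigma), (lambda c: sigma)

def honest_verifier(h, v_rng):
    return v_rng.randrange(2)

def biased_verifier(h, v_rng):
    """A non-honest verifier whose challenge depends on the commitment h."""
    return (sum(min(e) for e in h[1]) + v_rng.randrange(2)) % 2

def execute(x, prover, verifier, v_seed, rounds):
    """Sequential composition of `rounds` executions. Returns (accepted, verifier's view)."""
    v_rng = random.Random(v_seed)                  # the verifier's coin tosses
    view = []
    for _ in range(rounds):
        h, respond = prover()
        c = verifier(h, v_rng)
        tau = respond(c)
        view.append((h, c, tau))
        if not verifier_check(x, h, c, tau):
            return False, view
    return True, view

def simulate(x, verifier, v_seed, rounds, rng):
    """Universal black-box simulator C(x, <B>): uses the verifier only as a subroutine,
    never touches the witness, and rewinds B when its guess was wrong. Each round needs
    2 attempts on average, so C is expected (not strict) polynomial time."""
    v_rng = random.Random(v_seed)
    view, attempts = [], 0
    for _ in range(rounds):
        snapshot = v_rng.getstate()                # verifier's state before this round
        while True:
            attempts += 1
            guess = rng.randrange(2)
            tau = random_perm(x[0][0], rng)
            h = apply_perm(x[guess], tau)          # random copy of G_guess: no witness needed
            c = verifier(h, v_rng)
            if c == guess:
                view.append((h, c, tau))
                break
            v_rng.setstate(snapshot)               # rewind B: this attempt leaves no trace
    return view, attempts

def honest_run(rounds, v_seed, p_seed=7):
    rng = random.Random(p_seed)
    return execute(X_TRUE, lambda: honest_prover(X_TRUE, PI, rng), honest_verifier, v_seed, rounds)[0]

def cheating_success_rate(trials, rounds):
    """Fraction of sequential runs in which the cheating prover is accepted (about 2^-rounds)."""
    hits = 0
    for seed in range(trials):
        rng = random.Random(1000 + seed)
        hits += execute(X_FALSE, lambda: cheating_prover(X_FALSE, rng), honest_verifier, seed, rounds)[0]
    return hits / trials

def simulated_view_is_valid(rounds, v_seed, verifier=biased_verifier, s_seed=11):
    """Every simulated round passes the verifier's own check, exactly like a real view."""
    view, attempts = simulate(X_TRUE, verifier, v_seed, rounds, random.Random(s_seed))
    return all(verifier_check(X_TRUE, h, c, tau) for h, c, tau in view) and attempts >= rounds

if __name__ == "__main__":
    print("completeness:", honest_run(10, 1))
    print("cheating, 1 round / 20 rounds:", cheating_success_rate(1000, 1), cheating_success_rate(1000, 20))
    print("simulated view accepted:", simulated_view_is_valid(10, 1))
```

Sequential repetition (slide 11) is what drives the cheating prover's success from about 1/2 per round down to roughly 2^-k for k rounds; `cheating_success_rate` measures that empirically. The point of the definition is visible in `simulate`: it never reads `PI`, yet produces views that the verifier accepts, so whatever the verifier's view contains could have been computed from the assertion alone.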

18
Advanced Topics
  • The first question regarding ZK proofs refers to
    the preservation of their security under various
    types of composition operations.
  • The main facts for ZK protocols are:
  • ZK is closed under sequential composition.
  • ZK is not closed under parallel composition, yet
    some ZK proofs preserve their security when many
    copies are executed in parallel.
  • Some ZK proofs preserve their security when many
    copies are executed concurrently, but such a
    result is not known for constant-round protocols.
  • For the first 15 years, all known proofs of
    security used the adversary's program as a black
    box, and it was believed that there is no use in
    having access to the code of the adversary's
    program.
  • This belief was refuted by a ZK argument that
    has important properties that are unachievable by
    black-box simulation.
  • When we talk of composition of protocols, we mean
    that honest users are supposed to follow the
    prescribed program; that is, the actions of honest
    users in one execution are independent of the
    messages they received in previous executions.

19
Sequential Composition
  • In this case, the protocol is invoked
    (polynomially) many times, where each invocation
    follows the termination of the previous one.
  • At the very least, security should be preserved
    under sequential composition, or else the
    applicability of the protocol is highly limited.
  • Every protocol that is ZK (under the definition)
    is sequential zero-knowledge.

20
Parallel Composition
  • In this case many instances of the protocol are
    invoked at the same time and proceed at the same
    pace. Here we assume a synchronous model and
    consider many executions that are totally
    synchronized, so that the i-th message in all
    instances is sent at exactly the same time.
  • In the early days, parallel composition was
    interpreted mainly in the context of
    round-efficient error reduction. Since then,
    alternative ways of constructing constant-round
    ZK proofs were found.
  • Interest in parallel composition has died down.
    In retrospect, parallel composition helped to
    capture preservation of security.
  • Under standard intractability assumptions, every
    NP-set has a constant-round parallel ZK proof.

21
Concurrent Composition ( with without timing )
  • Concurrent composition generalizes both
    sequential and parallel composition. Here many
    instances of the protocol are invoked at
    arbitrary times and proceed at an arbitrary pace.
    Therefore we assume an asynchronous model of
    communication.
  • When extensive multi-party computations became a
    reality, it became clear that it is desirable
    that cryptographic protocols maintain their
    security under concurrent composition.
  • Thus two models are discussed in the literature:
  • Concurrent composition in the asynchronous model
  • Concurrent composition in the timing model.

22
Concurrent Composition in Asynchronous model
  • In comparison to the timing model, the pure
    asynchronous model is simpler, and using it
    requires no assumptions about the underlying
    communication channels; however, it seems harder
    to construct ZK proofs for this model.
  • Research has focused on determining the round
    complexity of concurrent ZK proofs for NP.
  • The current state of the art is as follows:
  • Under standard intractability assumptions, every
    language in NP has a concurrent ZK proof with
    almost-logarithmically many rounds. Furthermore,
    the ZK property can be demonstrated by a
    black-box simulator.
  • However, a black-box simulator cannot demonstrate
    the concurrent ZK property of non-trivial proofs
    having significantly less than logarithmically
    many rounds.
  • Recently it was demonstrated that the black-box
    simulator barrier can be bypassed for NP by
    protocols that maintain their security as long as
    an a priori bounded number of executions take
    place concurrently.

23
Concurrent Composition under timing model
  • This model was introduced by Dwork et al. They
    assumed that each party holds a local clock such
    that the relative clock rates are bounded by an
    a priori known constant, and considered protocols
    that employ time-driven operations.
  • The disadvantages of the timing model are:
  • The timing model consists of the assumption that
    talking about the actual timing of events is
    meaningful, and of the introduction of
    time-driven operations.
  • The timing-model assumption amounts to
    postulating that each party holds a local clock
    and knows a global bound, denoted $\rho > 1$, on
    the relative rates of the local clocks.
  • But in our opinion these timing-model assumptions
    are more reasonable, and are unlikely to restrict
    the scope of applications.

24
Zero Knowledge in other models
  • Multi-prover Interactive Proofs
  • In a multi-prover interactive proof, the prover
    is split into several entities, and the
    restriction is that these entities cannot
    interact with each other.
  • Actually the formulation allows them to
    coordinate their strategies prior to interacting
    with the verifier, but it is crucial that they
    themselves do not exchange messages.
  • E.g., the police interrogating all the suspects
    individually.
  • Strict Computational Soundness
  • The prover's running time is monitored by the
    verifier, which may run for a longer time, and
    the prover's utility is due to an auxiliary input
    that it has.