The Complexity of Zero-Knowledge Proofs
Salil Vadhan
Harvard University
A Successful Marriage
Complexity Theory: Which problems are “computationally hard” to solve?
Cryptography: Design protocols that are “computationally hard” to break.
[Figure: two arrows between the fields. Complexity theory → cryptography: hard problems, techniques. Cryptography → complexity theory: revisited notions, adversarial view.]
Two Areas of Interaction
• Pseudorandomness: generating objects that “look random” despite being constructed with little or no randomness.
– Cryptography: many unpredictable bits from a short key
– Complexity: power of randomized algs (RP vs. P, RL vs. L)
• Zero-knowledge proofs: interactive proofs that reveal nothing other than the validity of the assertion being proven.
– Cryptography: central in the study of crypto protocols
– Complexity: augments NP ↔ “efficiently verifiable proofs”
This Talk
Complexity-theoretic study of zero-knowledge proofs:
• Characterize the expressiveness of ZK.
• Prove general theorems about ZK.
• Minimize or eliminate complexity assumptions.
Promise Problems [ESY84]
[Figure: a promise problem splits {0,1}* into YES instances, NO instances and excluded inputs; a language is the special case in which no inputs are excluded.]
• P = { Π : can decide whether x ∈ Y or x ∈ N in poly(|x|) time } = “feasible problems”
3-COLORING
• Given: a map M. Decide: can it be colored w/ 3 colors s.t. no two adjacent countries have the same color?
• Formally: Y = { maps M : M is 3-colorable }, N = { maps M : M is not 3-colorable }
• Fastest known algorithm: 2^{O(n)}
(map image: http://www.ctl.ua.edu/math103/)
3-COLORING
• Given: a graph G. Decide: can it be colored w/ 3 colors s.t. no two adjacent vertices have the same color?
• Formally: Y = { graphs G : G is 3-colorable }, N = { graphs G : G is not 3-colorable }
• Fastest known algorithm: 2^{O(n)}
NP Proof Systems
• Def: An NP proof system for Π is an algorithm V s.t.
– Completeness: x ∈ Y ⇒ ∃ π  V(x, π) = accept
– Soundness: x ∈ N ⇒ ∀ π*  V(x, π*) = reject
– Efficiency: V(x, π) runs in time poly(|x|).
• Example: 3-coloring
– V(G, π) = accept iff π is a valid 3-coloring of G
NP Proofs
• The P = NP Question
– Do mathematical proofs ever save time?
– Is exhaustive search ever necessary?
• NP-completeness [C71,K72,L73]
– every NP problem can be reduced to 3-coloring.
• Q: What does one learn from a proof?
Zero-Knowledge Proofs [GMR85]
[Figure: an unbounded prover P and a poly-time verifier V both receive the input x, exchange messages m1, m2, m3, m4, and V outputs accept/reject. The last three bullets below are the “security” conditions.]
• Efficiency: V runs in time poly(|x|).
• Completeness: x ∈ Y ⇒ Pr[V accepts] ≥ 2/3
• Soundness: x ∈ N ⇒ ∀ P*  Pr[V accepts] ≤ 1/3
• Zero Knowledge: x ∈ Y ⇒ ∀ V*  V* “learns nothing” else
Zero-Knowledge Proofs [GMR85]
• Flavors
– Statistical: security vs. computationally unbounded P*, V*
– Computational: security vs. poly-time P*, V*
• Cryptographic Protocols
– Encryption, digital signatures, privacy-preserving data mining, electronic voting, …
– Testbed for composability, concurrency, …
• Complexity Theory
– SZK = { Π ∈ NP : Π has a statistical ZK proof }
– ZK = { Π ∈ NP : Π has a computational ZK proof }
3-COLORING ∈ ZK [GMW86]
[Figure: unbounded prover on the left, poly-time verifier on the right, a 6-vertex example graph (vertices 1–6), and the verifier's chosen edge (1,4).]
1. Prover: randomly permute the coloring & send it in locked boxes.
2. Verifier: pick a random edge.
3. Prover: send the keys for the endpoints.
4. Verifier: accept if the colors are different.
(Perfect) Completeness: graph 3-colorable ⇒ V accepts w.p. 1
Soundness: graph not 3-colorable ⇒ ∀ P*  V rejects w.p. ≥ 1/(#edges)
Zero Knowledge: graph 3-colorable ⇒ can simulate the interaction w/o the prover
How to implement boxes? Bit commitment:
[Figure: commit stage: Sender, holding (σ, K), sends z to Receiver; reveal stage: Sender sends (σ, K), Receiver outputs accept/reject.]
• Hiding: Com(0) & Com(1) indistinguishable. (⇒ zero knowledge)
• Binding: W.h.p. z can be opened to only one value σ ∈ {0,1}. (⇒ soundness)
With commitments in place of boxes: step 1 sends Com(·) … Com(·), one commitment per vertex color; step 3 sends (·, K1), (·, K4), the colors and keys of the endpoints of the chosen edge (1,4).
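The protocol above, as an added example that is not part of these slides: a Python simulation of one GMW round with the locked boxes instantiated by an assumed hash-based commitment (SHA-256 of a random key and the color), an honest prover on a constructed 3-colorable graph, a cheating prover on K4 to show the ≥ 1/#edges rejection probability, and the honest-verifier simulator that produces accepting transcripts without any coloring. The graphs, the function names and the choice of commitment are this example's own assumptions.

```python
import hashlib
import random

# Constructed sample inputs (not from the slides).
# A 3-colorable 6-vertex graph: the 6-cycle plus chord (1,4), with a witness coloring.
G_YES_EDGES = [(1, 2), (2, 3), (3, 4), (4, 5), (5, 6), (6, 1), (1, 4)]
G_YES_COLORING = {1: 0, 2: 1, 3: 0, 4: 1, 5: 0, 6: 2}
# K4 is not 3-colorable; the best a cheating prover can do is one monochromatic edge.
K4_EDGES = [(1, 2), (1, 3), (1, 4), (2, 3), (2, 4), (3, 4)]
K4_CHEAT = {1: 0, 2: 1, 3: 2, 4: 2}   # edge (3,4) is monochromatic


def is_valid_3coloring(edges, coloring):
    """The NP verifier V(G, pi): accept iff pi is a valid 3-coloring of G."""
    return all(coloring.get(u) in (0, 1, 2) and coloring.get(v) in (0, 1, 2)
               and coloring[u] != coloring[v] for u, v in edges)


def commit(value, rng):
    """'Locked box' (assumed: hash-based commitment). Key K is 16 random bytes,
    the box is z = H(K || value). Hiding rests on H, binding on collision resistance."""
    key = bytes(rng.getrandbits(8) for _ in range(16))
    return hashlib.sha256(key + bytes([value])).digest(), key


def open_commitment(z, key, value):
    """Reveal stage: the receiver recomputes the box from (value, K)."""
    return hashlib.sha256(key + bytes([value])).digest() == z


def prover_commit(coloring, rng):
    """Step 1: randomly permute the colour names, then box every vertex's colour."""
    perm = [0, 1, 2]
    rng.shuffle(perm)
    permuted = {v: perm[c] for v, c in coloring.items()}
    boxes, keys = {}, {}
    for v, c in permuted.items():
        boxes[v], keys[v] = commit(c, rng)
    return boxes, keys, permuted


def verifier_check(boxes, edge, opening):
    """Step 4: accept iff both boxes open correctly to two different colours."""
    u, v = edge
    (cu, ku), (cv, kv) = opening
    return (open_commitment(boxes[u], ku, cu) and open_commitment(boxes[v], kv, cv)
            and cu in (0, 1, 2) and cv in (0, 1, 2) and cu != cv)


def gmw_round(edges, coloring, rng):
    """One round: a prover holding `coloring` (valid or not) vs the honest verifier."""
    boxes, keys, permuted = prover_commit(coloring, rng)
    u, v = rng.choice(edges)                                    # step 2: random edge
    opening = ((permuted[u], keys[u]), (permuted[v], keys[v]))  # step 3: send keys
    return verifier_check(boxes, (u, v), opening)


def run_rounds(edges, coloring, rounds, rng):
    """Independent repetitions; returns how many rounds the verifier accepted."""
    return sum(gmw_round(edges, coloring, rng) for _ in range(rounds))


def soundness_bound(edges, rounds):
    """Each round rejects w.p. >= 1/#edges, so Pr[all accept] <= (1 - 1/#edges)^rounds."""
    return (1 - 1 / len(edges)) ** rounds


def simulate(edges, vertices, rng):
    """Zero knowledge (honest verifier): an accepting transcript built with no colouring.
    Choose the edge first, give its endpoints two distinct random colours and every other
    vertex a random colour; the unopened boxes are never checked."""
    u, v = rng.choice(edges)
    cu, cv = rng.sample((0, 1, 2), 2)
    colours = {w: rng.randrange(3) for w in vertices}
    colours[u], colours[v] = cu, cv
    boxes, keys = {}, {}
    for w, c in colours.items():
        boxes[w], keys[w] = commit(c, rng)
    return boxes, (u, v), ((cu, keys[u]), (cv, keys[v]))


if __name__ == "__main__":
    rng = random.Random(2024)
    print("honest prover, YES instance:", run_rounds(G_YES_EDGES, G_YES_COLORING, 50, rng), "/ 50 accepted")
    print("cheating prover, K4:", run_rounds(K4_EDGES, K4_CHEAT, 50, rng), "/ 50 accepted;",
          "bound on passing all 50:", round(soundness_bound(K4_EDGES, 50), 6))
    boxes, edge, opening = simulate(G_YES_EDGES, list(G_YES_COLORING), rng)
    print("simulated transcript accepted:", verifier_check(boxes, edge, opening))
```

The simulator is what the "Zero Knowledge" line on the slide refers to: its output is distributed exactly like a real transcript as seen by the honest verifier (a random edge, two random distinct colours, and boxes that are never opened), so the verifier's view carries no information about the coloring beyond the boxes' hiding property.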
NP ⊆ ZK [GMW86]
Thm: If one-way functions exist,
– Computationally hiding, statistically binding bit-commitment schemes exist [HILL90,Nao91].
– Statistically hiding, computationally “1-out-of-2-binding” bit-commitment schemes exist [NOV06].
⇒ all of NP has zero-knowledge proofs (with either security property statistical).
Existence of Commitment Schemes
[Figure: a one-way function x ↦ f(x) is easy to compute but hard to invert; e.g. (p,q) ↦ p×q.]
One-way functions: a minimal assumption, but stronger than P ≠ NP.
General Results on ZK
Thm [GMW86,HILL90,Nao91]: Assuming one-way functions exist...
• ZK = NP.
• ZK = ZK w/ perfect completeness
• ZK = ZK w/ poly-time prover
• ZK = honest-verifier ZK
• ZK closed under union
• …
Q: What can we prove about ZK unconditionally?
Unconditional Results on SZK
Thms:
• SZK contains QUADRATIC RESIDUOSITY [GMR85], GRAPH ISOMORPHISM [GMW86], ...
• SZK = SZK w/ perfect completeness [O96]
• SZK closed under complement, union [O96]
• Complete Problems [SV97,GV99]
• SZK = honest-verifier SZK [GSV98]
• SZK = SZK w/ poly-time prover [NV06]
• …
But more constrained: SZK ⊆ coAM [F86,AH87] ⇒ unlikely to contain NP.
Unconditional Results on ZK
Thm [V04,NV06,OV06] (the “assuming one-way functions exist...” hypothesis of the previous slide is no longer needed):
• New characterizations of ZK
• ZK = ZK w/ perfect completeness
• ZK = ZK w/ poly-time prover
• ZK = honest-verifier ZK
• ZK closed under union
• ZK ∩ coNP closed under complement
• ...
How to get unconditional results on ZK?
• Thm [OW93]: If ZK ≠ RP, then a “weak form” of one-way functions exists.
• Idea: Case analysis.
– Case I: ZK = RP. Everything trivial.
– Case II: ZK ≠ RP. Use the above OWF in the conditional results.
• Problem: the “weak form” of OWF is not enough (cf. [DOY97])
• Our approach:
– replace RP by SZK
– case analysis on an input-by-input basis
– combine OWF-based results w/ unconditional results on SZK
The SZK/OWF CONDITION
Def: Π satisfies the SZK/OWF CONDITION if ∃ I ⊆ Y, J ⊆ N, ∃ poly-time {f_x(y)}_{x ∈ {0,1}*} s.t.
1. Ignoring I and J, Π is in SZK.
2. When x ∈ I ∪ J, f_x is hard to invert.
[Figure: Y and N with I ⊆ Y and J ⊆ N; outside I ∪ J the problem is in SZK, and instances in I ∪ J yield a one-way function y ↦ f_x(y) (easy to compute, hard to invert).]
Note: ∃ OWF ⇒ every problem satisfies the above.
ZK Characterization Theorem
Thm [V04,OV06]: Π ∈ ZK ⇔ Π ∈ NP and Π satisfies the SZK/OWF CONDITION.
[Figure: as on the previous slide, I ⊆ Y and J ⊆ N; outside I ∪ J the problem is in SZK, instances in I ∪ J yield OWFs.]
Moreover: ZK statistical ⇔ I = ∅; soundness statistical ⇔ J = ∅.
“Zero Knowledge & Soundness are Symmetric”
Proof of the Characterization Thms
[Figure: a cycle of implications.]
Π ∈ honest-verifier ZK, even w/ an inefficient prover
⇒ Π satisfies the SZK/OWF CONDITION
⇒ (together with Π ∈ NP) Π ∈ ZK w/ perfect completeness, poly-time prover, …
From SZK/OWF to ZK
• Idea: Use the SZK proof when x ∉ I ∪ J, use the NP proof system when x ∈ I ∪ J (with f_x as the OWF).
• Problem: cannot efficiently decide whether x ∈ I ∪ J.
Thm: Π satisfies the SZK/OWF CONDITION and Π ∈ NP ⇒ Π ∈ ZK w/ perfect completeness, poly-time prover, ...
[Figure: Y and N with I ⊆ Y, J ⊆ N; SZK covers the instances outside I ∪ J, OWF covers I ∪ J.]
Sol’n: Instance-dependent Commitments
• Def [IOS94,MV03]: In an I.D. commitment scheme for Π, sender & receiver receive auxiliary input x s.t.
– x ∈ Y ⇒ hiding
– x ∈ N ⇒ binding
• Example [BMO90]: GRAPH ISOMORPHISM
– aux. input = (G0, G1)
– commitment to b = random isomorphic copy of G_b
– perfectly hiding and perfectly binding!
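The [BMO90] GRAPH ISOMORPHISM example above, as added code that is not from these slides: a Python instance-dependent commitment where the auxiliary input is (G0, G1), a commitment to b is a random isomorphic copy of G_b, and hiding and binding are checked exactly by enumerating all permutations of two constructed 4-vertex instances, one YES instance (G0 ≅ G1) and one NO instance (G0 ≇ G1). The graphs and function names are this example's own assumptions.

```python
import itertools
import random
from collections import Counter

N = 4  # all constructed sample graphs live on vertices 0..N-1


def graph(edges):
    """Normalise an edge list into a hashable undirected edge set."""
    return frozenset(frozenset(e) for e in edges)


def relabel(g, perm):
    """Apply the vertex permutation perm (perm[v] = image of v) to graph g."""
    return frozenset(frozenset(perm[v] for v in e) for e in g)


# Constructed instances (not from the slides).
C4 = graph([(0, 1), (1, 2), (2, 3), (3, 0)])
C4_ISO = graph([(0, 2), (2, 1), (1, 3), (3, 0)])          # the 4-cycle relabelled
TRIANGLE_TAIL = graph([(0, 1), (1, 2), (2, 0), (2, 3)])  # contains a triangle: not a 4-cycle
YES_INSTANCE = (C4, C4_ISO)          # (G0, G1) with G0 isomorphic to G1
NO_INSTANCE = (C4, TRIANGLE_TAIL)    # (G0, G1) with G0 not isomorphic to G1


def id_commit(instance, b, rng):
    """Sender: commit to bit b on auxiliary input x = (G0, G1) by sending a random
    isomorphic copy of G_b. The opening information is (b, perm)."""
    perm = list(range(N))
    rng.shuffle(perm)
    return relabel(instance[b], perm), (b, perm)


def id_open(instance, z, opening):
    """Receiver: accept the reveal iff perm maps G_b onto the committed graph z."""
    b, perm = opening
    return relabel(instance[b], perm) == z


def forge_opening(instance, z, b):
    """Binding, seen from the receiver's side: is there any way to open z as bit b?
    Exhaustive search over permutations (N = 4 gives 24 of them)."""
    for perm in itertools.permutations(range(N)):
        if relabel(instance[b], perm) == z:
            return (b, list(perm))
    return None


def commitment_distribution(instance, b):
    """Exact distribution of id_commit(instance, b) over a uniform permutation:
    the multiplicity of each labelled graph among all N! relabellings of G_b."""
    return Counter(relabel(instance[b], p) for p in itertools.permutations(range(N)))


def is_hiding(instance):
    """Perfect hiding: commitments to 0 and to 1 are identically distributed."""
    return commitment_distribution(instance, 0) == commitment_distribution(instance, 1)


def is_binding(instance):
    """Perfect binding: no commitment can be opened both as 0 and as 1."""
    support0 = set(commitment_distribution(instance, 0))
    support1 = set(commitment_distribution(instance, 1))
    return support0.isdisjoint(support1)


if __name__ == "__main__":
    rng = random.Random(11)
    for name, inst in (("YES instance", YES_INSTANCE), ("NO instance", NO_INSTANCE)):
        z, opening = id_commit(inst, 1, rng)
        print(name, "| hiding:", is_hiding(inst), "| binding:", is_binding(inst),
              "| honest open:", id_open(inst, z, opening),
              "| forged open as 0:", forge_opening(inst, z, 0))
```

On the YES instance the two supports coincide (every relabelling of a 4-cycle is a relabelling of the other), so the commitment is perfectly hiding and, necessarily, not binding; on the NO instance the supports are disjoint, so it is perfectly binding and not hiding. Neither party needs to know which case holds, which is exactly what lets the slides use hiding only on YES instances and binding only on NO instances.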
Usefulness of I.D. Commitments
– x ∈ Y ⇒ hiding
– x ∈ N ⇒ binding
• Many ZK pfs only use hiding on YES instances (for ZK) and binding on NO instances (for soundness).
• Lemma [IOS94,MV03]: Π ∈ NP and Π has instance-dependent commitments ⇒ Π ∈ ZK w/ perfect completeness, poly-time prover, …
From SZK/OWF to ZK
[Figure: the 3-coloring protocol again, now with a poly-time prover and commitments keyed to the instance x: step 1 sends Com_x(·) … Com_x(·), one per vertex color; step 3 sends (·, K1), (·, K4) for the chosen edge (1,4).]
1. Prover: randomly permute the coloring & send it in locked boxes.
2. Verifier: pick a random edge.
3. Prover: send the keys for the endpoints.
4. Verifier: accept if the colors are different.
I.D. Commitments from SZK/OWF
• SZK has stat. hiding, stat. 1-out-of-2-binding i.d. commitments [NV06]  (Com_SZK)
• OWF ⇒ comp. hiding, stat. binding commitments [HILL90,N91]  (Com_I)
• OWF ⇒ stat. hiding, comp. 1-out-of-2-binding commitments [NOV06]  (Com_J)
• SZK/OWF CONDITION ⇒ comp. hiding, comp. 1-out-of-2-binding i.d. commitments:
  Com_SZK(b ⊕ r), Com_I(r), Com_J(b)
[Figure: each component is labelled H (hiding) or B (binding) according to the property it contributes on YES and NO instances.]
On a YES instance, b stays hidden because Com_J(b) is always statistically hiding and at least one of the two shares is hidden: Com_SZK when x ∉ I, Com_I (with f_x as OWF) when x ∈ I. On a NO instance, b is bound because Com_I(r) is always statistically binding and either Com_SZK(b ⊕ r) (x ∉ J) or Com_J(b) (x ∈ J, with f_x as OWF) is binding.
Conclusions
• ZK continues to be a lively interface between cryptography and complexity theory.
• SZK/OWF characterizations of ZK ⇒ unconditional results
• Variations on commitments
– Instance-dependent commitments
– 1-out-of-2-binding commitments
• Happy Thanksgiving!
Extra slides
Computational Complexity Theory
“What problems can and cannot be solved with limited computational resources?”
• Arithmetic on n-bit numbers:
– Addition: time O(n)
– Multiplying: time O(n²), improved to O(n lg n lglg n) [SS71]
– Factoring: time ~2^{n/2}, improved to ~2^{O(n^{1/3})} [BLP94]
(addition and multiplication: easy (poly-time); factoring: hard?)
• Computational problems:
– Network Flows, Finding Nash Equilibria, Decoding Error-Correcting Codes, Partition Function of Ising Model, Protein Folding, Proof Verification, …
• Resources:
– Space (memory), randomness, parallelism, interaction, quantum mechanics, …
Goals of Complexity Theory
• Lower Bounds
– Prove that there are no efficient algorithms to solve certain problems.
– Success only for limited models of computation
– P ≠ NP seems far out of reach.
• Establish Relationships
– Between problems, e.g. NP-completeness [C71,K72,L73]
– Between resources, e.g. Hardness vs. Randomness [BM82,Y82,NW88]: intractable problems ⇒ derandomization (take CS225!)
Modern Cryptography
• Protocols for secure communication & computation in the face of adversarial behavior.
– Encryption, digital signatures, SSL, e-voting, …
• Goal: “breaking” the scheme is computationally intractable
– Information-theoretic security usually impossible [Sha49]
• Based on complexity theory [DH76,RSA78,Rab79]
[Figure: layered view, bottom to top: Complexity Theory → Hard Problems (Factoring, RSA, MD5, DES) → Primitives (Encryption, Signatures, Zero-knowledge Proofs) → Protocols (SSL, E-voting, Auctions) → Secure Systems.]
From Art to Science
• Convincing definitions of security [GM82,...], rigorous proofs.
• Goal: use assumptions that are as weak & general as possible.
• Ex: one-way functions; conjectured instance: (p,q) ↦ p×q is easy to compute but hard to invert.
1-out-of-2-Binding Commitments
[Figure: Sender and Receiver run two commit/reveal phases. In each phase i the Sender holds (σ, K_i), sends the commitment z in the commit_i stage, and sends K_i in the reveal_i stage.]
Hiding: • Both phases hiding ⇒ ZK
Binding: • Sender can change the value at most once ⇒ Soundness
1-out-of-2-binding Commitments ⇒ ZK for NP
Intuitive idea: run the 3-coloring protocol twice.
Prover → Verifier: Commit1(coloring)
Verifier → Prover: Edge
Prover → Verifier: Reveal1
Prover → Verifier: Commit2(coloring)
Verifier → Prover: Edge
Prover → Verifier: Reveal2