03 - Zero Knowledge


Cryptographic Protocols (CRYPROT)

Lecture 3 - April 29, 2021

Zero-Knowledge

Department of Computer Science | ENCRYPTO | Prof. Dr.-Ing. Thomas Schneider


Summary from Lecture 1: Zero-Knowledge Proofs

How can I prove that I know / can do something without revealing any other information?

Abel Prize Winner 2021: Avi Wigderson


Source: https://www.youtube.com/watch?v=0_NK_OkpmUY

Structure of Today’s Lecture

- Introduction
- Zero-knowledge Proofs of Languages in NP
- Sigma-Protocols
- Composition of Sigma-Protocols
- ZK and Non-Interactive ZK from Sigma-Protocols

INTRODUCTION

Motivation: Examples for Proofs

True statement:
Mathematical Assertion: "$x^2 + 4x - 5$ has two different roots".
Proof: The two roots are $x_1 = 1$ and $x_2 = -5$.
Verification: $1^2 + 4 - 5 = 0$ and $(-5)^2 + 4 \cdot (-5) - 5 = 0$.

False statement:
Mathematical Assertion: "$x^2 + 4x - 5$ has three different roots".
Proof: No proof exists as the statement is false.
Verification: All "fake" proofs will be rejected.

Proof Systems

2 Parties: Prover P, Verifier V


P wants to convince V that some statement is true.

Properties:

• Completeness: P can convince V that a true statement is true.

• Soundness: P cannot convince V that a false statement is true.

Zero-Knowledge Proof Example 1: Poisonous Liquids

Scenario: Two seemingly identical liquids, one is poisonous.

Claim: P wants to prove to V only that she is able to tell the two liquids apart, without revealing which one is poisonous.

Method: P is blindfolded. V can now switch the positions of the glasses or not. Then P can look at the glasses again and must tell if the glasses have changed positions or not. If P can answer correctly, she knows which glass is poisonous with probability ½.

P could be guessing, so the proof is repeated $n$ times, after which V is convinced with probability $1 - \frac{1}{2^n}$.

Source: https://www.expressvpn.com/blog/zero-knowledge-proofs-explained/

Zero-Knowledge Proof Example 2: Opening Door

Scenario: There is a magic yellow door in a special cave, that can only be opened with a secret password.

Claim: P wants to prove only to V that she knows the secret password to open the door, without revealing it.

Method: P and V both start at position 1 and P goes into the cave alone. At position 2, P decides to take the green or orange path and goes to the magic yellow door to position 3/4. After a while V goes to position 2 and asks P to appear either on the green or on the orange path.

If P comes out on the demanded side, V is convinced with probability ½ that P knows the secret password.

P could have luckily chosen the correct side, so the proof is repeated $n$ times, after which V is convinced with probability $1 - \frac{1}{2^n}$.

[Figure: cave with positions 1 (entrance), 2 (fork), and 3/4 (the two sides of the magic door)]

Zero-Knowledge Proof Example 3: Sudoku

Scenario: A Sudoku is solved if every row, column and sub-grid contains all numbers from 1 to 9.

Claim: P wants to prove to V that she knows the Sudoku solution, without revealing it.

Method: P assigns cards to a 9x9 board according to her solution. Pre-defined values are placed face up, the solution cards are placed face down. V then chooses to verify either rows, columns, or sub-grids. P then arranges the cards in packs according to V's choice, one pack for each row/column/sub-grid and then shuffles each pack. V then verifies that each shuffled pack contains all numbers from 1 to 9, which convinces V that P knows the solution with probability 1/3.

P could have guessed what V will verify, so the proof is repeated $n$ times, after which V is convinced with probability $1 - \left(\frac{2}{3}\right)^n$.

[Figure: example Sudoku board]

Zero-Knowledge Proofs

V learns that the statement is true and nothing else beyond that.

V could generate a protocol view indistinguishable from a real protocol execution with P.

Zero-Knowledge (ZK) Property: For a true statement, there exists a simulator S interacting with
V that can generate a protocol view that looks like a valid protocol execution between P and V.

• Perfect ZK: Distributions of simulated view and real execution are exactly the same.
• Statistical ZK: Distributions of simulated view and real execution are statistically close.
Distinguishing them is possible with less than a certain probability (chosen to be negligible).
• Computational ZK: Distributions of simulated view and real execution are computationally
indistinguishable.

Zero-Knowledge Proof Paradox?

P convinces V of the validity of the statement.


Yet, V could have generated the protocol view on his own (using the simulator).

V cannot prove to a third party T that P knows the secret just by presenting its view.
T will not be convinced, since V could have generated the view on his own using the simulator,
or P and V could collude.

V only accepts the proof due to the interaction with P in the ZK proof.

ZERO-KNOWLEDGE PROOFS
OF LANGUAGES IN NP

Map 3-Coloring from Abel Prize announcement 2021 for Avi Wigderson

[Figure: example maps. Norway: 3 colors; USA: 4 colors; ??? colors]

• Four color theorem (conjectured in 1852, proven with Coq proof assistant in 2005): Each 2D map can be colored with at most 4 colors.
• Deciding if an arbitrary 2D map can be colored with only 3 colors is NP-complete.

Goal: Prove in ZK that one knows a 3-coloring of a map.

Source: https://youtu.be/0_NK_OkpmUY

Map 3-Coloring from Abel Prize announcement 2021 for Avi Wigderson

Goal: Prove in ZK that one knows a 3-coloring of a map.

1) P chooses random permutation of 3 colors,
2) permutes the colors in her 3-coloring accordingly,
3) and puts the colors in envelopes.
4) V randomly picks two neighboring regions to open.

Source: https://youtu.be/0_NK_OkpmUY

Map 3-Coloring from Abel Prize announcement 2021 for Avi Wigderson

Goal: Prove in ZK that one knows a 3-coloring of a map.

This process is repeated multiple times until the verifier is convinced that P knows a valid 3-coloring.

Source: https://youtu.be/0_NK_OkpmUY

Graph 3-Coloring

Given a graph $G = (V, E)$, find an assignment of 3 colors to the vertices $\phi: V \to \{0,1,2\}$ s.t. adjacent vertices have different colors: $\forall (u, v) \in E: \phi(u) \neq \phi(v)$.

[Figure: example graph]

3-coloring is NP-complete
⇒ Given a ZK proof for 3-coloring, every language in NP can be proven in ZK!

Graph 3-Coloring (2)

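P wants to prove in zero-knowledge to V that she knows a valid 3-coloring $\phi$ for graph $G$.

Inputs: P has $G, \phi$; V has $G$.

1. P chooses a random permutation $\pi$ over $\{0,1,2\}$. For all vertices $v \in V$, P chooses random $r_v$ and computes $com_v = \mathrm{commit}(\pi(\phi(v)), r_v)$. P sends $com_1, \ldots, com_{|V|}$ to V.
2. V selects a random edge $e = (i, j) \in_R E$ and sends $e = (i, j)$ to P.
3. P sends $o_i = \mathrm{open}(com_i) = (\pi(\phi(i)), r_i)$ and $o_j = \mathrm{open}(com_j) = (\pi(\phi(j)), r_j)$ to V.
4. V checks $\pi(\phi(i)) \neq \pi(\phi(j))$, $\mathrm{commit}(o_i) = com_i$ and $\mathrm{commit}(o_j) = com_j$.
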
Graph 3-Coloring (3)

Completeness: If $\phi$ is a valid 3-coloring, then P can always reveal accepting values $\pi(\phi(i)) \neq \pi(\phi(j))$ and V will accept the proof.

Soundness: If $\phi$ is not a valid 3-coloring, then there is at least one edge $e' = (i, j) \in E$ such that $\phi(i) = \phi(j)$. V chooses the edge in step 2 at random, so he will detect $e'$ with probability $\geq \frac{1}{|E|}$. If such an edge is chosen, it is impossible for P's decommitted values to pass V's verification. If the protocol is repeated $n|E|$ times, the probability that P can cheat and remain undetected is negligible: $\left(1 - \frac{1}{|E|}\right)^{n|E|} \approx e^{-n} \approx 2.718^{-n}$.

ZK (intuition): Simulator S randomly assigns colors with coloring $\phi^*$ to a given graph $G$ and creates commitments: For all $v \in V$: $com_v = \mathrm{commit}(\pi(\phi^*(v)), r_v)$.
S chooses random edge $e^* = (i, j)$. If $\phi^*(i) = \phi^*(j)$, S rewinds and starts again.
Otherwise, S sets $o_i = (\pi(\phi^*(i)), r_i)$ and $o_j = (\pi(\phi^*(j)), r_j)$ and outputs $(com_1, \ldots, com_n, e^*, o_i, o_j)$.
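
The commit / challenge / open rounds of the 3-coloring protocol, together with the soundness bound, as an added example that is not part of the original lecture. It assumes a SHA-256 hash commitment, and the sample graph and both colorings are constructed for illustration.

```python
import hashlib
import secrets

COLORS = (0, 1, 2)

def commit(color, r):
    """Hash commitment to one color (assumption: SHA-256 over randomness || color)."""
    return hashlib.sha256(r + bytes([color])).digest()

def prover_commit(phi):
    """P: draw a fresh permutation pi and commit to pi(phi(v)) for every vertex v."""
    pi = list(COLORS)
    secrets.SystemRandom().shuffle(pi)
    openings = {v: (pi[phi[v]], secrets.token_bytes(16)) for v in phi}
    coms = {v: commit(color, r) for v, (color, r) in openings.items()}
    return coms, openings

def verifier_check(coms, edge, o_i, o_j):
    """V: the two opened colors differ and both openings match their commitments."""
    i, j = edge
    return (o_i[0] in COLORS and o_j[0] in COLORS and o_i[0] != o_j[0]
            and commit(*o_i) == coms[i] and commit(*o_j) == coms[j])

def run_round(edges, phi):
    coms, openings = prover_commit(phi)      # P -> V: com_1, ..., com_|V|
    i, j = secrets.choice(edges)             # V -> P: random edge e = (i, j)
    return verifier_check(coms, (i, j), openings[i], openings[j])  # P -> V: o_i, o_j

def run_proof(edges, phi, rounds):
    """V accepts only if every round accepts; pi and r_v are fresh in each round."""
    return all(run_round(edges, phi) for _ in range(rounds))

def cheat_bound(num_edges, rounds):
    """Bound on a cheating P surviving all rounds: (1 - 1/|E|)^rounds."""
    return (1 - 1 / num_edges) ** rounds

# Constructed sample input: a 5-cycle with one chord.
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2)]
GOOD = {0: 0, 1: 1, 2: 2, 3: 0, 4: 1}        # valid 3-coloring
BAD = {**GOOD, 4: 0}                         # edges (3,4) and (4,0) now clash

if __name__ == "__main__":
    print("valid coloring accepted:  ", run_proof(EDGES, GOOD, 60))
    print("invalid coloring accepted:", run_proof(EDGES, BAD, 60))
    print("bound for n = 10, |E| = 6:", cheat_bound(len(EDGES), 10 * len(EDGES)))
```
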
SIGMA-PROTOCOLS

Camenisch-Stadler Notation

The Camenisch-Stadler Notation [CamenischStadler97] describes what should be proven in Zero-Knowledge, i.e., the ideal functionality.

Example: $PK\{(\omega) : h = g^{\omega}\}$

• Greek letters denote elements that only P might know. These elements stay hidden from V. P's goal is to prove their knowledge.
  Here: $\omega$

• Other letters are public values known to both P and V.
  Here: $g$ and $h$.

Sigma-Protocols

Sigma-protocols (= Σ-protocols): "Challenge-response" proof of knowledge with 3 rounds:

Common input: Both P and V have public value $x$.
Private input: P has witness $\omega$ such that $(x, \omega) \in R$ for relation $R$ to be proven.

1. P sends random-looking element $a$ to V.
2. V challenges P with random bit string $c$.
3. P responds with $z$. V accepts or rejects only based on the values $(x, a, c, z)$.

Message flow (P holds $x, \omega$; V holds $x$): P → V: $a$; V → P: $c$; P → V: $z$.

Definition of Sigma-Protocols

Definition [Damgård10, Definition 1]: A protocol Π is said to be a Sigma-protocol for relation $R$ if:
1) Π is of the above 3-move form; and we have
2) Completeness: If P, V follow the protocol on public input $x$ and private input $\omega$ to P, where $(x, \omega) \in R$, the verifier always accepts; and
3) Special soundness: From any $x$ and any pair of accepting conversations on input $x$, $(a, c, z)$, $(a, c', z')$ where $c \neq c'$, one can efficiently compute $\omega$ such that $(x, \omega) \in R$; and
4) Special honest-verifier zero-knowledge: There exists a polynomial-time simulator S, which on input $x$ and a random $c$ outputs an accepting conversation of the form $(a, c, z)$, with the same probability distribution as conversations between the honest P, V on input $x$.

Schnorr’s DLOG Protocol [Schnorr89]

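Public input: $(G, q, g)$ is a cyclic group of prime order $q$ generated by $g$ in which the DLOG problem is hard; statistical security parameter $\sigma \leq |q|$; public key $h$.
Goal: Prove knowledge of private key $\omega$: $PK\{(\omega) : h = g^{\omega}\}$.

Inputs: P has $(G, q, g)$, $h = g^{\omega}$, $\omega$; V has $(G, q, g)$, $h$.

1. P chooses $r \in_R \mathbb{Z}_q$ and sends $a = g^r$ to V.
2. V sends $c \in_R \{0,1\}^{\sigma}$ to P.
3. P sends $z = r + \omega c \bmod q$ to V.
4. V checks $g^z = a \cdot h^c$.

Completeness: $g^z = g^{r + \omega c} = g^r (g^{\omega})^c = a \cdot h^c$
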
Schnorr’s DLOG Protocol

Proof of knowledge:
• Assume P can answer two different challenges $c \neq c'$ with $z$ and $z'$ for the same $a$.
• Then, $g^z = a \cdot h^c$ and $g^{z'} = a \cdot h^{c'}$.
• Thus, $a = g^z \cdot h^{-c} = g^{z'} \cdot h^{-c'}$ and $g^{z - z'} = h^{c - c'}$.
• $c, z, c', z'$ are known from the protocol.
• $\mathrm{DLOG}_g(h) = \omega = (z - z')/(c - c') \bmod q$

Conclusion: If P can answer with probability greater than $2^{-\sigma}$ then P must know DLOG $\omega$.

This also means: In practice P should make sure to choose a different $a$ every time!

Schnorr’s DLOG Protocol is a Sigma-Protocol

Completeness: as before.
Special soundness: There exists a knowledge extractor E that given any $x$ and pair of $(a, c, z)$ and $(a, c', z')$ with $c \neq c'$ outputs $\omega$ such that $(x, \omega) \in R$.
Knowledge extractor E for Schnorr's DLOG protocol:
• Input: $x = ((G, q, g), h)$, $(a, c, z)$, $(a, c', z')$ with $c \neq c'$
• Output: $\omega = (z - z')/(c - c') \bmod q$
Special honest-verifier ZK: There exists a simulator S that on input $x$ and $c \in_R \{0,1\}^{\sigma}$ outputs an accepting conversation $(a, c, z)$ with the same distribution as a real execution where V sends $c$.
Simulator S for Schnorr's DLOG protocol:
• Input: $x = ((G, q, g), h)$, $c$
• Choose random last message $z \in_R \mathbb{Z}_q$
• Compute first message $a = g^z / h^c$
• Output $(a, c, z)$
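
Schnorr's protocol with the knowledge extractor E and the simulator S from the two slides above, as an added example that is not part of the original lecture. The group parameters are a constructed toy group (far too small for real use) and the function names are chosen here. It also shows why P must use a fresh $a$ every time: two accepting answers for the same $a$ hand the private key to anyone who sees them.

```python
import secrets

# Constructed toy group: subgroup of prime order Q in Z_P^*, with P = 2Q + 1.
P, Q, G = 2039, 1019, 4
SIGMA = 9                      # challenge length in bits, sigma <= |q|

def keygen():
    w = secrets.randbelow(Q)   # private key omega
    return w, pow(G, w, P)     # public key h = g^omega

def commit():
    r = secrets.randbelow(Q)   # r in_R Z_q, must never be reused
    return r, pow(G, r, P)     # first message a = g^r

def respond(r, w, c):
    return (r + w * c) % Q     # z = r + omega * c mod q

def verify(h, a, c, z):
    return pow(G, z, P) == (a * pow(h, c, P)) % P      # g^z == a * h^c

def extract(c1, z1, c2, z2):
    """Knowledge extractor E: omega = (z - z') / (c - c') mod q."""
    return ((z1 - z2) * pow((c1 - c2) % Q, -1, Q)) % Q

def simulate(h, c):
    """Simulator S: pick z first, then solve for a = g^z / h^c (no witness used)."""
    z = secrets.randbelow(Q)
    a = (pow(G, z, P) * pow(h, -c, P)) % P
    return a, c, z

def reused_commitment_leaks(w, h):
    """Answering two challenges for the same a reveals omega to any observer."""
    r, a = commit()
    c1, c2 = 5, 300            # two distinct challenges
    z1, z2 = respond(r, w, c1), respond(r, w, c2)
    assert verify(h, a, c1, z1) and verify(h, a, c2, z2)
    return extract(c1, z1, c2, z2)

if __name__ == "__main__":
    w, h = keygen()
    r, a = commit()
    c = secrets.randbits(SIGMA)
    print("honest run accepted:   ", verify(h, a, c, respond(r, w, c)))
    print("simulated run accepted:", verify(h, *simulate(h, c)))
    print("key recovered on reuse:", reused_commitment_leaks(w, h) == w)
```
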
COMPOSITION OF SIGMA-PROTOCOLS

Parallel Composition and Adjusting Challenge Lengths in 𝚺-Protocols

Lemma 1 from [Damgård10]: The properties of Sigma-protocols are invariant under parallel composition, for instance repeating a Sigma-protocol for relation $R$ twice in parallel produces a new Sigma-protocol for $R$ with challenge length $2\sigma$.

Lemma 2 from [Damgård10]: If a Sigma-protocol for $R$ exists, then there exists a Sigma-protocol for $R$ with arbitrary challenge length $\sigma$.

Proof. Let $\sigma'$ be the challenge length for the given Sigma-protocol Π.

Then any challenge length $\sigma < \sigma'$ can be implemented as follows: P sends the first message $a$ as in Π. V sends a random $\sigma$-bit string $c$. P sets $c' = c \,\|\, 0^{\sigma' - \sigma}$ and computes the answer $z$ to $c'$ as in Π. V checks $z$ as in Π with challenge $c'$.
Any challenge length $\sigma > \sigma'$ can be implemented by first repeating the given protocol in parallel $j$ times, such that $j \cdot \sigma' \geq \sigma$, and then possibly adjusting down to $\sigma$ as above.

AND Proofs

AND of multiple statements $S_i$:

$PK\{(\omega) : S_1 \wedge \cdots \wedge S_n\}$

Run all Sigma-protocols in parallel with the same challenge $c$.

Example for AND Proof

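$PK\{(\omega) : h_0 = g_0^{\omega} \wedge h_1 = g_1^{\omega}\}$ (This can be used to prove Diffie-Hellman Tuples, see exercise.)
$G = \langle g \rangle$ is a group of prime order $q$ where the DDH problem is hard.
This particular AND proof is sometimes called EQ, since both statements use the same $\omega$.

Inputs: P has $(G, q, g)$, $g_0$, $g_1$, $h_0 = g_0^{\omega}$, $h_1 = g_1^{\omega}$, $\omega$; V has $(G, q, g)$, $g_0$, $g_1$, $h_0$, $h_1$.

1. P chooses $r \in_R \mathbb{Z}_q$ and sends $a_0 = g_0^r$, $a_1 = g_1^r$ to V.
2. V sends $c \in_R \{0,1\}^{\sigma}$ to P.
3. P sends $z = r + \omega c \bmod q$ to V.
4. V checks $g_i^z = a_i \cdot h_i^c$ for $i \in \{0,1\}$.

Completeness: as before.
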
OR Proofs

OR of multiple statements (at least 1 out of $n$ statements $S_i$ is true):

$PK\{(\omega) : S_1 \vee \cdots \vee S_n\}$

Prove that at least one statement is true, without revealing which one.
Main idea: If $c_i$ is known ahead of time, P can cheat in the proof of $S_i$ by running the simulator.
⇒ P is allowed to cheat in $n - 1$ of the sub-proofs by simulating them.
Example for $n = 2$ (can be generalized to $n > 2$ statements): $PK\{(\omega_0, \omega_1) : S_0(\omega_0) \vee S_1(\omega_1)\}$

Inputs: P has $x, \omega$; V has $x$.

1. P runs the simulator for the statement where the witness is not known and sends $a_0, a_1$ to V.
2. V sends $c \in_R \{0,1\}^{\sigma}$ to P.
3. P completes the Sigma-protocol for the statement where the witness is known, with $c_0 \oplus c_1 = c$, and sends $c_0, c_1, z_0, z_1$ to V.
4. V checks $c = c_0 \oplus c_1$ and checks $(a_i, c_i, z_i)$ for $i \in \{0,1\}$.

OR Proofs (cont.)

OR of 2 statements $PK\{(\omega_0, \omega_1) : S_0(\omega_0) \vee S_1(\omega_1)\}$:

Case 1 - P knows both $\omega_0$ and $\omega_1$:
P runs two separate regular Sigma-protocols and can use random $c_0$ and $c_1$ such that $c_0 \oplus c_1 = c$ that is sent by V.
Case 2 - P knows $\omega_{1-i}$ but not $\omega_i$:
P runs simulator for $S_i$ to get $(a_i, c_i, z_i)$ before she sends her first message. This fixes $c_i$.
V's choice of $c$ now determines $c_{1-i} = c \oplus c_i$.
Case 3 - P knows neither $\omega_0$ nor $\omega_1$:
To get valid protocol views, P must run the simulators before sending the first message.
P cannot change $c_i$ since her first message "committed" her to the corresponding $a_i$.
This forces at least one of the final checks of V to fail:
either $c \neq c_0 \oplus c_1$ or one of the checks $(a_i, c_i, z_i)$ for $i \in \{0,1\}$ fails.
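
The OR composition for two Schnorr statements $h_0 = g^{\omega_0} \vee h_1 = g^{\omega_1}$, covering Case 2 and Case 3 above, as an added example that is not part of the original lecture. The toy group and all function names are assumptions made here for illustration.

```python
import secrets

P, Q, G = 2039, 1019, 4        # constructed toy group of prime order Q (not secure)
SIGMA = 9                      # challenge length in bits

def verify(h, a, c, z):
    return pow(G, z, P) == a * pow(h, c, P) % P

def simulate(h, c):
    """Schnorr simulator: accepting (a, c, z) for a challenge fixed in advance."""
    z = secrets.randbelow(Q)
    return pow(G, z, P) * pow(h, -c, P) % P, z

def or_first_message(hs, known):
    """P: simulate the branch without witness, commit honestly on the known one."""
    other = 1 - known
    c_sim = secrets.randbits(SIGMA)
    a_sim, z_sim = simulate(hs[other], c_sim)
    r = secrets.randbelow(Q)
    a = [0, 0]
    a[known], a[other] = pow(G, r, P), a_sim
    return a, (known, r, c_sim, z_sim)

def or_response(state, w, c):
    """P: V's c fixes the real branch's challenge as c XOR c_sim."""
    known, r, c_sim, z_sim = state
    other = 1 - known
    cs, zs = [0, 0], [0, 0]
    cs[other], zs[other] = c_sim, z_sim
    cs[known] = c ^ c_sim
    zs[known] = (r + w * cs[known]) % Q
    return cs, zs

def or_verify(hs, a, c, cs, zs):
    return (cs[0] ^ cs[1] == c
            and all(verify(hs[i], a[i], cs[i], zs[i]) for i in (0, 1)))

def or_proof_accepts(hs, known, w):
    a, state = or_first_message(hs, known)       # P -> V: a_0, a_1
    c = secrets.randbits(SIGMA)                  # V -> P: c
    cs, zs = or_response(state, w, c)            # P -> V: c_0, c_1, z_0, z_1
    return or_verify(hs, a, c, cs, zs)

def no_witness_accepts(hs, c):
    """Case 3: both branches simulated, so c_0 and c_1 are fixed before c arrives."""
    c0, c1 = secrets.randbits(SIGMA), secrets.randbits(SIGMA)
    (a0, z0), (a1, z1) = simulate(hs[0], c0), simulate(hs[1], c1)
    return or_verify(hs, [a0, a1], c, [c0, c1], [z0, z1]), c0 ^ c1
```

The transcript V receives has the same shape whichever branch is real, and a prover without any witness is accepted only when V's challenge happens to equal the XOR she fixed beforehand.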

𝒕-out-of-𝒏 Proofs [CramerDS94]

Prove $t$-out-of-$n$ statements $S_i$ without revealing which ones are true: $PK\{(\omega) : \binom{n}{t}(S_1, \ldots, S_n)\}$.
Let $A$ be the set of indices of statements that P knows and $\bar{A}$ the ones she does not know.

Inputs: P has $x, \omega$; V has $x$.

1. P: for every $i \in \bar{A}$, generate $(a_i, c_i, z_i)$ using simulator S. For every $j \in A$, generate $a_j$ as first message from the corresponding Σ-protocol. P sends $a_1, \ldots, a_n$ to V.
2. V sends $c \in_R \mathcal{F}$ to P.
3. P interpolates polynomial $f$ of degree $n - t$ through points $(i, c_i)$ for $i \in \bar{A}$ and $(0, c)$. For $j \in A$: $c_j = f(j)$, and P computes $z_j$ from the corresponding Σ-protocol with $c_j$. P sends $f, z_1, \ldots, z_n$ to V.
4. V checks that $f$ has degree $n - t$ and $f(0) = c$. For $i \in \{1, \ldots, n\}$: check $(a_i, c_i = f(i), z_i)$.

ZK AND NON-INTERACTIVE ZK
FROM SIGMA-PROTOCOLS

ZK from Sigma-Protocols

Sigma-protocols assume an honest verifier, i.e., V must choose the challenge $c$ independent of P's first message $a$.
To turn a Sigma-protocol into a ZK proof, V first commits to the challenge $c$ before seeing $a$.

Message flow:
V → P: com = commit($c$)
P → V: $a$
V → P: open com

Non-Interactive ZK for Sigma-Protocols [FiatShamir86, BernhardPW12]

The Fiat-Shamir heuristic turns a Sigma-protocol into a non-interactive ZK proof in the ROM.
For this, we use a random oracle $H$ (instantiated with a cryptographic hash function in practice) to generate the challenge from the first message $a$ in the Sigma-protocol.
Example: $PK\{(\omega) : h = g^{\omega}\}$, where $G = \langle g \rangle$ is a group of prime order $q$ where DLOG is hard.

Inputs: P has $(G, q, g)$, $h = g^{\omega}$, $\omega$; V has $(G, q, g)$, $h$.

1. P chooses $r \in_R \mathbb{Z}_q$ and computes $a = g^r$, $c = H(g, a, h)$ and $z = r + \omega c \bmod q$.
2. P sends $a, z$ to V.
3. V computes $c = H(g, a, h)$ and checks $g^z = a \cdot h^c$.

• In contrast to the interactive ZK protocols shown before, this one allows for public verification.
• Additionally, a message can be concatenated to the input of $H$ to yield a signature scheme.
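
The non-interactive Schnorr proof with $c = H(g, a, h)$, and the signature variant obtained by appending a message to the hash input, as an added example that is not part of the original lecture. SHA-256 stands in for the random oracle, the group is a constructed toy group, and the input encoding and the subgroup check on $a$ are choices made here.

```python
import hashlib
import secrets

P, Q, G = 2039, 1019, 4        # constructed toy group of prime order Q (not secure)

def challenge(a, h, msg=b""):
    """c = H(g, a, h [, msg]) mapped into Z_q; the encoding is an assumption."""
    data = b"|".join(str(x).encode() for x in (P, Q, G, a, h)) + b"|" + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove(w, h, msg=b""):
    """P: derive the challenge from the hash instead of waiting for V."""
    r = secrets.randbelow(Q)                       # fresh r for every proof
    a = pow(G, r, P)
    z = (r + w * challenge(a, h, msg)) % Q
    return a, z

def verify(h, proof, msg=b""):
    """Anyone: recompute c from (g, a, h, msg) and check g^z == a * h^c."""
    a, z = proof
    if not (0 < a < P and pow(a, Q, P) == 1 and 0 <= z < Q):
        return False                               # a must lie in the order-q subgroup
    return pow(G, z, P) == a * pow(h, challenge(a, h, msg), P) % P

if __name__ == "__main__":
    w = secrets.randbelow(Q)
    h = pow(G, w, P)
    sig = prove(w, h, b"pay 10")
    print("proof of knowledge accepted:", verify(h, prove(w, h)))
    print("signature accepted:         ", verify(h, sig, b"pay 10"))
    # With q this small a wrong message still passes with probability about 1/q.
    print("other message accepted:     ", verify(h, sig, b"pay 99"))
```
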
Bibliography

[BernhardPW12] D. Bernhard, O. Pereira, B. Warinschi. How not to prove yourself: pitfalls of the Fiat-Shamir heuristic and applications to Helios. In ASIACRYPT'12.
[CramerDS94] R. Cramer, I. Damgård, B. Schoenmakers. Proofs of partial knowledge and simplified design of witness hiding protocols. In CRYPTO'94.
[CamenischStadler97] J. Camenisch, M. Stadler. Efficient group signature schemes for large groups. In CRYPTO'97.
[Damgård10] I. Damgård. On Σ-protocols. http://www.cs.au.dk/~ivan/Sigma.pdf
[FiatShamir86] A. Fiat, A. Shamir. How to prove yourself: practical solutions to identification and signature problems. In CRYPTO'86.
[Schnorr89] C. P. Schnorr. Efficient identification and signatures for smart cards. In CRYPTO'89.

THANKS FOR YOUR ATTENTION!

BONUS MATERIAL

Graph Isomorphism

Let $G = (V_G, E_G)$ and $H = (V_H, E_H)$ be two graphs with sets of vertices $V_G$ and $V_H$ ($|V_G| = |V_H|$) and sets of edges $E_G$ and $E_H$ ($|E_G| = |E_H|$).

An isomorphism of $G$ and $H$ is a permutation $\varphi: V_G \to V_H$ s.t. $(x, y) \in E_G \Leftrightarrow (\varphi(x), \varphi(y)) \in E_H$.

Graph Isomorphism Problem (GIP): Given $G$ and $H$, decide whether $\varphi$ exists.

[Figure: example graphs with vertices 0, 1, 2, 3 and A, B, C, D]

GIP ∈ NP: Given only $G$ and $H$, existence of $\varphi$ is "hard" to decide. But, given $\varphi$, "easy" to verify.
Hence, $\varphi$ is a proof that $G$ and $H$ are isomorphic.

However, it is currently not known whether GIP is in P, if it is NP-complete, or neither.

Graph Isomorphism (2)

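Let $G_0$ and $G_1$ be two isomorphic graphs: $G_1 = \varphi(G_0)$, $G_0 = \varphi^{-1}(G_1)$.

P knows the isomorphism $\varphi$ between $G_0$ and $G_1$ and wants to convince V that she knows $\varphi$ without revealing it. $\varphi$ is a witness for the isomorphism of $G_0$ and $G_1$.

Inputs: P has $G_0, G_1, \varphi$; V has $G_0, G_1$.

1. P chooses a random permutation $\varphi'$ and $p \in_R \{0,1\}$ and sends $C = \varphi'(G_p)$ to V.
2. V sends $v \in_R \{0,1\}$ to P.
3. P sends $\varphi''$ to V, where
   if $p = v$: $\varphi'' = \varphi'$
   if $p = 0, v = 1$: $\varphi'' = \varphi' \circ \varphi^{-1}$
   if $p = 1, v = 0$: $\varphi'' = \varphi' \circ \varphi$
4. V checks $\varphi''(G_v) = C$.

Completeness:
if $p = v$: $\varphi''(G_v) = \varphi'(G_p) = C$;
if $p = 0, v = 1$: $\varphi''(G_v) = \varphi' \circ \varphi^{-1}(G_1) = \varphi'(G_0) = C$;
if $p = 1, v = 0$: $\varphi''(G_v) = \varphi' \circ \varphi(G_0) = \varphi'(G_1) = C$.
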
Graph Isomorphism (3)

Soundness: If $G_0$ and $G_1$ are not isomorphic, then $C = \varphi'(G_p)$ is isomorphic to $G_p$, but not to $G_{\bar{p}}$. V will accept for $p = v$, but not for $p \neq v$. Since $v$ is chosen at random, the probability that V accepts is at least ½. After $n$ repetitions V is convinced with probability $1 - \frac{1}{2^n}$.

Knowledge extractor E (has black-box access to the cheating prover P* and can rewind):

1. P* chooses a random permutation $\varphi'$ and sends $C = \varphi'(G_0)$; let $p = 0$ ($p = 1$ works similarly).
2. E sends $v = 0$. P*: if $p = v = 0$: $\varphi''_0 = \varphi'$; P* sends $\varphi''_0$.
3. E rewinds P* to step 1 and sends $v = 1$. P*: if $p = 0, v = 1$: $\varphi''_1 = \varphi' \circ \varphi^{-1}$; P* sends $\varphi''_1$.
4. If both accept, then $\varphi''_0(G_0) = C = \varphi''_1(G_1)$ and we can extract $\varphi = (\varphi''_1)^{-1} \circ \varphi''_0 = (\varphi' \circ \varphi^{-1})^{-1} \circ \varphi'$.

Contradiction: If $G_0$ and $G_1$ are not isomorphic, then $\varphi$ does not exist.

Graph Isomorphism (4)

Zero-Knowledge: Simulator S for honest V:
1. choose random permutation $\varphi^*$ and random $v^* \in_R \{0,1\}$
2. compute $C^* = \varphi^*(G_{v^*})$
3. output $(C^*, v^*, \varphi^*)$
If $G_0$ and $G_1$ are isomorphic, then the output $(C^*, v^*, \varphi^*)$ of the simulator S is distributed exactly the same as the view $(C, v, \varphi'')$ in the real protocol. This yields honest verifier zero-knowledge.

Simulator S* for arbitrary V*:
1. choose random permutation $\varphi^*$ and bit $p^* \in_R \{0,1\}$
2. compute $C^* = \varphi^*(G_{p^*})$ and let $v^* = v(G_0, G_1, C^*)$ be the bit chosen by V*
3. if $p^* = v^*$ output $(C^*, v^*, \varphi^*)$, else restart from step 1.
If $G_0$ and $G_1$ are isomorphic, then S* runs in expected polynomial time and its output is distributed exactly the same as in the real protocol. This yields perfect zero-knowledge.

Proofs: see §2 in http://www.cs.cornell.edu/courses/cs6810/2009sp/scribe/lecture18.pdf
