2024 CS783 Lecture15 A

CS783: Theoretical Foundations of Cryptography

Lecture 15 (01/Oct/24)

Instructor: Chethan Kamath


Recall from Last Lecture...

Interactive proof (IP)


Compared to traditional “�� ” proof
IP is powerful: IP for ���
Zero-knowledge proof
Knowledge vs. information
Modelled “zero knowledge” via simulation paradigm
Honest-verifier ZKP for ��� (Exercise 3: ���)

Honest-verifier ZKP for �� (Exercise 4: ��)


(ZK)IPs are Useful!

Applications of IP: Verifiable outsourcing

Applications of ZKP:
Cryptocurrency: prove validity of a transaction without revealing information
Digital signatures: next lecture

NIST is currently standardising ZKP (projects/pec/zkproof)

Plan for Today’s Lecture...

Malicious-verifier ZKP for GI

ZKP for all of NP
Blum’s protocol for Graph Hamiltonicity (��)
Given a graph � , decide whether it has a Hamiltonian cycle

Commitment scheme
Digital analogues of lockers
OWP → (non-interactive) commitment scheme

Plan for Today’s Lecture

1 Malicious-Verifier ZKP for Graph Isomorphism

2 (Computational) ZKP for NP

3 Commitment Scheme

Recall ��: Honest-Verifier ZK for ��...
Observation: transitivity of isomorphism
�� ≅ �� ⇒ if �� ≅ � then �� ≅ �
Protocol 1 (�� = (�, � ): IP for GI)

1 � “commits” by sending a random � s.t. �� ≅ �
2 For � ← {� , � }, � challenges � to “reveal” �� ≅ �
3 � accepts if the revealed permutation is valid

Theorem 1
�� is an honest-verifier perfect zero-knowledge IP for L��

Proof.
Completeness: �� ≅ �� ⇒ � can reveal on either challenge ⇒ � always accepts ⇒ ε� = �
Soundness: � ∼
�̸ � ⇒ for any � , � ∼
= � = � and � ∼
� =�

cannot both hold ⇒ best �∗ can do is guess � ⇒ ε� = �/�
Zero knowledge: sample out of order (info. vs knowledge)

What about Malicious Verifiers?

Definition 1 ((Malicious-Verifier) Perfect ZK)
An IP Π is perfect ZK for L if for every � ∗ there exists a PPT simulator ���� such that for all distinguishers � and all � ∈ L, the following is zero:

Pr[�(View�∗ (⟨�, � ∗ ⟩(� ))) = � ] − Pr[�(���� (� )) = � ]


What happens if we use honest-verifier simulator ��� now?


The distribution of � generated by �∗ may not be uniform
It could depend arbitrarily on � ’s message �

�� Works Also For Malicious Verifiers!...

Theorem 2
�� is a malicious-verifier perfect ZKP for L��

Proof (of ZK) Idea: ��� invokes �∗ !

New simulator ���� : repeat till required
1 Sample random � ≅ �� for � ∗ ← {�, �}
2 Invoke � on � to obtain challenge � (with fresh random coins)
3 If � ∗ = � output ((�� , �� ), (� , � , ψ))

Why is � independent of �∗ ? � hides �∗

What is the run-time of the new simulator ���� ?
In expectation: polynomial time
Worst case: exponential time
Exercise 1
Can you come up with a strict PPT simulator?

Exercise 2
1 Design malicious-verifier perfect ZKP for L��
2 Think about malicious-verifier perfect ZKP for L���
Hint: you need to somehow use �� as sub-routine
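
The rewinding simulator from the proof of Theorem 2, as an added Python sketch (not code from the lecture). The graph encoding, the function names and the sample verifier `malicious_verifier` are assumptions, and the 5-vertex instance is constructed.

```python
import random

def random_perm(n, rng):
    perm = list(range(n))
    rng.shuffle(perm)
    return perm

def apply_perm(perm, edges):
    """Relabel every vertex v of an undirected edge set as perm[v]."""
    return frozenset(frozenset(perm[v] for v in edge) for edge in edges)

def compose(outer, inner):
    """Permutation v -> outer[inner[v]]."""
    return [outer[v] for v in inner]

def demo_instance():
    """Constructed instance: G1 = pi(G0), so the two graphs are isomorphic."""
    n = 5
    g0 = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3), (3, 4), (0, 2)])
    pi = [2, 0, 3, 4, 1]                      # the prover's witness
    return (g0, apply_perm(pi, g0)), pi, n

def malicious_verifier(H):
    """V*: the challenge is an arbitrary function of the prover's first message H."""
    return 1 if frozenset((0, 1)) in H else 0

def verify(graphs, H, b, psi):
    """Verifier's final check: the revealed psi maps G_b onto H."""
    return apply_perm(psi, graphs[b]) == H

def honest_round(graphs, pi, n, verifier, rng):
    """Real interaction: the prover knows pi and can answer either challenge."""
    sigma = random_perm(n, rng)
    H = apply_perm(sigma, graphs[1])          # random isomorphic copy of G1
    b = verifier(H)
    psi = sigma if b == 1 else compose(sigma, pi)   # sigma(pi(G0)) = H
    return H, b, psi

def simulate(graphs, n, verifier, rng, max_tries=10_000):
    """Simulator without the witness: guess the challenge, invoke V*, retry on a miss.

    H is a uniformly random copy of G0 (equivalently of G1), so it carries no
    information about the guess b_star and each try succeeds with probability 1/2.
    Returns the transcript and the number of invocations of V*.
    """
    for tries in range(1, max_tries + 1):
        b_star = rng.randrange(2)
        psi = random_perm(n, rng)
        H = apply_perm(psi, graphs[b_star])   # can only be opened for b_star
        b = verifier(H)
        if b == b_star:
            return (H, b, psi), tries
    raise RuntimeError("simulator gave up (probability 2^-max_tries)")

if __name__ == "__main__":
    rng = random.Random(15)
    graphs, pi, n = demo_instance()
    runs = [simulate(graphs, n, malicious_verifier, rng) for _ in range(2000)]
    print("all simulated transcripts verify:",
          all(verify(graphs, *t) for t, _ in runs))
    print("average invocations of V*:", sum(k for _, k in runs) / len(runs))
```

The number of tries is geometric with success probability 1/2: two invocations of V* in expectation, with no fixed polynomial bound on the worst case.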

ZKP for Any Problem in NP
Claim 1
ZKP for an NP-complete language L� implies ZKP for any L ∈ NP

Construction 1 (Π� = (�� , �� ) → Π = (�, � ))

1 Encode � ∈ L by Karp-reducing to �� ∈ L�
2 Use ZKP for L� on ��

Exercise 3
Show that if Π� is a ZKP for L� then Π is a ZKP for L

Let’s Construct ZKP for Graph Hamiltonicity...
Let’s recall/rephrase Π�� :
Honest � “commits” to �� and �� by sending � = σ (�� )
Soundness: commitment � is “perfectly binding” if �� ≇ �� ⇒ malicious � ∗ can commit to only one of �� or �� in advance
ZK: commitment is “perfectly hiding” if �� ≅ �� ⇒ � hides information about �� /��
Possible because of ��’s structure: isomorphisms are transitive

Physical analogy: � acts as a secure “locker”
1 Hides its contents from the verifier �
2 Binds � ∗ by forcing it to store either �� or �� before seeing challenge �
Let’s Construct ZKP for Graph Hamiltonicity...
Observation: � Hamiltonian and � ≅ � then � Hamiltonian
Protocol 2 (�� = (�, � ): First attempt at ZKP for ��)

1 � samples random permutation σ and puts it in locker �
2 � commits by sending � and � := σ (� ) to �
3 � challenges � to reveal � ) σ by opening � or � ) Hamiltonian cycle σ (ψ) in �

Problem: not clear if zero knowledge. How to simulate?

Let’s Construct ZKP for Graph Hamiltonicity...
Protocol 3 (Π′�� = (�, � ): Blum’s IP for ��)

1 � samples random permutation σ and sets � := σ (� )
2 � commits by sending σ and � := σ (� ) in lockers to �
Lockers (� � , . . . , � � ), where � � stores σ (� )
Lockers � � ,� (� ,� )∈(� ) store � ’s adjacency matrix
3 � challenges � to reveal either � ) all lockers; or � ) lockers �� ,� , �� ,� , · · · , �ℓ,� corresponding to Ham. cycle σ (ψ) in �
4 � accepts if � ) � = σ (� ) or � ) �� ,� , �� ,� , · · · , �ℓ,� correspond to a Ham. cycle.

Π′�� is Computational ZKP for Graph Hamiltonicity...
Soundness: locker binding ⇒ Π′�� is sound
Zero-knowledge: locker “computationally” hides its content ⇒ Π′�� is honest-verifier computational zero-knowledge for L��

Simulator: again, sample out of order
1 Sample random � ← {�, �}
2 If � = �
Sample random permutation σ and set � := σ (� )
Prepare lockers (��, . . . , ��) and �� ,� (� ,� )∈(� ) as in protocol
3 If � = �
Sample random cycle � over [�, �]
Leave lockers (��, . . . , ��) empty and store � ’s adjacency matrix in �� ,� (� ,� )∈(� )

Exercise 4
Describe the simulator for malicious-verifier ZK for Π′��

Exercise 5
Think of ZKP for other NP-complete problems like � × � Sudoku and graph three-colouring

Commitment Schemes are Digital Lockers

Definition 2
A (non-interactive) commitment scheme is a pair of algorithms (�, �) with the following syntax:

Correctness: for all � ∈ N and inputs � ∈ {�, �}ℓ :

Computational hiding: � reveals no information about � to PPT adversaries
Perfect binding: for any � ∈ {� , � }∗ , there do not exist openings �� , �� ∈ {� , � }∗ such that �(� , �� ) ≠ �(� , �� )

In general the commit phase can be interactive


How to Construct Commitment Schemes?...
Construction 2 (PKE Π = (���, ���, ���) → commitment scheme Σ)

What are the properties we require from Π?


1 Recognise honestly sampled �� s
2 Ciphertext-indistinguishability ⇒ hiding
3 Perfect correctness of decryption ⇒ binding

Exercise 6
Which of the PKEs we have seen satisfy the above properties?

How to Construct Commitment Schemes?...
Construction 3 (OWP f� : {� , � }� → {� , � }� → bit-commitment Σ)

Recall: every (leaky) f� has hard-core predicate hc : {� , � }� → {� , � }
Security of hard-core predicate hc ⇒ computational hiding
f permutation ⇒ perfect binding

Exercise 7
1 Formally describe the construction, and write down the proof
2 Given a bit-commitment, construct a commitment for {� , � }ℓ
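
One round of Blum's protocol (Protocol 3) with lockers built as in Construction 3, as an added Python sketch that is not code from the lecture. Assumptions: discrete exponentiation modulo the toy prime 1019 stands in for the OWP, the "upper half" predicate stands in for hc, and the two challenges are encoded as 0 (open all lockers) and 1 (open the cycle lockers).

```python
import random

P = 1019                     # toy safe prime, P = 2*Q + 1 (constructed, far too small for real use)
Q = (P - 1) // 2
GEN = next(g for g in range(2, P) if pow(g, 2, P) != 1 and pow(g, Q, P) != 1)  # generator of Z_P^*

def f(x):
    """Assumed OWP on {1..P-1}: x -> GEN^x mod P (a permutation because GEN generates Z_P^*)."""
    return pow(GEN, x, P)

def hc(x):
    """Assumed hard-core predicate of f: does x lie in the upper half of the domain?"""
    return int(x > Q)

def commit(bit, rng):
    """Locker for one bit: (f(r), hc(r) XOR bit); the opening is r."""
    r = rng.randrange(1, P)
    return (f(r), hc(r) ^ bit), r

def open_locker(locker, r):
    """Return the committed bit. f is a permutation, so exactly one r in the domain fits."""
    y, masked = locker
    if not (1 <= r < P) or f(r) != y:   # the range check matters: r + P - 1 has the same image
        raise ValueError("invalid opening")
    return masked ^ hc(r)

def commit_int(value, width, rng):
    """Commit to an integer bit by bit, one locker per bit."""
    pairs = [commit((value >> k) & 1, rng) for k in range(width)]
    return [c for c, _ in pairs], [r for _, r in pairs]

def open_int(lockers, openings):
    return sum(open_locker(c, r) << k for k, (c, r) in enumerate(zip(lockers, openings)))

def prover_commit(A, rng):
    """Steps 1-2: sample sigma, set H = sigma(G), lock sigma and every cell of H."""
    n = len(A)
    sigma = list(range(n))
    rng.shuffle(sigma)
    H = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            H[sigma[i]][sigma[j]] = A[i][j]
    width = max(1, (n - 1).bit_length())
    perm = [commit_int(sigma[i], width, rng) for i in range(n)]
    cells = {(i, j): commit(H[i][j], rng) for i in range(n) for j in range(n)}
    message = ([c for c, _ in perm], {k: c for k, (c, _) in cells.items()})
    state = (sigma, [r for _, r in perm], {k: r for k, (_, r) in cells.items()})
    return message, state

def prover_respond(state, cycle, b):
    """Step 3: open everything (b = 0) or only the lockers on the cycle sigma(psi) (b = 1)."""
    sigma, perm_open, cell_open = state
    if b == 0:
        return perm_open, cell_open
    n = len(cycle)
    edges = [(sigma[cycle[k]], sigma[cycle[(k + 1) % n]]) for k in range(n)]
    return edges, {e: cell_open[e] for e in edges}

def verifier_check(A, message, b, response):
    """Step 4: accept if H = sigma(G) (b = 0) or the opened lockers form a Hamiltonian cycle (b = 1)."""
    n = len(A)
    perm_lockers, cell_lockers = message
    try:
        if b == 0:
            perm_open, cell_open = response
            sigma = [open_int(c, r) for c, r in zip(perm_lockers, perm_open)]
            if sorted(sigma) != list(range(n)):
                return False
            return all(open_locker(cell_lockers[sigma[i], sigma[j]],
                                   cell_open[sigma[i], sigma[j]]) == A[i][j]
                       for i in range(n) for j in range(n))
        edges, openings = response
        visits_all = len(edges) == n and sorted(u for u, _ in edges) == list(range(n))
        closed = all(edges[k][1] == edges[(k + 1) % n][0] for k in range(len(edges)))
        return visits_all and closed and all(
            open_locker(cell_lockers[e], openings[e]) == 1 for e in edges)
    except (ValueError, KeyError, TypeError, IndexError):
        return False

if __name__ == "__main__":
    rng = random.Random(15)
    # Constructed instance: the 5-cycle 0-1-2-3-4-0 with its own Hamiltonian cycle as witness.
    A = [[0, 1, 0, 0, 1], [1, 0, 1, 0, 0], [0, 1, 0, 1, 0], [0, 0, 1, 0, 1], [1, 0, 0, 1, 0]]
    for b in (0, 1):
        message, state = prover_commit(A, rng)
        print("challenge", b, "accepted:",
              verifier_check(A, message, b, prover_respond(state, [0, 1, 2, 3, 4], b)))
```

A prover without a Hamiltonian cycle can prepare lockers that pass one of the two challenges but not both, which is where the binding of the lockers gives soundness.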

To Recap Today’s Lecture

Malicious-verifier perfect ZKP for GI
Simulator was expected polynomial-time
Takeaway: Out of order sampling of transcript

Computational ZKP for NP
Blum’s protocol for Graph Hamiltonicity
What about perfect/statistical ZKP for NP?
Not possible (unless polynomial hierarchy collapses)!

Commitment schemes
Non-interactive constructions from PKE and OWP
Two-message construction from PRG ← OWF

Next Lecture

Proofs of knowledge (PoK)
PoK for the discrete-logarithm problem: Schnorr’s protocol
Fiat-Shamir Transform
Digital signatures from discrete-logarithm problem in the random-oracle model

References

1 [Gol01, Chapter 4] for details of today’s lecture
2 [GMR89] for definitional and philosophical discussion on ZK
3 The ZKP for graph Hamiltonicity is due to Blum [Blu86]
4 The constructions of commitment scheme from OWP and PRG are from [GMW91] and [Nao90]
