Page 1: The Complexity of Zero-Knowledge Proofs Salil Vadhan Harvard University

The Complexity of Zero-Knowledge Proofs

Salil Vadhan

Harvard University

Page 2

A Successful Marriage

Complexity Theory: Which problems are “computationally hard” to solve?

Cryptography: Design protocols that are “computationally hard” to break.

[Figure: arrows between the two fields, labelled “hard problems, techniques” and “revisit notions, adversarial view”.]

Page 3

Two Areas of Interaction

• Pseudorandomness: generating objects that “look random” despite being constructed with little or no randomness.
  – Cryptography: many unpredictable bits from short key
  – Complexity: power of randomized algs (RP vs. P, RL vs. L)

• Zero-knowledge proofs: interactive proofs that reveal nothing other than validity of assertion being proven
  – Cryptography: central in study of crypto protocols
  – Complexity: augments NP ↔ “efficiently verifiable proofs”

Page 4

This Talk

Complexity-theoretic study of zero-knowledge proofs:

• Characterize the expressiveness of ZK.

• Prove general theorems about ZK.

• Minimize or eliminate complexity assumptions.

Page 5

Promise Problems [ESY84]

[Figure: two diagrams of {0,1}*. Promise Problem: YES, NO, excluded inputs. Language: YES, NO.]

• P = { : can decide if x ∈ Y or x ∈ N in poly(|x|) time} = “feasible problems”

Page 6

3-COLORING

• Given: a map M
  Decide: can it be colored w/3 colors s.t. no two adjacent countries have the same color?

• Formally: Y = { maps M : M is 3-colorable}
  N = { maps M : M is not 3-colorable}

• Fastest known algorithm: 2^O(n)

http://www.ctl.ua.edu/math103/

Page 7

3-COLORING

• Given: a graph G
  Decide: can it be colored w/3 colors s.t. no two adjacent vertices have the same color?

• Formally: Y = { graphs G : G is 3-colorable}
  N = { graphs G : G is not 3-colorable}

• Fastest known algorithm: 2^O(n)

Page 8

NP Proof Systems

• Def: An NP proof system for is an algorithm V s.t.
  – Completeness: x ∈ Y ⇒ ∃ V(x,) = accept
  – Soundness: x ∈ N ⇒ ∀ * V(x,) = reject
  – Efficiency: V(x,) runs in time poly(|x|).

• Example: 3-coloring
  – V(G,) = accept iff is a valid 3-coloring of G

Page 9

NP Proofs

• Def: An NP proof system for is an algorithm V s.t.
  – Completeness: x ∈ Y ⇒ ∃ V(x,) = accept
  – Soundness: x ∈ N ⇒ ∀ * V(x,) = reject
  – Efficiency: V(x,) runs in time poly(|x|).

• The P=NP Question
  – Do mathematical proofs ever save time?
  – Is exhaustive search ever necessary?

• NP-completeness [C71,K72,L73]
  – every NP problem can be reduced to 3-coloring.

• Q: What does one learn from a proof?

Page 10

Zero-Knowledge Proofs [GMR85]

[Figure: unbounded Prover P and poly-time Verifier V, input x, exchange messages m1, m2, m3, m4; V outputs accept/reject. Label: “security” conditions.]

• Efficiency: V runs in time poly(|x|).

• Completeness: x ∈ Y ⇒ Pr[V accepts] ≥ 2/3

• Soundness: x ∈ N ⇒ ∀ P Pr[V accepts] ≤ 1/3

• Zero Knowledge: x ∈ Y ⇒ ∀ V* V* “learns nothing” else

Page 11

Zero-Knowledge Proofs [GMR85]

• Flavors
  – Statistical: security vs. computationally unbounded P*, V*
  – Computational: security vs. poly-time P*, V*

• Cryptographic Protocols
  – Encryption, digital signatures, privacy-preserving data mining, electronic voting, …
  – Testbed for composability, concurrency, …

• Complexity Theory
  – SZK = { ∈ NP : has a statistical ZK proof}
  – ZK = { ∈ NP : has a computational ZK proof}

Page 12

3-COLORING ∈ ZK [GMW86]

[Figure: unbounded Prover and poly-time Verifier; a graph on vertices 1 to 6.]

1. Prover: Randomly permute coloring & send in locked boxes.


Page 14

3-COLORING ∈ ZK [GMW86]

[Figure: unbounded Prover and poly-time Verifier; a graph on vertices 1 to 6; the verifier's edge is (1,4).]

1. Prover: Randomly permute coloring & send in locked boxes.
2. Verifier: Pick random edge.
3. Prover: Send keys for endpoints.
4. Verifier: Accept if colors different.

(Perfect) Completeness: graph 3-colorable ⇒ V accepts w.p. 1

Page 15

3-COLORING ∈ ZK [GMW86]

[Figure: unbounded Prover and poly-time Verifier; a graph on vertices 1 to 6; the verifier's edge is (1,4).]

1. Prover: Randomly permute coloring & send in locked boxes.
2. Verifier: Pick random edge.
3. Prover: Send keys for endpoints.
4. Verifier: Accept if colors different.

Soundness: graph not 3-colorable ⇒ ∀ P* V rejects w.p. ≥ 1/(#edges)

Page 16

3-COLORING ∈ ZK [GMW86]

[Figure: unbounded Prover and poly-time Verifier; a graph on vertices 1 to 6; the verifier's edge is (1,4).]

1. Prover: Randomly permute coloring & send in locked boxes.
2. Verifier: Pick random edge.
3. Prover: Send keys for endpoints.
4. Verifier: Accept if colors different.

Zero Knowledge: graph 3-colorable ⇒ can simulate interaction w/o prover

Page 17

How to implement boxes?

Bit commitment:

[Figure: Sender and Receiver. Commit stage: z. Reveal stage: (,K); Receiver outputs accept/reject.]

• Hiding: Com() & Com() indistinguishable. (⇒ zero knowledge)

• Binding: W.h.p. z can be opened to only one value ∈ {0,1}. ⇒ soundness

Page 18

3-COLORING ∈ ZK [GMW86]

[Figure: unbounded Prover and poly-time Verifier; a graph on vertices 1 to 6.]

1. Prover: Randomly permute coloring & send in locked boxes: Com( )…Com( )
2. Verifier: Pick random edge: (1,4)
3. Prover: Send keys for endpoints: ( ,K1),( ,K4)
4. Verifier: Accept if colors different.
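One round of the protocol above with the locked boxes implemented as commitments, as an added example that is not part of the talk. The SHA-256 commitment is a heuristic stand-in assumed here, not one of the one-way-function-based schemes the slides cite; the function names and both sample graphs are also constructed for this example.

```python
import hashlib, random, secrets

def commit(color):
    """Lock one color in a 'box': returns (commitment z, opening key K)."""
    key = secrets.token_bytes(32)
    return hashlib.sha256(key + bytes([color])).digest(), key

def opens_to(z, color, key):
    """Receiver's check in the reveal stage."""
    return hashlib.sha256(key + bytes([color])).digest() == z

def run_round(edges, coloring, rng):
    """One round of the protocol; returns True iff the verifier accepts."""
    # 1. Prover: randomly permute the three colors, commit to every vertex.
    perm = [0, 1, 2]
    rng.shuffle(perm)
    permuted = {v: perm[c] for v, c in coloring.items()}
    boxes = {v: commit(c) for v, c in permuted.items()}
    sent = {v: z for v, (z, _key) in boxes.items()}  # verifier sees only z
    # 2. Verifier: pick a random edge.
    u, w = rng.choice(edges)
    # 3. Prover: send color and key for the two endpoints only.
    reveal = {v: (permuted[v], boxes[v][1]) for v in (u, w)}
    # 4. Verifier: check both openings, accept iff the colors differ.
    valid = all(opens_to(sent[v], c, k) for v, (c, k) in reveal.items())
    return valid and reveal[u][0] != reveal[w][0]

def acceptance_rate(edges, coloring, rounds, seed=0):
    # Seeded PRNG keeps the demo reproducible; real parties need a CSPRNG.
    rng = random.Random(seed)
    return sum(run_round(edges, coloring, rng) for _ in range(rounds)) / rounds

# Constructed inputs. GOOD is a valid 3-coloring of a 6-vertex graph.
EDGES = [(1, 2), (2, 3), (3, 1), (1, 4), (4, 5), (5, 6), (6, 4)]
GOOD = {1: 0, 2: 1, 3: 2, 4: 1, 5: 0, 6: 2}
# K4 is not 3-colorable: every coloring leaves at least one bad edge.
K4 = [(1, 2), (1, 3), (1, 4), (2, 3), (2, 4), (3, 4)]
BEST_CHEAT = {1: 0, 2: 1, 3: 2, 4: 0}  # only edge (1,4) is monochromatic

if __name__ == "__main__":
    print("honest prover:", acceptance_rate(EDGES, GOOD, 500))
    print("cheater, per round:", acceptance_rate(K4, BEST_CHEAT, 3000))
```

The cheating prover on K4 is caught with probability 1/(#edges) = 1/6 per round, so the verifier repeats the round with fresh permutations and commitments to drive the error down.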

Page 19

NP ⊆ ZK [GMW86]

[Figure: unbounded Prover and poly-time Verifier, input x; a graph on vertices 1 to 6.]

1. Prover: Randomly permute coloring & send in locked boxes: Com( )…Com( )
2. Verifier: Pick random edge: (1,4)
3. Prover: Send keys for endpoints: ( ,K1),( ,K4)
4. Verifier: Accept if colors different.

Page 20

Existence of Commitment Schemes

Thm: If one-way functions exist,
  – Computationally hiding, statistically binding bit-commitment schemes exist [HILL90,Nao91].
  – Statistically hiding, computationally “1-out-of-2-binding” bit-commitment schemes exist [NOV06].

⇒ all of NP has zero-knowledge proofs (with either security property statistical).

[Figure: one-way function. x to f(x): easy; f(x) to x: hard.]

Page 21

Existence of Commitment Schemes

Thm: If one-way functions exist,
  – Computationally hiding, statistically binding bit-commitment schemes exist [HILL90,Nao91].
  – Statistically hiding, computationally “1-out-of-2-binding” bit-commitment schemes exist [NOV06].

⇒ all of NP has zero-knowledge proofs (with either security property statistical).

[Figure: one-way function. p,q to p×q: easy; p×q to p,q: hard.]

Page 22

Existence of Commitment Schemes

Thm: If one-way functions exist,
  – Computationally hiding, statistically binding bit-commitment schemes exist [HILL90,Nao91].
  – Statistically hiding, computationally “1-out-of-2-binding” bit-commitment schemes exist [NOV06].

⇒ all of NP has zero-knowledge proofs (with either security property statistical).

minimal but stronger than P ≠ NP

Page 23

General Results on ZK

Assuming one-way functions exist...

Thm [GMW86,HILL90,Nao91]:

• ZK = NP.
• ZK = ZK w/perfect completeness
• ZK = ZK w/poly-time prover
• ZK = honest-verifier ZK
• ZK closed under union
• …

Q: What can we prove about ZK unconditionally?

Page 24

Unconditional Results on SZK

Thms:

• SZK contains QUADRATIC RESIDUOSITY [GMR85], GRAPH ISOMORPHISM [GMW86],...
• SZK = SZK w/perfect completeness [O96]
• SZK closed under complement, union [O96]
• Complete Problems [SV97,GV99]
• SZK = honest-verifier SZK [GSV98]
• SZK = SZK w/poly-time prover [NV06]
• …

But more constrained: SZK ⊆ coAM [F86,AH87] ⇒ unlikely to contain NP.

Page 25

Unconditional Results on ZK

Thm [V04,NV06,OV06]:

• New characterizations of ZK
• ZK = ZK w/perfect completeness
• ZK = ZK w/poly-time prover
• ZK = honest-verifier ZK
• ZK closed under union
• ZK ∩ coNP closed under complement
• ...

Assuming one-way functions exist...

Page 26

How to get unconditional results on ZK?

• Thm [OW93]: If ZK ≠ RP, then a “weak form” of one-way functions exists.

• Idea: Case analysis.
  – Case I: ZK = RP. Everything trivial.
  – Case II: ZK ≠ RP. Use above OWF in conditional results.

• Problem: “Weak form” of OWF not enough (cf. [DOY97])

• Our approach:
  – replace RP by SZK
  – case analysis on input-by-input basis
  – combine OWF-based results w/unconditional results on SZK

Page 27

The SZK/OWF CONDITION

Def: satisfies the SZK/OWF CONDITION if ∃ I ⊆ Y, J ⊆ N, ∃ poly-time {f_x(y)}, x ∈ {0,1}*, s.t.

1. Ignoring I and J, is in SZK.

2. When x ∈ I ∪ J, f_x is hard to invert.

Note: ∃ OWF ⇒ every problem satisfies above.

[Figure: Y and N with subsets I and J. Outside I and J: “in SZK”. Inside I and J: “instances yield OWF”. y to f_x(y): easy; f_x(y) to y: hard.]

Page 28

ZK Characterization Theorem

Thm [V04,OV06]: ∈ ZK ⇔ ∈ NP and satisfies SZK/OWF CONDITION

Moreover: ZK statistical ⇔ I = ∅; soundness statistical ⇔ J = ∅

“Zero Knowledge & Soundness are Symmetric”

[Figure: Y and N with subsets I and J. Outside I and J: “in SZK”. Inside I and J: “instances yield OWF”.]

Page 29

Proof of the Characterization Thms

∈ honest-verifier ZK, even w/inefficient prover

satisfies SZK/OWF CONDITION.

+ ∈ NP

∈ ZK w/perfect completeness, poly-time prover, …

Page 30

From SZK/OWF to ZK

Thm: satisfies SZK/OWF CONDITION and ∈ NP ⇒ ∈ ZK w/perfect completeness, poly-time prover, ...

• Idea: Use SZK proof when x ∉ I ∪ J, use NP proof system when x ∈ I ∪ J (with f_x as OWF)

• Problem: cannot efficiently decide whether x ∈ I ∪ J.

[Figure: Y and N with subsets I and J; regions labelled SZK and OWF.]

Page 31

Sol’n: Instance-dependent Commitments

• Def [IOS94,MV03]: In an I.D. commitment scheme for , sender & receiver receive auxiliary input x s.t.
  – x ∈ Y ⇒ hiding
  – x ∈ N ⇒ binding

• Example [BMO90]: GRAPH ISOMORPHISM
  – aux. input = (G0,G1)
  – commitment to = random isomorphic copy of G
  – perfectly hiding and perfectly binding!

[Figure: regions marked H (hiding) and B (binding).]
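The GRAPH ISOMORPHISM example above, worked through on small graphs as an added example that is not from the talk. It assumes the commitment to a bit b is a random relabelling of G_b; the bit name b, the function names and the three 4-vertex graphs are constructed here, and hiding and binding are checked by enumerating every vertex permutation.

```python
import random
from itertools import permutations

def relabel(graph, perm):
    """Apply the vertex permutation `perm` to a list of edges."""
    return frozenset(frozenset((perm[u], perm[v])) for u, v in graph)

def commit(bit, aux, n, rng=random):
    """Commit to `bit` under auxiliary input aux = (G0, G1) on vertices 0..n-1."""
    perm = tuple(rng.sample(range(n), n))
    return relabel(aux[bit], perm), perm  # (commitment, opening key)

def verify(commitment, bit, perm, aux):
    """Reveal stage: the key must map G_bit onto the committed graph."""
    return relabel(aux[bit], perm) == commitment

def reachable(bit, aux, n):
    """Every commitment value that can be opened as `bit`."""
    return {relabel(aux[bit], p) for p in permutations(range(n))}

def is_hiding(aux, n):
    # A uniform relabelling is uniform over the isomorphism class, so equal
    # supports mean identical distributions: the commitment reveals nothing.
    return reachable(0, aux, n) == reachable(1, aux, n)

def is_binding(aux, n):
    # No committed graph can be opened both as 0 and as 1.
    return reachable(0, aux, n).isdisjoint(reachable(1, aux, n))

# Constructed instances on 4 vertices.
PATH = [(0, 1), (1, 2), (2, 3)]
PATH2 = [(2, 0), (0, 3), (3, 1)]   # the same path with vertices renamed
STAR = [(0, 1), (0, 2), (0, 3)]    # same edge count, not isomorphic to PATH
YES = (PATH, PATH2)                # isomorphic pair: hiding
NO = (PATH, STAR)                  # non-isomorphic pair: binding

if __name__ == "__main__":
    for name, aux in (("YES", YES), ("NO", NO)):
        print(name, "hiding:", is_hiding(aux, 4), "binding:", is_binding(aux, 4))
```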

Page 32

Usefulness of I.D. Commitments

– x ∈ Y ⇒ hiding

– x ∈ N ⇒ binding

• Many ZK pfs only use hiding on YES instances (for ZK), binding on NO instances (for soundness).

• Lemma [IOS94,MV03]: ∈ NP and has instance-dependent commitments ⇒ ∈ ZK w/perfect completeness, poly-time prover, …

[Figure: regions marked H (hiding) and B (binding).]

Page 33

From SZK/OWF to ZK

[Figure: Prover and poly-time Verifier, input x; a graph on vertices 1 to 6.]

1. Prover: Randomly permute coloring & send in locked boxes: Com_x( )…Com_x( )
2. Verifier: Pick random edge: (1,4)
3. Prover: Send keys for endpoints: ( ,K1),( ,K4)
4. Verifier: Accept if colors different.

Page 34

I.D. Commitments from SZK/OWF

• SZK has stat. hiding, stat. 1-out-of-2-binding i.d. commitments [NV06]: Com_SZK

• OWF ⇒ comp. hiding, stat. binding commitments [HILL90,N91]: Com_I

• OWF ⇒ stat. hiding, comp. 1-out-of-2-binding commitments [NOV06]: Com_J

• SZK/OWF CONDITION ⇒ comp. hiding, comp. 1-out-of-2-binding i.d. commitments: Com_SZK(b⊕r), Com_I(r), Com_J(b)

[Figure: regions marked H (hiding) and B (binding) for each commitment.]

Page 35

Conclusions

• ZK continues to be a lively interface between cryptography and complexity theory.

• SZK/OWF Characterizations of ZK ⇒ unconditional results

• Variations on commitments
  – Instance-dependent commitments
  – 1-out-of-2-binding commitments

• Happy Thanksgiving!

Page 36

Extra slides

Page 37

Computational Complexity Theory

“What problems can and cannot be solved with limited computational resources?”

• Arithmetic on n-bit numbers:
  – Addition: time O(n) [easy (poly-time)]
  – Multiplying: time O(n^2) → O(n lg n lglg n) [SS71] [easy (poly-time)]
  – Factoring: time ~2^(n/2) → ~2^O(n^(1/3)) [BLP94] [hard?]

• Computational problems:
  – Network Flows, Finding Nash Equilibria, Decoding Error-Correcting Codes, Partition Function of Ising Model, Protein Folding, Proof Verification, …

• Resources:
  – Space (memory), randomness, parallelism, interaction, quantum mechanics, …

Page 38

Goals of Complexity Theory

• Lower Bounds
  – Prove that there are no efficient algorithms to solve certain problems.
  – Success only for limited models of computation
  – P ≠ NP seems far out of reach.

• Establish Relationships
  – Between problems, e.g. NP-completeness [C71,K72,L73]
  – Between resources, e.g. Hardness vs. Randomness [BM82,Y82,NW88]: intractable problems derandomization (take CS225!)

Page 39

Modern Cryptography

• Protocols for secure communication & computation in the face of adversarial behavior.
  – Encryption, digital signatures, SSL, e-voting, …

• Goal: “breaking” scheme computationally intractable
  – Information-theoretic security usually impossible [Sha49]

• Based on complexity theory [DH76,RSA78,Rab79]

Page 40

From Art to Science

[Figure: layered stack. Secure Systems; Protocols: SSL, E-voting, Auctions; Primitives: Encryption, Signatures, Zero-knowledge Proofs; Hard Problems: Factoring, RSA, MD5, DES; Complexity Theory.]

• Convincing definitions of security [GM82,...], rigorous proofs.

Page 41

From Art to Science

[Figure: layered stack. Secure Systems; Protocols: SSL, E-voting, Auctions; Primitives: Encryption, Signatures, Zero-knowledge Proofs; Hard Problems: Factoring, RSA, MD5, DES; Complexity Theory. Label: Conjectures.]

• Convincing definitions of security [GM82,...], rigorous proofs.

• Goal: use assumptions that are as weak & general as possible.

• Ex: one-way functions

[Figure: p,q to p×q: easy; p×q to p,q: hard.]

Page 42

1-out-of-2-Binding Commitments

[Figure: Sender and Receiver run two phases. commit1 / reveal1: (,K1); commit2 / reveal2: (,K2). Boxes labelled K1 z1 and K2 z1.]

Hiding: Both phases hiding ⇒ ZK

Binding: Sender can change value at most once ⇒ Soundness

Page 43

1-out-of-2-binding Commitments ⇒ ZK for NP

Intuitive idea: Run 3-coloring protocol twice

[Figure: messages between Prover and Verifier, in order: Commit1(coloring), Edge, Reveal1, Commit2(coloring), Edge, Reveal2.]

Hiding: Both phases hiding ⇒ ZK

Binding: Sender can change value at most once ⇒ Soundness