On the Existence of 3-Round ... Proofs Matthew Lepinski
advertisement
On the Existence of 3-Round Zero-Knowledge
Proofs
by
Matthew Lepinski
Submitted to the Department of Electrical Engineering and Computer
Science
in partial fulfillment of the requirements for the degree of
Master of Science in Computer Science and Engineering
at the
MASSACHUSETTS INSTITUTE OF TECHNOLOGY
June 2002
© Massachusetts Institute of Technology 2002. All rights reserved.
X,
Author..
Department of Electricd Engineering and Computer Science
November 2, 2001
Certified by..................
..............
Silvio Micali
Professor
Thesis Supervisor
I
Accepted by ....
.
........................
.........
Arthur C. Smith
Chairman, Department Committee on Graduate Students
BARKER
MASSACHUSMlSiTTWRT
OF TECHNOLOGY
JUL 3 12002
LIBRARIES
2
On the Existence of 3-Round Zero-Knowledge Proofs
by
Matthew Lepinski
Submitted to the Department of Electrical Engineering and Computer Science
on November 2, 2001, in partial fulfillment of the
requirements for the degree of
Master of Science in Computer Science and Engineering
Abstract
Goldreich and Krawczyk proved that there do not exist 3-round black-box zeroknowledge proofs or arguments for languages outside BPP. In 1998, Hada and Tanaka
used non-standard assumptions to provide a 3-round zero-knowledge argument for
every language in NP which was not black-box zero-knowledge. We present a nonblack-box simulatable 3-round zero-knowledge proof system for NP, which is secure
even when the prover has unbounded computational resources. However, we require
a non-standard assumption (similar to those used by Hada and Tanaka) in order to
prove our protocol is zero-knowledge. Additionally, we provide a proof of knowledge
framework in which to view this type of non-standard assumption. In this thesis,
I designed and implemented a compiler which performs optimizations that reduce
the number of low-level floating point operations necessary for a specific task; this
involves the optimization of chains of floating point operations as well as the implementation of a "fixed" point data type that allows some floating point operations to
simulated with integer arithmetic. The source language of the compiler is a subset of
C, and the destination language is assembly language for a micro-floating point CPU.
An instruction-level simulator of the CPU was written to allow testing of the code.
A series of test pieces of codes was compiled, both with and without optimization, to
determine how effective these optimizations were.
Thesis Supervisor: Silvio Micali
Title: Professor
3
4
Acknowledgments
I would like to thank my adviser, Silvio Micali for all of his assistance in producing
this work. This material is based upon work supported under a National Science
Foundation Graduate Research Fellowship.
5
6
Contents
1 Introduction
9
2
Notation
11
3
Background
13
3.1
Zero-Knowledge Proofs . . . . . . . . . . . . . . . . . . . . . . . . . .
13
3.2
Round Minimization in Zero-Knowledge Protocols . . . . . . . . . . .
15
3.3
The Protocol of Hada and Tanaka . . . . . . . . . . . . . . . . . . . .
16
3.4
Blum's Zero-Knowledge Proof for Hamiltonian Cycle . . . . . . . . .
18
3.5
The Goldreich-Levin Theorem . . . . . . . . . . . . . . . . . . . . . .
20
4
5
Our Assumptions
21
4.1
Proofs of Knowledge
. . . . . . . . . . . . . . . . . . . . . . . . . . .
22
4.2
Our Proof of Knowledge Assumption . . . . . . . . . . . . . . . . . .
24
Our Protocol
27
5.1
The Actual Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . .
27
5.2
Proof of Soundness . . . . . . . . . . . . . . . . . . . . . . . . . . . .
29
5.3
Proof of Zero-Knowledgeness . . . . . . . . . . . . . . . . . . . . . . .
30
6 Conclusion
41
Bibliography
43
7
8
Chapter 1
Introduction
A zero-knowledge proof system is a protocol which allows a prover to convince a
verifier that a statement is true without providing the verifier with any additional
information about the statement being proved. Zero-Knowledge proofs have seen
much application in the design of cryptographic protocols. This is due in large part to
the result by Goldreich, Micali and Wigderson[16] that there exists a zero-knowledge
proof system for any language in NP. Additionally, work has been done to determine
the minimum number messages which must be exchanged in order to complete a
zero-knowledge proof ([10], [13], [12]). Of particular interest to us is a paper by Hada
and Tanaka which provides a three round (three message) protocol for any language
in NP which is proven to be zero-knowledge given a set of strong assumptions. This
is significant because it is known that no two round zero-knowledge protocol exists
for any language outside BPP.[13]
We present a three round zero-knowledge proof system for any language in NP
which is an improvement over the Hada-Tanaka protocol in two important ways.
First, our protocol is secure even the prover has unbounded resources. 1 Second, we
assume the hardness of the discrete logarithm problem for a randomly chosen prime
and generator instead of assuming the discrete logarithm problem is hard for every
'The Hada-Tanaka protocol is a zero-knowledge argument and not a zero-knowledge proof system
since it is secure only if the prover is polynomially bounded
9
prime number of a certain form.2 Like the Hada-Tanaka paper we rely on a nonstandard assumption which seems to be quite strong.
In Chapter 2 we provide a summary of the notation that we use in this paper. In
Chapter 3 we provide definitions and background from related work. In Chapter 4
we provide the assumptions which we need to prove our protocol correct. In Chapter
5 we provide our protocol and a proof that it is correct.
2
All of our hardness assumptions are with respect to a randomly chosen prime and generator. The
Hada-Tanaka paper assumes that the discrete logarithm problem and the Diffie-Hellman problem
are hard for every generator and for every prime which is one more than twice a prime.
10
Chapter 2
Notation
Point of Notation 1 Let X and Y be distributionsand let P(-, .) be a predicate then
by
Pr[x +- X; y
*-
Y : P(x, y)]
we mean the probability that P(x, y) is true when x is drawn randomly from distribution X and Y is drawn randomly from distribution Y.
For any set S, let x <-
S denote that x is drawn from the uniform distribution
over S. Similarly for any randomized algorithm A, let x
*-
A(y) denote that x is
drawn from the distribution induced by a random execution of algorithm A on input
y.
Point of Notation 2 When X and Y are distributions then
[XY]
denotes the distribution which produces pairs (x, y) where x is drawn from X and y
is drawn from Y
Point of Notation 3 When X and Y are distributions and A is a randomized algorithm then
[x <-- X, y +- Y, A(x, y)]
11
denotes the distribution which produces triples (x, y, a) where x is drawn from X, y
is drawn from Y and a is drawn from the distribution induced by a random execution
of A on inputs x and y.
Point of Notation 4 We denote the result of the interaction between A and B on
common input x by the random variable
[A(x) ++B(x)] e {accept,reject}
Point of Notation 5 Let x, y E {O, 1}.
Then by < x, y > we mean the inner
product of x and y in the vector space Z2n. That is,
<X,y>>
where x2 is the
ith
xiyi
bit of x.
12
mod2
Chapter 3
Background
3.1
Zero-Knowledge Proofs
In their paper, "The Knowledge Complexity of Interactive Proofs", Goldwasser, Micali and Rackoff[18] introduced the concept of a zero-knowledge proof system. Informally a zero-knowledge proof system for a language, L, is an interactive protocol
by which a prover can convince a verifier that a common input x is in L without
providing V with any additional information.
Definition 1 (Zero-Knowledge Proof System) A zero-knowledge proof system
for a language, L, is a protocol for a prover, P, and a verifier, V, that satisfies
the following three properties. 1
1. Completeness: For all x E L,
Pr[[P(x)++V(x)] = accept] = 1
1As done in [19] We present a non-uniform formulation of Zero-Knowledge in terms of cir-
cuit families. Hada and Tanaka claim that non-uniform zero-knowledge is strictly weaker than the
original GMR definition of zero-knowledge since one can construct protocols for which non-uniform
simulators exist but uniform simulators do not. However, it is not clear whether one could construct
protocols in which a non-uniform cheating verifier could extract knowledge but a uniform cheating
verifier could not. A protocol of this type would satisfy the GMR definition of zero-knowledge, but
not the non-uniform definition of zero-knowledge.
13
2. Soundness: For all circuit families P', for all c and for all sufficiently long
strings x V L,
Pr[[P'(x) *-4 V(x)] = accept] <
1
3. Zero-Know ledgeness: For all polynomial size circuit families, V', there exists a polynomial size circuit family, Sv', such that the probability ensembles
{Sv'}xCL and VIEW([P(x) ++ V'(x)] are computationally indistinguishable.
Where VIEW([P(x) +- V'(x)]) denotes the distribution over the random input
of V' and the messages sent by P in a random interaction of P and V' with
common input x.
Property 3 above formalizes the notion that V' learns nothing from interacting with
P besides the fact that x E L. So if V' already knew that x E L, V' could run Sv, and
obtain a view which is indistinguishable from the view he would receive if he were to
interact with the true prover. Thus, V' has no reason to interact with P other than
to learn that x E L.
One can also consider a modification to Property 3 in which instead of allowing
a separate simulator for each cheating verifier, V', it is required that there exist
a single simulator, S, which, when given black-box access to V', produces views
which are indistinguishable from the views V' would receive when interacting with
the true prover. Proof systems that satisfy this property are known as black-box
zero-knowledge proof systems. It is clear that black-box zero-knowledge is a stronger
property than regular zero-knowledge.
Property 2 of a zero-knowledge proof system requires that even a computationally
unbounded prover is unable to convince the verifier to accept a false theorem with
non-negligible probability. Brassard, Chaum and Crepeau[7] introduced the notion
of a zero-knowledge argument in which the soundness property is only guaranteed
to hold if the cheating prover runs in probabilistic polynomial time. They observed
that protection against probabilistic polynomial time provers was sufficient for most
applications.
Definition 2 (Computational Indistinguishability[17] [25]) Let L C {O, 1}* be
14
an infinite set of strings and let fl 1
=
{111(x)}xEL
and
H2
= {f2(x)}xeL
be two
probability ensembles. For any distinguishing circuit, D, let pr(x) be the probability
that D outputs 1 on an input drawn randomly from 11i(x).
Then H1 and H2 are
computationally indistinguishable if for any polynomial size family of circuits, D, for
all c and for all sufficiently long x C L,
Ipf (x) - pI (x)I <
3.2
Round Minimization in Zero-Knowledge Protocols
One standard measure of the complexity of a zero-knowledge proof is the number of
rounds of interaction (i.e. the number of messages sent from one party to another
during the protocol). This complexity measure is of particular interest in a situation
where the time required to perform local computation is much less than the time
required to exchange messages (An example of this setting would be two modern personal computers communicating over a large network, such as the internet). However,
in the original zero-knowledge proof system for NP provided by Goldreich, Micali and
Wigderson[16], the number of rounds required was polynomial in the size of the input.
Feige and Shamir[10] proved the existence of a 4-round zero-knowledge argument
for any language in NP. Additionally, Goldreich and Oren[13] proved neither 2-round
zero-knowledge proofs nor arguments exist for languages outside of BPP. This work
left open the question of whether or not 3-round zero-knowledge protocols exist for
all of NP. Goldreich and Krawczyk[12] proved that 3-round black-box zero-knowledge
proofs or arguments for languages outside of BPP can not exist. This result was significant because at the time of it's publication, every known zero-knowledge protocol
satisfied the condition of black-box zero-knowledge.
15
3.3
The Protocol of Hada and Tanaka
In response to the result of Goldreich and Krawczyk[12], Hada and Tanaka[19] provided a 3-round zero-knowledge argument for any language in NP, which did not
achieve black-box zero-knowledge. The methods used by Hada and Tanaka differed
significantly from previous zero-knowledge protocols, in particular the proof that their
protocol is correct required two non-standard assumptions which they refer to as the
Strong Diffie-Hellman Assumptions. The first Strong Diffie-Hellman Assumption is
needed to prove that that the protocol is zero-knowledge. This assumption is applied
to a cheating verifier to demonstrate the existence of a family of circuits which the
simulator can use to simulate properly. The Second Strong Diffie-Hellman Assumption is needed to prove that the protocol is sound. This assumption is applied to a
cheating prover to demonstrate the existence of a family of circuits which could be
used to compute discrete logarithms if the cheating prover were able to violate the
soundness condition.
Assumption 1 (First Strong Diffie-Hellman Assumption (SDHA-1))
Let I be
a family of polynomial-size circuits which takes as input (p, q, g, ga mod p), where p
and q are prime, p = 2q + 1 and g is a generator of Z*, and tries to output (B, X)
such that X = B'. For every family of polynomial-size circuits I
=
{In} there ex-
ists another family of polynomial-size circuits I' = {I'j} which on input (p, q, g, ga)
outputs (B', X', b) such that for primes p of length n and generatorsg,
1. The distribution of the first two outputs of I'(p, q, g, ga) is statistically close to
the distribution 1(p, q, g, ga), (where the probability distribution is taken over a
uniformly random choice of a E Zp*).
2. For every c and all sufficiently large n,
Pr[a +- Z*; (B', X', b) <-
I'(p,
q, g, ga); X' = B'/ A B' # gb] <
Basically, this assumption is about the "knowledge" of a circuit. It claims that if
there is a circuit family that is able to produce B and Ba mod p given only ga, then
16
the circuit family must "know" the discrete log of B (i.e. there is another circuit
family of similar size which is also able to output the discrete log of B).
In the Hada Tanaka protocol, the prover sends p, q, g and g' to the verifier and
the verifier responds with B and B'. The rest of the protocol proceeds in such a way
that the prover could cheat if he knew the discrete log of B, but since the prover is
assumed to be computationally bounded he is unable to compute the discrete log.
Additionally, the simulator needs the discrete log of B in order to simulate properly.
For any verifier, V', that outputs B and B' the SDHA-1 states that there exists a
related circuit family,
' which also outputs the discrete log of B. This means that
the simulator, Sv,, can have a description of
' hard-wired in and use V' to acquire
the discrete log of B (and hence simulate properly).
Assumption 2 (Second Strong Diffie-Hellman Assumption (SDHA-2)) Let I
be a family of polynomial-size circuits which takes as input (p, q, g, ga mod p, gb mod p, gab
mod p), where p and q are prime, p
to output (Y, C) such that Y
I
=
=
=
Cb.
2q + 1 and g is a generator of Z*, and tries
For every family of polynomial-size circuits
{I} there exists anotherfamily of polynomial-size circuits I'
=
{I,} which on in-
put (p, q, g, ga mod P, gb mod p, gab mod p) outputs (C', Y', c) such that for primes
p of length n, all generators g of Z* and all a E Z*,
1. The distribution of the first two outputs of I' (p,q,g,ga,
gb9ab)
is statistically
close to the distribution 1(p, q, g, ga, gb, gab), (where the probability distribution
is taken over a uniformly random choice of b
C ZP*).
2. For every c and all sufficiently large n,
Pr[Y' = C'b A Y'
#4 (gb)c A Y' =
(gab)c]
< nc
This is another assumption about the "knowledge" of a circuit. It claims that if there
is a circuit family that is able to produce C and Cb mod p given ga, gb and gab then
the circuit family must "know" either a discrete log of C base g or else a discrete log
17
of C base ga. (i.e. there is another circuit family of similar size which is also able to
output this discrete log).
In the Hada Tanaka protocol, the prover sends p, q, g and ga and the verifier
responds with gb and gab. At this point the prover sends Y and C (where Y = Cb
mod p) along with responses specified by Y. The responses are such that the prover
can cheat if and only if the prover can choose a particular value of Y (independent of
b).
However, if the prover, P', can choose a particular value of Y, then by SDHA-2
there exists a related circuit family, P', which computes the discrete log (either base g
or base ga) of this Y. This circuit F' is then used to construct an inverting algorithm
which contradicts the assumption that for every p, q and g (where p and q are prime,
p = 2q + 1 and g is a generator of Z*) it is hard to compute the discrete log of a
randomly chosen element of Z*. In this way, Hada and Tanaka use SDHA-2 to show
that the hardness of discrete log implies the soundness of their protocol.
These assumptions seem especially strong because they are built on the assumption that it is hard to compute the discrete log for any prime p = 2 * q + 1 and any
generator g of Zp*. It is much more standard to assume that discrete log is hard with
respect to a randomly chosen prime p = 2 * q + 1 and a randomly chosen generator
g. We find assumptions which assume hardness with respect to a randomly chosen
prime and randomly chosen generator to be more plausible since assumptions of this
form allow for the possibility that there are rare primes or generators which are of a
special form that makes computing the discrete logarithm easy.
3.4
Blum's Zero-Knowledge Proof for Hamiltonian
Cycle
Although Goldreich, Micali and Wigderson[16] provide a zero-knowledge proof system
for any language in NP, their protocol requires the verifier to choose one of polynomially many challenges. We instead base our proof system on the protocol of Blum[5]
which has the desirable property that that the verifier selects one of two challenges
18
and if the theorem being proved is false then only one of the two possible challenges
can be answered by the prover.' What follows is Blum's protocol for proving that a
graph G has a Hamiltonian cycle.
" PROVER: Randomly choose a permutation r of the vertices of G. Send the
verifier a commitment to the edges in G' = 7r(G).
" VERIFIER: Choose a random bit, b, and send it to the prover.
" PROVER: If b = 0, send to the verifier both 7r and a decommitment to every
edge in G'. Let H be a Hamiltonian cycle in G. If b = 1, send to the verifier a
decommitment to every edge in 7r(H).
" VERIFIER: If b = 0, accept if 7r is a permutation which maps G to G'. If b = 1,
accept if the revealed edges form a Hamiltonian cycle in G'.
We will denote by N the first message sent in Blum's protocol and we will denote
by N0 and N 1 the prover's response to challenges 0 and 1 respectively. When the
protocol is being run several times, we use subscripts such that N? is the prover's
response to challenge 0 in the instance of the protocol where the first message was
Ni. Blum's protocol is black-box zero-knowledge. Therefore, there exists a simulator
which interacts with a verifier and then produces triples of the form (p, M, M?) where
(M, M?) are indistinguishable from the messages the honest prover would send in an
interaction with the verifier when the verifier uses ft as it's random string.
Of particular interest is the verifier which always outputs 0 and the verifier which
always outputs 1. We will denote by (M, MO) the pair of messages output by the
simulator when interacting with the 0 verifier and by (M, M 1 ) the pair of messages
output by the simulator when interacting with the 1 verifier.
(Again we will use
subscripts when the simulators are run multiple times). Without loss of generality we
assume that there is a polynomial
2
f
such that No, N 1 , M0 , M' all have length f(k).
We could instead use any simple subset revealing protocol as defined in [21]
19
3.5
The Goldreich-Levin Theorem
Goldreich and Levin[15] provide a reduction that allows us to turn a process which
for randomly chosen r produces < x, r > into a process which produces a list likely
to contain x.
Theorem 1 (Goldreich Levin) Suppose we have a random process P,,k
{0, 1}
{0,
I}kk
so that for some integer c,
Pr[r
-
{0, 1 }k; q
1
1
Qx,k(r) : q -< r, x >] >__ +
+--
then there exists a probabilisticpolynomial time algorithm A which when given oracle
access to
QxT
will output a list of strings which with probability at least - contains x.
Since A runs in polynomial time, the list produced by A can have at most polynomial length. Therefore, by randomly chosen an element in the list produced by A
we get the following corollary.
Corollary 1.1 Suppose we have a random process Pxk : {0,
{0, 1} so that for
I}
some integer c,
Pr[r - {0,
I}k;
1
1
q -- Qx,k(r) : q =< r, x >] > I +
then there exists a probabilistic polynomial time algorithm A and an integer d such
that when A is given oracle access to
Qxn,
1
H2d
20
it will output x with probability at least
Chapter 4
Our Assumptions
First we make a fairly standard assumption about the difficulty of the discrete logarithm problem.
Assumption 3 (Standard Discrete Log Assumption) Let I = {In} be any family of polynomial-size circuits. Let PRIMES,, be the set of all n-bit primes. Let
GENp be the set of all generators of Z*. Then for all c and all sufficiently large n,
Pr[p
+-
PRIMESn; g
+-
GENp; x +-
a - In(p, g, g) : a = x] <
1
nc
Additionally, we assume that the Diffie-Hellman Problem is hard[9]. 1
Assumption 4 (Standard Diffie-Hellman Assumption) Let I
=
{In} be any
family of polynomial-size circuits. Let PRIMES, be the set of all n-bit primes. Let
GENp be the set of all generators of Z*. Then for all c and all sufficiently large n,
Pr[p +- PRIMES,; g +- GENp; x
<-
Z*; y +- Z,*; a
+-
In (p, g, g, gY) : a = gxy] <
1
'We assume that no polynomial-size family of circuits can solve the Diffie-Hellman Problem with
success probability greater than -L. Victor Shoup[23] proved that this is equivalent to assuming that
no polynomial-size family of circuits can solve the Diffie-Hellman problem with success probability
1
1 -f
21
Proofs of Knowledge
4.1
As noted earlier, the Strong Diffie-Hellman Assumptions used by Hada and Tanaka[19]
We believe that this type of
are assumptions about the knowledge of a circuit.
assumption is necessary in order to achieve zero-knowledge in three rounds. We find
a proof of knowledge to be a useful framework in which to consider this type of
assumption.
Proofs of knowledge are a common tool in the design of cryptographic protocols.
They are used in cryptographic protocols when one party needs confidence that another party is able to compute a value with specified properties. Fischer, Micali and
Rackoff[11] were the first to use a proof of knowledge when they observed that the
adversary could conceivably cheat if he were ignorant of a value that he was suppose
to know.
We avoid presenting a rigorous definition of a proof of knowledge2 . Intuitively, a
proof of knowledge is a protocol involving a prover and a verifier such that if the verifier accepts the proof, then with high probability there is a polynomial time knowledge
extractor which could interact several times with the prover and output a value with
the specified properties. Of particular interest in a cryptographic setting is a witnessindistinguishable proof of knowledge in which the verifier gains no information about
which value the prover knows.
The following protocol is a proof of knowledge similar to proofs of knowledge in
[18], [16] and [24]. In this protocol, given a prime p, a generator g and a number
Q, the
prover provides a pair (X, Y) such that XY
=
Q
mod p and proves that he
knows the discrete log of either X or Y. To do this, the prover constructs a sequence
of pairs (Wi, Zj) such that WjZj =
Q
mod p. For each such pair, the verifier makes
a challenge requesting a proof that the pair (Wi, Zj) is properly constructed (i.e. that
the prover knows the discrete log of either W or Z) or a proof that if (Wi, Zj) is
properly constructed then the prover knows the discrete log of either X or Y.
1. VERIFIER: Chooses a random k - bit prime number p such that the factor2
The precise definition of a proof of knowledge is still under debate.[20]
22
ization of p - 1 is known. 3 Chooses a random generator, g, of Z*. Chooses a
random element Q E Z*. Sends p, g and
Q to
PROVER.
2. PROVER: Sends a pair (X, Y) to VERIFIER such that XY
k additional pairs (W1 , Z 1),...
, (Wk,
Q
mod p. Sends
Zk) to the VERIFIER such that WiZi =
Q
mod p for each i.
3. VERIFIER: Randomly selects k bits bi and send them to the prover.
4. PROVER: Let x be such that either gx = X mod p or gx = Y mod p. Let wi
be such that either gwi
-
Wi mod p or gwi = Zi mod p. For each i if bi = 0
sends Bi = wi to VERIFIER. If bi = 1, randomly selects ci E {-1, 1} and sends
Bi = ci(x - wi) to VERIFIER.
5. VERIFIER: For each i, if bi
mod p. If bi
=
=
0 checks that g B = X mod p or gBi
-
Y
1 checks that Bi is in the set {XWJ-1 , X- 1 W, XZZ-1, X 1 Zi}.
Rejects the proof if any of these checks fail.
The above protocol is secure because a knowledge extractor which is able to interact multiple times with the prover will be able to get the responses to both of the
challenges for a particular (Wi, Zi) and thus compute the discrete log of either X or
Y.
We now consider the following modification of the protocol which makes use of a
random oracle, 0 (without loss of generality we assume that the oracle always returns
k bits).
1. VERIFIER: Chooses a random k - bit prime number p such that the factorization of p - 1 is known. Chooses a random generator, g, of Z*. Chooses a
random element
QE
Z*. Sends p, g and R to PROVER.
2. PROVER: Selects a pair (X, Y) such that XY
(W 1 , Z 1),...
,
(Wk, Zk) such that WiZi =
O(X, W 1 ,... ,Wk).
3
Q
=
Q
mod p and additional pairs
mod p for each i. Let bl,... , bk
Let x be such that either gx = X mod p or gx
This can be done by using the algorithm in [1]
23
=Y
=
mod p.
Let wi be such that either gw
9
Send (X, Y), (W1 , Z1 ),
Bi
Wi mod p or gi
=- Z
mod p.
, (Wk, Zk) to VERIFIER. For each i if bi = 0 sends
.. .
wi to VERIFIER. If bi
=
-
=
1, randomly selects ci
{-1, 1} and sends
Bi = ci(x - wi) to VERIFIER.
3. VERIFIER: Let bi,... , bk
that
9 Bi -
=
O(XW
X mod p or gBi = Y
1
,... ,Wk).
For each i, if bi
=
0 checks
mod p. If bi = 1 checks that Bi is in the set
{XWi-1 1 X- 1 W, XZJ1 , X- 1 Zi}. Rejects the proof if any of these checks fail.
This protocol is a secure proof of knowledge in the random oracle model because
a knowledge extractor which interacts several times with the prover (with different
choices for the oracle) will be able to get the responses to both challenges for the
same (Wi, Zi) and can then compute the discrete log of either X or Y.
4.2
Our Proof of Knowledge Assumption
Our proof of knowledge assumption is that there exists either a cryptographic function
(such as SHA-1 or MD5) or a family of cryptographic functions such that the previous
protocol remains a valid proof of knowledge even if the random oracle is replaced by
the function. This is a strong assumption.
Canetti, Goldreich and Halevi[8] show that there exist settings (albeit somewhat
artificial ones) in which replacing a random oracle with any cryptographic function
does not yield a secure outcome.
However, we believe our assumption plausible.
(Indeed, in our setting, it seems unlikely that the hash function will interact with the
protocol in just the right way so as to allow an malicious prover to cheat.)
Assumption 5 (Proof of Knowledge Assumption (POKA)) Let I be a family of polynomial-size circuits which takes as input (p, g, R, h), where p is a k-bit
prime, g is a generator of Z*,
range is {0,
I}k,
Q is
an element of ZP* and h is a hash function whose
and tries to output ((X, Y), (W 1 , Z 1 ),
such that for each i, bi
=
0 implies 9Bi
E
. . . , (Wk,
Zk), B 1, . . . , Bk, S)
{Wi, Zi} and bi = 1 implies gBi E
{XW[', X -'Wi, XZ; 1 , X-Zi} where bi is the ith bit of h(X, W 1,. .. , Wk). For every
24
family of polynomial-size circuits I = {I} there exists anotherfamily of polynomialsize circuitsI
= {Ik}
which on input (p, g, Q, h) outputs ((X, Y), (W1 , Z1),...
, (Wk,
Zk), B 1 ,...
such that
1. The distribution of the first 2k + 2 outputs of Ik(p, g,
to the distributionIk(p, g,
Q, h),
Q, h)
is statistically close
(where the probability distribution is taken over
a random choice of p E PRIMESk, g E GENp and Q E Z*).
2. For every c and all sufficiently large k,
Pr[p +- PRIMESk; g
+-
GEN,;
Q +- Z*;
((X, Y), (W 1, Zi), .. , (Wk, Zk), B1... , Bk, S,X) +- ik(p, giQ, h)
(A((b = 0 A gB E {Wi, Zi}) v
(b, = 1 A g"' E {XWJ 1 , X~'W, XZj1, X~1Zi}}) A gx V {X,Y} <
Note that the above assumption is parameterized by the method in which the hash
function is chosen. From this point forward we will use the notation Ilk to mean a
distribution of hash functions for which the above assumption is believed to be true.
25
,
B
,
26
Chapter 5
Our Protocol
5.1
The Actual Protocol
Our protocol is based on the ideas of Kilian, Micali and Ostrovsky[21] and Bellare
and Micali[3]. Kilian, Micali and Ostrovsky show how all of the interaction in a zeroknowledge proof can be moved to a short interactive preprocessing stage which could
be performed before selecting the theorem to be proved. Bellare and Micali introduce
the notion of an oblivious transfer channel and show how an oblivious transfer channel
can be implemented using public keys. Additionally, they show how the protocol of
Kilian, Micali and Ostrovsky could be modified to use an oblivious transfer channel.
In our protocol, we use our POKA to set up k oblivious transfer channels without
using public keys. Then for each channel, the prover proceeds to send one response in
Blum's protocol using the first half of the channel and the other response in Blum's
protocol using the second half of the channel (and thus the prover is assured that the
verifier is only able to read one of the two responses). The following protocol is our
3-round zero-knowledge proof that a graph G of size k has a Hamiltonian cycle.
* PROVER: Chooses a random k-bit prime number p such that the factorization
of p - 1 is known. 1 Chooses a random generator, g, of Z*. Chooses a random
element Q
C Z*.
Sends (p, g,
Q, H) to
'This can be done by using the algorithm in [1]
27
VERIFIER where H is a hash function
chosen from yk.
* VERIFIER: Selects k random elements x 1 ,... , Xk of Z*. Flips k coins to create
random values C 1 , . . . , Ck E {0, 1}.
* VERIFIER: For each xi, if Ci
=
0, let Xi =
mod p and Yi = QX
gy'
1
mod p.
If Ci = 1, let Yi = gxi mod p and Xi = QYi- 1 mod p.
* VERIFIER: For each xi, selects k random elements wi,1
k coins to create random values C, 1 ,....
, C,j
g'i
Wi,k
of Z* and flips
E {0, 1}.
e VERIFIER: For each wij, if Cij = 0, let Wi,=
If C, 3 = 1, let Zi=
...
gwi
mod p and Zi,= QWi- 1 .
mod p and Wi, = QZtJ'=H(Xi, Wi,1 ,...
" VERIFIER: For each xi, let bi,1 ...
b,k
* VERIFIER: For each wij, if b
0 then Bij = wij. If bi, = 1, then randomly
select cij E {-1, 1} and let Bj
=
, Wi,k).
c, (Xi - wi,).
o VERIFIER: Flip k coins to create random values S1,... , Sk E {0, 1}.
((X1 , Y),.
. . ,
(Xk, Yk), (W1,1, Z1 ,1),.
Zk,k), B 1
. . , (W,k,
,.. . ,kB, S 1 ,
e PROVER: For each Xi, compute b,1 ... bi,k = H(Xi,Wi,1,...
i,j, if b23 = 0, check that either gij = Wij
bi, = 1, check that g!
mod p or g.
,
=Z
Send
, Sk)
to PROVER.
Wik). For each
mod p. If
is in the set {XiWi-1, X 1 W,,, XZJ, XJ1 Z,J}. If any
of these checks fails, reject and terminate the protocol.
* PROVER: Select R to be a random element of {0, I}k and select ai,,... , ak,k
to be random elements of Z*. Let K be the k-bit string whose Jh bit is
< R, Xa"i' >. Similarly, let Kr be the k-bit string whose Jh bit is < R, Yi', >.
9 PROVER: Choose k messages Ni and corresponding responses N2 and Nj as
the honest prover would in Blum's protocol. Let F be a pseudorandom generator.2 For each Si, if Si = 0 then Construct Li by taking the XOR of Nf with
2
Pseudorandom generators exist if computing discrete logs is hard[6]
28
F(K ) and construct L' by taking the XOR of Nil with F(Kf). If Si
1 then
Construct Li by taking the XOR of Ni with F(K ) and construct L, by taking
the XOR of N.0 with F(KI[).
* PROVER: Let Aij = g'
mod p. Send (R, A 1 ,1,...
, Ai,,,
N1 , ...
, Na,
L1 , IL
... , L,)
to VERIFIER.
" VERIFIER: Let Ki be the k-bit string whose Jth bit is < Ri , Ax
>.
For
each i, if Ci = 0, let RESPONDi be the XOR of Li with F(Ki). If Ci = 1,
let RESPONDi be the XOR of L' with F(Ki). Accept only if for each i,
either Si
=
Ci and RESPONDi is a correct response to challenge 0 in Blum's
protocol with first message Ni or Si
#
Ci and RESPONDi is a correct response
to challenge 1 in Blum's protocol with first message Ni.
The protocol is complete since if the prover follows the specified program, the honest
verifier will always accept.
5.2
Proof of Soundness
Assume that G does not have a Hamiltonian cycle. Then for any first message Ni in
Blum's protocol it is possible for the prover to correctly answer at most one of the
two possible challenges. (That is, it is possible to produce either Nf or Nj but not
both). Given Ni, let piit be such that the prover can produce Nti but not N'-P.
For the honest verifier, the message sent to the prover is completely independent
of whether the verifier knows the discrete log of Xi or Y. (That is, it is completely
independent of the Ci's.)
This is because each pair (Xi, Y) is a random pair of
elements in Z* whose product is Q. Additionally, Bij gives no information about Ci
because for fixed (Xi, Y, WZj,Z,) there are four possible values of Bij depending
on the values of C, Cjj and ci2 j and each of the four values of Bij results from one
setting of (Ci, C, 3 , ci,j) in which Ci
=
0 and from one setting in which C, = 1.
For the honest verifier, with probability one-half, Si
=
Ci. Since the prover has
no information about C, then with probability one-half either Si = Ci and oaj # 0 or
29
Si 74 C, and ac # 1. Observe that the verifier will reject if for any i either Si = Ci
and ao
74
0 or S, 74 C, and ac :A 1. Therefore, with probability at least one-half, the
verifier will reject because of the prover's j% response. Therefore, the verifier will
accept with probability at most 1.
5.3
Proof of Zero-Knowledgeness
For any cheating verifier, V', we construct a simulator Sv, and show that for graphs
G which contain a Hamiltonian cycle, Sv, (G) is computationally distinguishable from
VIEW([P(G) ++ V'(G)]).
For any cheating verifier, V', by assumption there exists another family of circuits
as specified by POKA.
3.
Let Sv, be the family of probabilistic circuits which on
input G do the following:
1. Let k be the size of the input graph G
2. Select a random string
T
to be used as the random string for the verifier
3. Select a random k-bit prime number p such that the factorization of p - 1 is
known [1].
4. Select a random generator, g, of Z*.
5. Select a random element,
Q,
of Z*.
6. Select a random hash function, H, from Hk.
7. Run V' on input (p, g, Q, H) and random string T to obtain
((X,7 Y), ...., (Xki, Y)),7 (W1,1, Z1, 1), . . . , (Wk,k, Z,k),I B1, ....
, Bk, S1l..
3
Sk)
Technically, V' has k sets of outputs and so we apply POKA k times (On the ith application of
POKA we apply the assumption to a version of V' which is modified to only output the ith set of
outputs). We can then easily combine the k resulting circuits into a single circuit which outputs all
k discrete logs. For simplicity when we refer to V' we are referring to the composite circuit which
results from k applications of POKA
30
and (xi,...
, Xk).
8. For each X2 , compute bi, 1 . . .bi, = H(X, 7Wi,1,
. ..
0, check that either g% = Wjj mod p or g
, Wi,k).
Z,
For each i, j, if bij
mod p. If bj = 1, check
that g B is in the set {XiWi-j, X- 1 Wij, XiZ9, X7-1 Z, }. If any of these checks
fails, output (T, (p, g,
Q, H), REJECT)
and terminate.
9. Select R to be a random element of {0, 1}k and select a 1, 1, ... , akk to be random
elements of Z*.
10. Let K
be the k-bit string whose J"' bit is < R, Xc",' >. Similarly, let K( be
the k-bit string whose Jth bit is < R, i"
>
11. For each xi, let Ci = 1 if Y = gxi mod p and Ci = 0 otherwise.
12. For each xi, If Ci = Si run the simulator for Blum's protocol to get Mi and M2
and if Ci y Si run the simulator for Blum's protocol to get Mi and Mi.
13. If Ci =0 Construct Li by taking the XOR of MiS
Ci
and F(K)
and construct
L' to be F(K'). If Ci = 1 Construct Li to be F(K ) and construct L' by
9 s' and F(K').
taking the XOR of M!e-
14. Let Ai,1 = gaio mod p and Output
(T,
, Ak,k, L1,
(p, g, Q, H), Mi, . .. , Mk, R, A1,,, ....
First we consider the case where
Lf, ...., Lk,,
Ll)
' outputs B 1 ,1 , . . . , Bk,k such that for some i, j
Bij, does not pass the prover's checks. By POKA, the output of
' is statistically
close to the output of V'. Also note that in this case, the simulator, S, behaves in a
manner identical to that of the honest prover. So, in this case, Sv,(G) is statistically
close to VIEW([V' + P(G)]). Therefore, for any verifier V' that sometimes outputs
B 1 ,1,... ,Bkk which do not pass the provers checks, we consider a modified verifier
V" which behaves like V' except that when V' would produce an output that doesn't
31
pass the prover's checks, V" instead behaves like the honest verifier. We note that
if Sv,(G) and VIEW([V' +-± P(G)]) are distinguishable then so are Syu (G) and
VIEW([V"
<-+
P(G)]) and therefore from this point forward we restrict our attention
to verifiers whose output always passes the prover's checks.
Next we consider the case where 17' sometimes outputs x 1 , . . . , xk such that gxi
Y mod p. In this case we can replace
and random string
T,
' with a circuit
" which on input (p, g,
first runs 1' on input (p, g, Q, H) and random string
V" checks to see if for any i,
T.
-
Q, H)
Then
Y mod p. For each such i, V" swaps Xi and Y
gxi
and produces output identical to
' except for the switches. Additionally, consider
the verifier V" which on input (p, g,
Q, H) and
random string
T,
first runs 1' on input
(p, g, Q, H) and random string T. Then V" checks to see if for any i, gxi = Y mod p.
For each such i, V" swaps Xi and Yi. V"' then produces output identical to V' except
for the swaps. Observe that the pair
" and V" satisfy the conditions of POKA.
Additionally observe that if Sv,(G) and VIEW([V' + P(G)]) are distinguishable,
then so are Svy (G) and VIEW([V" + P(G)]). Therefore, from this point forward
we restrict our attention to verifiers, V' such that
that gxi
$
' always outputs x 1 , . . .
, Xk
such
Yi.
To derive a contradiction we assume that there exists an infinite family of input
graphs, {Gk} (without loss of generality assume that for sufficiently large k, Gk has
size k) such that Sv, (Gk) is computationally distinguishable from VIEW([P(Gk)
-
V'(Gk)]).
It will be useful to define several circuit families and probability distributions. For
simplicity in the following argument we will write
[p, g, Q, H, R,]
to mean
[p +- PRIMESk ,g <- GEN, Q +- Z>*, H &
+-
k, R +- {0,1}l,
Let {Ek} be the family of circuits which on input (T, p, g,
32
+
Q, H, R)
0, 1}]
does the fol-
lowing:
1. Run
' on input (p, g,
2. Select a7, 1 , ...
,
Q, H) and
random string
T
to obtain (Xi, Y), Si and xi.
k to be random elements of Z*.
3. Let Kf be the k-bit string whose
jth
bit is < R, X"'s >. Similarly, let K( be
the k-bit string whose Jth bit is < R, Yij,' >.
4. Let Ci = 0.
5. If Ci = Si run the simulator for Blum's protocol to get Mi and M2 and if
Ci 5 Si run the simulator for Blum's protocol to get Mi and Mj.
6. If Ci = 0 Construct Li by taking the XOR of Mi sCi and F(Kj) and construct
L' to be F(Kf). If Ci
1 Construct Li to be F(K ) and construct L' by
taking the XOR of Mf" Si and F(Kf).
7. Let Aij = ga'it
mod p and output (Mi, Aj, 1 ,...
, Ai,k,
Li, L').
Let {f'} be the family of circuits which on input (T, p, g, Q, H, R) does the following: (Note that the Hamiltonian cycle for
1. Run
Gk
can be hardwired into IP)
' on input (p, g, Q, H) and random string
T
to obtain (Xi, Y), Si and xi.
2. Select a, 1 ,. ... , aik to be random elements of Z*.
3. Let K
be the k-bit string whose
the k-bit string whose
jth
jth
bit is < R, Xc",' >. Similarly, let K( be
bit is < R, Yi"i >.
4. Use the Hamiltonian Cycle in Gk to obtain N-, NP and N .
5. if Si = 0 then Construct Li by taking the XOR of N2 with F(K ) and construct
L' by taking the XOR of Nil with F(K'). If Si = 1 then Construct Li by taking
the XOR of N.1 with F(K ) and construct L' by taking the XOR of Ni" with
F(Kf ).
6. Let Ai
=
mod p and output (Ni, Ai, 1 , ... , Ai,k, Li, L').
33
Let {bV} be the family of circuits which on input
lowing: (Note that the Hamiltonian cycle for
Gk
(T,
p, g, Q, H, R) does the fol-
can be hardwired into 4I)
1. Run V' on input (p, g, Q, H) and random string
T
to obtain (Xi, Y), Si and xi.
2. Select ai,, . . . , aO,k to be random elements of Z*.
3. Let K
be the k-bit string whose jth bit is < R, X>"'j >. Similarly, let Kf be
the k-bit string whose
jth
bit is < R, Yi"
>
4. Let Ci = 0.
5. If Ci = Si use the Hamiltonian cycle in
use the Hamiltonian cycle in
Gk
Gk
to obtain Ni and N2 and if Ci # Si
to obtain Ni and Nj.
6. If Ci = 0 Construct Li by taking the XOR of Nsisci and F(K-) and construct
L' to be F(K'). If Ci = 1 Construct Li to be F(K ) and construct L' by
taking the XOR of N'c'-s' and F(K').
7. Let Aij = g'ia mod p and output (Mi, Ai, 1 , . . . , A7,i, Li, L').
Let {Q} be the family of circuits which on input
(T,
p, g, Q, H, R) does the fol-
lowing: (Note that the Hamiltonian cycle for Gk can be hardwired into Q4)
1. Run V' on input (p, g, Q, H) and random string
T
to obtain (Xi, Y), Si and xi.
2. Select czi, ... , a,k to be random elements of Z*.
3. Let K
be the k-bit string whose th bit is < R, X"
>.
4. Let Ci = 0.
5. If C = Si use the Hamiltonian cycle in Gk to obtain N and N? and if Ci = Si
use the Hamiltonian cycle in Gk to obtain Ni and Nj.
6. If Ci = 0 Construct Li by taking the XOR of Ns'-c' and F(K ) and let L' be
uniformly chosen from {0, 1}f(k).
7. Let Ai,
= g'ii mod p and output (Mi, Aj, 1 , . . , Ai,k, Li, L').
34
Let Y be the distribution
[p, g, Q, H, R,
,g
I
T, Ei,
,H
(TpgQHR
,g
ir
)
,H
)
I-".7 (T p g Q H, R))
ir
,g
,H
)
Let o-j be the distribution [p, g, Q, R, T, H, E9J(,p, g, Q, H, R)].
Let 7j be the distribution [p, g, Q, R, T, H,HI,(Tp,g, Q, H, R)].
Let qj be the distribution [p, g, Q, R, r, H, 4I(T, p, g,
Let wj be the distribution [p, g, Q, R, T, H,
Q, H, R)].
(Tp,g,Q,H,R)].
Lemma 1 If there exists an infinite sequence of graphs, Gk such that SvI(Gk) is
computationally distinguishablefrom VIEW([P(Gk) ++ V'(Gk)]) then there exists an
1 such that either #1is computationally distinguishablefrom 1 or 1 is computationally
distinguishablefrom
Proof
(TI.
It is clear from definition that Sv,(Gk) is Yk and that VIEW([P(G)
+
V'(G)]) is Yo. So Yk is computationally distinguishable from Y and therefore there
exists some 1 such that Y_1 is computationally distinguishable from Y. For this 1, it
is easy to see that o, is distinguishable from 7r,
Since a, is computationally distinguishable from 7r,, then either q1 is computationally distinguishable from or, or
Lemma 2 For all 1,
Proof
#1is
#1 is
computationally distinguishable from 7rj. l
computationally indistinguishablefrom oa.
To derive a contradiction, we assume that there exists an 1 and a polynomial
size family of distinguishers {D1k} which distinguish q1 and or. We now contradict
the fact that Blum's protocol is zero-knowledge by constructing a family of malicious
verifiers {Ek} and a family of distinguishers {D1'} such that {D1'} distinguishes an
interaction of Ek with the Blum simulator from a view of an interaction of Ek with
the Blum honest prover for the infinite family of graphs {Gk}.
Let Ek be the verifier who on any input and random string p does the following:
35
1. Parse the random string, p, as (T,p, g, Q, H, R) where
{0, I}k,
-r
is a random element of
p is a random k-bit prime, g is a random generator of Z*,
Q is
a random
element of Z* H is randomly chosen from Hk and R is a random element of
{0, I}.
Q, H) and random
2. Run V' on input (p, g,
3. If gxl mod p = X, and S, = 0 or gx
string T to obtain X 1 , Si and xi.
1 then output 0,
mod p 7 X, and S,
otherwise output 1.
Let D1' be the circuit which on input (p, v, v') does the following:
1. Parse p into (, p, g, Q, H, R) in the same manner as Ek would.
2. Run V' on input (p, g, Q, H) and random string T to obtain (Xj, Y,), S, and xj.
3. Select
..
,1,..
, alk to be random elements of Z*.
4. Let Kx be the k-bit string whose
jth
bit is < R, Xa"'' >. Similarly, let K' be
the k-bit string whose jth bit is < R, Ya
~
>
5. Let C = 0.
6. If C, = 0 Construct L, by taking the XOR of v' and F(K)
to be F(K,). If C,
and construct L'
1 Construct L, to be F(Kx) and construct L' by taking
the XOR of v' and F(K').
7. Let Ai, = gali mod p
8. Run Dlk on input (p, g, Q, R, TH, (v, A, 1 , ...., Ajk, L, L))
Observe that if (p, v, v') is a random output of the Blum Simulator for Ek then
D1' outputs Dlk applied to a random element from a, and if (p, v, v') is the view of
a random interaction between Ek and the Blum honest prover then D1', outputs Dlk
applied to a random element of
Blum Simulator for
Ek
#1. Therefore,
D1' distinguishes the output of the
from an interaction between
Ek
and the honest Blum prover.
This contradicts the fact that Blum's protocol is zero-knowledge.
36
l
Lemma 3 Let SEL = {SELk} be a polynomial-size family of circuits which take as
input a prime, p, a generator, g, of ZP* and a element
Q
of ZP* and outputs a pair
{SOLk} be a polynomial-size family of circuits which takes as
(x,aux). Let SOL
input a triple as input and outputs a number. Then for all c and all sufficiently large
k
Pr[p +- PRIMESk; g +- GENp; q +- Z;
Q +-
g7;
(x, aux) +- SELk(pg, Q); b - Z*; ans +- SOLk(Qgx gb, aux) : ans - g(q-x)b] <1
Proof
To derive a contradiction we assume that there exist circuit families SEL
and SOL and some integer c such that for all sufficiently large k,
Pr[p <- PRIMES; g +- GENp; q +- Z*; Q +- gq;
(x,aux) +- SELk (p,g,Q); b +- Z*; ans - SOLk(Qg
We know consider the family of circuits I =
X
{Ik}
gbaux) : ans - g(q-x)b]
1
which on input a prime, p, a
generator g of Z* and elements ga and gb of Z* does the following:
1. Let (x, aux) be the output of SELk on input (p, g,ga).
2. Let ans be the output of SOLk on input (ga-x, gb, aux).
3. Output ans(gb)x
Observe that
Pr[p <- PRIMESk; g
=
Pr[p
-GEN;
x +- Z*; y-Z*;a<Ik(p7ggg:a=gY]
-PRIMESk;
(x, aux) +- SELk(p g,Q); b
+-
Z*; ans
g +- GEN; q <-Z*; Q <- SOLk(Qg
This contradicts the Diffie-Hellman assumption.
37
l
gq;
, gbaux) : ans = g(q-x)b] >
Lemma 4 For all 1, q1 is computationally indistinguishablefrom 7r,.
Proof
To derive a contradiction we assume that there exists an 1 such that q1 is
computationally distinguishable from r1 . It follows that either w, is computationally
distinguishable from 7r, or w, is computationally distinguishable from q1. We derive
a contradiction for the case where 7r, and w, are distinguishable. The proof that the
other case yields a contradiction is identical except for a small difference which we
will note when we reach it.
Let {Bk} be the family of circuits which on input (T, p, g, Q, H, R) does the fol-
lowing:
1. Run V' on input (p, g, Q, H) and random string T to obtain (Xi, Yi).
2. Select
,. . .
, a,k to be random elements of Z*.
3. Let KY be the k-bit string whose
4. Let Ajj = g0 1i
Let
jth
bit is < R, Yc"j >.
mod p and output (A,, 1 , ... , Alk, F(K ))
be the family of circuits which on input (T, p, g,
{P'k}
Q, H, R)
does the fol-
lowing:
1. Run V' on input (p, g, Q, H) and random string T to obtain (Xi, Y).
2. Select
0
z,1, . . . , al,k to be random elements of Z*.
3. Let KY be the k-bit string whose j'h bit is < R, Y
4. Let Ai, 3 = galJ mod p and output (A, 1, ...
, A1,1
>.
KY)
Since a) and 7r, are computationally distinguishable, there exists a family of circuits
{D2k}
that distinguish w, and
'r1.
which distinguish [p, g, Q, H, R,
We now construct a family of distinguishers {D2' }
T, Bk(p, g,
Q, H, R)] and [p, g, Q, H, R, T, A, 1 <- Z,*, ...
Z*, {0, 1}f(k)]
Let {D2' } be the circuit which on input (p, g,
following: (Note that the Hamiltonian cycle for
38
Q, H, R, T,
Gk
A, 1, .... , Alk, p) does the
can be hardwired into D2')
A,k*
1. Run V' on input (p, g,
Q, H) and
random string T to obtain (Xj, Y1), S and xj.
2. Let Kx be the k-bit string whose jth bit is < R, A
>.
3. Use the Hamiltonian Cycle in Gk to obtain N, N' and N 1 .
4. if S, = 0 then Construct L, by taking the XOR of N 0 with F(Kx) and construct
L' by taking the XOR of N1 with 1. If S = 1 then Construct L, by taking the
XOR of N' with F(KX) and construct L' by taking the XOR of No with 1u.
5. Run D2k on (p, g,
Q, H, R, T, N, (A,
, ....
1
Observe that if (p, g, Q, H, R, T, A 1,1 ,...
, Ai,k,
P) is taken
A,
,
L1, L')) and output the result.
from [p, g, Q, H, R, T, Bk(p, g, Q, H, R)
then D2' outputs D2k applied a random element of wr and if (p, g,
is taken from [p, g,
Q, H, R,
T,
to a random element of w1 . Therefore, [p, g,
means that [p, g,
A, 1,... , A
Q, H, R, T,
Bk(p, g,
Q, H, R)]
and [p, g, Q, H, R, r, A, 1, ...
Since F is a pseudorandom generator, this
Q, H, R, T, Fk (p, g, Q, H, R)]
and [p, g,
Q, H, R, T, A,, 1, . . .
,
Ai
{0, 1}f(k)].
5
Let {k} be the family of circuits which on input (T, p, g, Q, H, R) does the following:
1. Run V' on input (p, g,
Q, H) and
random string T to obtain (Xi, Y1).
2. Randomly select a E Z* and let A = gc mod p.
3. Output A, < R, Ya >.
Observe that for the output distribution of
distribution of
k*
~i)
{0, 1}f(k)] then D2' outputs D2k applied
A1,1, ... , A
are computationally distinguishable.
Q, H, R, T,
1
k
is equal to k copies of the output
(When both circuits have inputs drawn from [p, g,
Q, H, R, T]).
'If we were in the case where q and w were distinguishable instead of 7r and w then here we would
let L' be p (regardless of what S, is).
5We
know that F(KX) is distinguishable from uniform with the help of
We know that since F is a pseudorandom generator its output
p, g, Q, H, R, T),A, 1 ,... , AI,k.
is indistinguishable from uniform if its input is indistinguishable from uniform. Therefore we
conclude that we distinguish Kx from uniform with the help of p, g, Q, H, R, 7, A, 1,. .. ,Alk.
39
A standard hybrid argument yields that if k copies of
7k(P, g,
Q, H, R, T) are distin-
guishable from k copies of [A +- Z*, {O, 1}] with the help of p, g,
one copy of
Ek(p, g,
Q, H, R, T)
Q, H, R and
then
T,
is distinguishable from one copy of [A +- Z, {, 1}]
with the help of p, g, Q, H, R and T. That is, [p, g, Q, H, R, ,k(p,
g, Q, H, R,T)] is
distinguishable from [p, g, Q, H, R, T, A -- Z*, {0, 1}]. This means that there exists a
family of circuits which when given random p, g,
Q, H, R, T
and g' guess < R, Yj' >
with some polynomial advantage. Therefore, we can invoke Goldreich-Levin to show
that there exists a family of circuits algorithm, G = {Gk}, which when given random
p, g, Q, H, T and g0 output Ya with probability - for some integer d.
We now show that this violates Lemma 3 by constructing a pair of circuit families
SEL and SOL and an integer c such that for infinitely many k,
Pr[p +- PRIMESk; g
+-
GENp; q +- ZP*; Q <- gq;
(x, aux) +- SEL(p, g, Q); b +- Z*; ans <- SOL(Qg--, gb, aux) : ans = g(q-x)b> 1
-kc
Let {SELk} be the family of circuits which on input (p, g, Q) does the following:
1. Randomly choose H from Hk and randomly choose r from {0, 1 }k.
2. Run V' on input (p, g, Q, H) and random string
T
to obtain X, and xj.
3. Let aux = (H, T) and output (xi, aux).
Let {SOLk} be the family of circuits which on input (Qg-x,
gb,
(H, T)) does the
following:
1. Run Ik on input p, g,
Q, H, T
and gb and output the result.
We know that except with negligible probability, Y = Qg-x. When Y =
SOL will output
g(q-x)b
Qg-1,
with probability at least !. Therefore, there exists a c such
that will output g(q-x)b with probability at least kc. f
That the protocol is zero-knowledge is a straightforward consequence of Lemmas
1, 2 and 4
40
Chapter 6
Conclusion
We have provided a 3-round zero-knowledge proof system for any language in NP.
From Goldreich and Oren we know that 3 rounds is minimal unless BPP = NP.
However, it is unclear whether our proof of knowledge assumption is reasonable. It
would be desirable to create a 3-round zero-knowledge proof system which relies on
more standard assumptions but it is not clear whether this is possible. In fact, it
is not even clear whether non-black-box zero-knowledge protocols (of any number of
rounds) can be achieved using standard assumptions.
If non-standard assumptions are necessary to achieve zero-knowledge in three
rounds, we feel that proofs of knowledge provide a useful framework for formulating
those assumptions. Our protocol is based on a proof of knowledge for the discrete
logarithm of one of a pair of numbers. However, it is likely that similar protocols can
be created using assumptions based on different proofs of knowledge (like a proof of
knowledge of one of the square roots of a quadratic residue).
41
42
Bibliography
[1] E. Bach. how to generate factored random numbers. Siam Journal of Computing,
17, 1988.
[2] Boaz Barak. How to go beyond the black-box simulation barrier. In Proceedings
of the 42nd FOCS, 2001.
[3] Mihir Bellare and Silvio Micali. Non-interactive oblivious transfer and applications. In Proceedings of Crypto'89, 1989.
[4] L. Blum, M. Blum, and M. Shub. A simple unpredictable pseudorandom number
generator. Siam Journal of Computing, 15(2), 1986.
[5] Manuel Blum. How to prove a theorem so no one else can claim it. In Proceedings
of the InternationalCongress of Mathematicians, 1986.
[6] Manuel Blum and Silvio Micali. how to generate cryptographically strong sequences of psuedo-random bits. Siam Journal of Computing, 13(4), 1984.
[7] G. Brassard, D. Chaum, and C. Crepeau. Minimum disclosure proofs of knowledge. Journal of Computer and System Sciences, 37(2), 1988.
[8] Ran Canetti, Oded Goldreich, and Shai Halevi. The random oracle methodology,
revisited. In Proc. of the 30th STOC, 1998.
[9] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE
Transactions on Information Theory, IT-22(6), 1976.
43
[10] U. Feige and A. Shamir. Zero knowledge proofs of knowledge in two rounds. In
Proceedings of Crypto'89, 1989.
[11] M. Fischer, S. Micali, and C. Rackoff. A secure protocol for the oblivious transfer.
In Proceedings of Eurocrypt'84, 1984.
[12] 0. Goldreich and H. Krawczyk. On the composition of zero-knowledge proof
systems. SIAM Journal of Computing, 25(1), 1996.
[13] 0. Goldreich and Y. Oren. Definitions and properties of zero-knowledge proof
systems. Journal of Cryptology, 6(3-4), 1993.
How to construct constant-round zero-
[14] Oded Goldreich and Ariel Kahan.
knowledge proof systems for np. Journal of Cryptology, 9(3), 1996.
[15] Oded Goldreich and Leonid Levin. A hard-core predicate to any one-way function. In Proceedings of the 21st STOC, 1989.
[16] Oded Goldreich, Silvio Micali, and Avi Wigderson. Proofs that yield nothing
but their validity or all languages in np have zero-knowledge proofs. Journal of
the ACM, 38(3), 1991.
[17] Shafi Goldwasser and Silvio Micali. Probabilistic encryption. Journal of Computer and System Science, 28(2), 1984.
[18] Shafi Goldwasser, Silvio Micali, and Charles Rackoff. The knowledge complexity
of interactive proof systems. SIAM Journal of Computing, 18(1), 1989.
[19] Satoshi Hada and Toshiaki Tanaka. On the existence of 3-round zero-knowledge
protocols. In Proceedings of Crypto'98, 1998.
[20] Shai Halevi and Silvio Micali. Conservative proofs of knowledge. In To Appear,
2001.
[21] Silvio Micali Joe Kilian and Rafail Ostrovsky. Minimum resource zero-knowledge
proofs. In Proceedings of Crypto'89, 1989.
44
[22] Matthew Lepinski and Silvio Micali. On the existence of 3-round zero-knowledge
proofs. Technical Report MIT-LCS-TM-616, MIT, April 2001.
[23] Victor Shoup. lower bounds for discrete logarithms and related problems. In
Proceedings of Eurocrypt'97, 1997.
[24] M. Tompa and H. Woll. random self-reducibility and zero-knowledge interactive
proofs of possession of information. In Proceedings of the 28th FOCS, 1987.
[25] A.C. Yao. Theory and application of trapdoor functions. In Proceedings of the
23rd FOCS, 1982.
45
