TCS: Interactive Proofs and Zero-Knowledge

Interactive Proofs and Zero-Knowledge

Interactive Proofs

Interactive Proof Verification

Interactive proof system allows prover PP and verifier VV to exchange messages before stopping. We restrict VV to be PPT while the probabilitic is necessary otherwise this system is NP\text{NP} as PP is stronger than VV.

Problem AA is in IP\text{IP} if there is a pair of interactive algorithms (P,V)(P, V), with VV running in probabilistic polynomial time in the length of input xx, such that

  1. (Completeness). If xAx\in A, then P(P,V(x)=1)=1P(\langle P, V\rangle(x) = 1) = 1.
  2. (Soundness). If xAx\notin A, then for any possibly dishonest PP^{*}, we have P(P,V(x)=1)12P(\langle P, V\rangle(x) = 1) \leq \frac{1}{2}.
    (P,V)(P, V) satisfying above is called a proof system for AA. We say AIP[]A\in\text{IP}[\ell] if it has a proof system using =(x)\ell = \ell(|x|) times of message exchanges (number of messages, not rounds!).

We have that: BPPIP[1]\text{BPP} \subseteq \text{IP}[1]

Concretely, we consider two problem GRAPH-ISO\text{GRAPH-ISO}(图同构问题) and GRAPH-NONISO\text{GRAPH-NONISO}. Easily, GRAPH-ISONP\text{GRAPH-ISO}\in \text{NP} since we can choose the isomorphic permutation π\pi as witness. Besides, we have GRAPH-NONISOIP\text{GRAPH-NONISO}\in \text{IP}.

The GNI protocol is:

  1. VV samples a random b{0,1}b\in\{0, 1\} and a random permutation π\pi, send π(Gb)\pi(G_{b}) to PP
  2. PP returns an bit bb' to VV and VV accepts iff b=bb' = b

As PP is all-know, it must have the ability to distinguish bb if G0≁G1G_{0} \not\sim G_{1}. But it can just guess arbitarily if they are isomorphic.

Merlin-Arthur (Public-Coin) Protocols (Skip)

A Merlin-Arthur protocol is an interactive proof system where the verifier (Arthur) messages are public random coin flips.

A really simple VV!

Let AM[]\text{AM}[\ell] to be the Merlin-Arthur protocol with (x)\ell(|x|) messages. Consider MA=AM[1]\text{MA} = \text{AM}[1] and AM=AM[2]\text{AM} = \text{AM}[2]

Though it seems week, but we have:

Goldwasser-Sipser theorem: \forall \ell, IP[]AM[+2]\text{IP}[\ell]\subseteq\text{AM}[\ell + 2]

Define a set:

S={(H,π)πAut(H),HG0 or HG1}S = \{(H, \pi) \,|\, \pi\in\text{Aut}(H), H\sim G_{0} \text{ or } H\sim G_{1} \}

Aut(H)\text{Aut}(H) represents the automorphism permutation multiplicity. So we have:

S={n!G0G12n!otherwise|S| = \begin{cases} n! & G_{0} \sim G_{1} \\ 2n! & \text{otherwise} \end{cases}

So the GRAPH-NONISO\text{GRAPH-NONISO} is transformed into confirming S|S|
Let H\mathcal{H} be a pairwise independent hash family with U={0,1}mU = \{0, 1\}^{m} and R={0,1}kR = \{0, 1\}^{k} where k<mk < m.
Then the protocol is:

TODO

More facts

  1. IP=PSPACE\text{IP} = \text{PSPACE}
  2. IP[]=AM[]=AM\text{IP}[\ell] = \text{AM}[\ell] = \text{AM} for all constant 2\ell \geq 2
  3. AM=MA=IP\text{AM} = \text{MA} = \text{IP} if we allow completeness error

Coin Flipping and Commitment

We want a protocol where Alice and Bob talk to each other and then decide some important thing on the outcome R(a,b)R(a, b) of the coin flip and it makes sure that the result is not biased even if one of them is cheating (malicious). This means:

P(R=0)12+negl(n)P(R=1)12+negl(n)\begin{align*} P(R = 0) &\leq \frac{1}{2} + \text{negl}(n) \\ P(R = 1) &\leq \frac{1}{2} + \text{negl}(n) \end{align*}

So we need something to hide aa which filped by Alice to Bob to avoid bias.

Bit Commitment

The commitment scheme is a protocol consisting of the commit phase and reveal phase.

A PPT protocol Com\text{Com} is a (computationally hiding and statistically binding) commitment scheme if:

  1. Hiding: x0x1\forall\, x_{0}\neq x_{1}, Com(x0)cCom(x1)\text{Com}(x_{0})\approx_{c}\text{Com}(x_{1}).
  2. Binding: The probability that Alice can open Com(x0)\text{Com}(x_{0}) to x1x_{1} with x1x0x_{1}\neq x_{0} is negligible.

In this c\approx_{c} means that one cannot distinguish both is polynomial time.

Intuitively, this definition means Bob(recevier) can hardly verify x0x_{0} or x1x_{1} and Alice(sender) can almost always verify them.

Coin Flipping from Bit Commitment

The safe protocol is as follows:

  1. Alice send Com(a)\text{Com}(a) to Bob with a random aa
  2. Bob sends bb to Alice
  3. Alice opens Com(a)\text{Com}(a)
  4. Set R=abR = a \oplus b

Bit Commitment From PRG (Naor’s Construction)

Assume GG is a PRG with (n)=3n\ell(n) = 3n

In the commit phase:

  1. The receiver sends x{0,1}3nx\in\{0, 1\}^{3n};
  2. The sender samples m{0,1}m\in\{0, 1\}, z{0,1}nz\in\{0, 1\}^{n} and sends y=G(z)xmy = G(z)\oplus x^{m};

In the reveal phase:

The sender sends zz and mm.

Zero-Knowledge Proofs

Definition at first is as follows, in which view\text{view} contains the transcript of the interaction(all messages and their probabilities) and local information.

An interactive protocol (P,V)(P, V) is perfect (statistical or computational) ZK for AA if, \forall PPT VV^{*}, there exists a PPT simulator SS such that xA\forall\, x\in A, the following two distributions are the same:

  1. viewVP,V(x)\text{view}_{V^{*}}\langle P, V^{*}\rangle(x)
  2. S(x)S(x)

We have GRAPH-ISOPZK\text{GRAPH-ISO} \in \text{PZK}. The protocol is as follows:

  1. PP samples a random permutation π\pi and sends G=π(G0)G = \pi(G_{0}) to VV
  2. VV samples a random b{0,1}b\in\{0, 1\} and sends it to PP
  3. PP responds with a proof that GGbG\sim G_{b} with the permutation πσb\pi\circ\sigma^{b}

simulator and rewind

To prove this protocol is what we want, we need to prove its completeness, soundness and ZK. The first two are easy to argue, the ZK need a simulator and we generates it as follows:

  1. Choose aa uniformly at random.
  2. Sample a random permutation π\pi and compute G=π(Ga)G = \pi(G_{a}).
  3. Randomly sample rr and simulate VV^{*} with random tape content rr.
  4. If VV^{*} sends b=ab = a, outputs (G,π)(G, \pi) as the message and the random tape rr as the internal randomness of VV^{*}.
  5. If VV^{*} sends bab\neq a, rewind and start from the beginning.

ZK Proofs for NP

We have:

(Goldreich-Micali-Wigderson). If statistically binding commitments exist, then there exists a zero-knowledge proof system for 3-COLORING\text{3-COLORING}

The protocol is:

  1. PP samples random permutation π:{0,1,2}{0,1,2}\pi: \{0, 1, 2\}\to \{0, 1, 2\}.
  2. PP sends {Com(π(ϕ(v)))vV}\{\text{Com}(\pi(\phi(v))) \,|\, v\in V\}
  3. VV samples a random edge (u,v)E(u, v)\gets E and sends it to PP
  4. PP opens the commitment cuc_{u} and cvc_{v}
  5. VV checks if π(ϕ(u)),π(ϕ(v)){0,1,2}\pi(\phi(u)), \pi(\phi(v))\in\{0, 1, 2\} and π(ϕ(u))π(ϕ(v))\pi(\phi(u)) \neq \pi(\phi(v))

In this, ϕ\phi is a coloring scheme

许可协议

本文采用 署名-非商业性使用-相同方式共享 4.0 国际 许可协议,转载请注明出处。