ZKP and MPC 3

发表于 2023-10-16 更新于 2023-10-27 分类于课程笔记，零知识证明和多方安全计算阅读次数： 20 本文字数： 1.4k 阅读时长 ≈ 5 分钟

[2023 秋] 零知识证明与多方安全计算第三课课堂笔记 / [2023 Fall] Zero-Knowledge Proof and Secure Multi-Party Computation Lecture 3 Notes

Lec02 Zero-Knowledge Proof under Composition

2.3 Sequential Composition

$V^{*}$ : should be viewed as a black box , input $(i n p u t, r a n d o m n e s s, m e s s a g e s)$ , output response

If guess wrong at $m_{i}$ , we can rewind $V^{*}$ to the time when it receives $m_{i}$ , using the same input , randomness , first $i - 1$ messages

Def [ Zero-Knowledge Proof with Auxiliary Input ] :

$(P, V)$ is an interactive zero-knowledge proof with auxiliary input for $L$ if
- $V$ is an efficient algorithm ( poly-time )
- Completeness : $\forall x \in L, \forall y, z \in {0, 1}^{*}$ $Pr {⟨ P (y), V (z) ⟩ (x) = 1} = 1$
- Soundness with error $ϵ$ : $\forall x \notin L, \forall y, z \in {0, 1}^{*}$ $\forall P^{*}, Pr {⟨ P^{*} (y), V (z) ⟩ (x) = 1} < ϵ$
- Zero-Knowledge : $\forall V^{*}$ in P.P.T. , $\exists$ expected poly-time algorithm $M^{*}$ , $\forall x \in L, \forall y, z \in {0, 1}^{*}$ , $M^{*} (x, z) \sim V i e w_{V^{*} (z)}^{P (y)} (x)$
$y$ is indeed redundant since $P$ is not computationally bounded

Alternating Form of Zero-Knowledge : $\forall V^{*}, \exists M^{*}, \forall x \in L, \forall y, z \in {0, 1}^{*}$ $M^{*} (x, z) \sim ⟨ P (y), V^{*} (z) ⟩ (x)$
Lemma [ Composition Lemma ] :

$(P, V)$ : zero-knowledge proof with auxiliary input for $L$ , $q$ is a polynomial of $κ$

$(P_{q}, V_{q})$ : An IP runs $(P, V)$ $q$ times

Claim : $(P_{q}, V_{q})$ are still zero-knowledge .
Proof of Composition Lemma

Only Proof for perfect zero-knowledge

Using Alternating Form of Zero-Knowledge

Construction
1. $M^{*}$ inputs $(x, z)$ , $s t_{0} = \emptyset$ .
2. For $i = 1, 2, \dots q$ :
  1. Construct $V_{i}^{*}$ : $V_{i}^{*} (x, s t_{i - 1}, z) = {\begin{cases} V^{*} (x, z) & i = 1 \\ V^{*} (s t_{i - 1}) & i \geq 2 \end{cases}$ , output state of $V^{*}$ as $s t_{i}$
    
    Note : for $i \geq 2$ , $x, z$ are contained in $s t_{i - 1}$ , so we do not need to input them.
  2. By zero-knowledge , $\exists M_{i}^{*} (x, s t_{i - 1} | z)$ that can simulate the output of $V_{i}^{*}$ .
  3. $M^{*}$ runs $M_{i}^{*} (x, s t_{i - 1} | z)$ to obtain $s t_{i}$ .
3. $M^{*}$ invokes $V^{*}$ with $s t_{q}$ to obtain final output.
Proof of $M^{*} (x, z) \equiv ⟨ P (y), V^{*} (z) ⟩ (x)$
1. $H y b_{0}$ : Real Execution $⟨ P (y), V^{*} (z) ⟩ (x)$
2. $H y b_{1}$ :
  1. Run $P (y)$ and $V^{*} (z)$ until the last phase .
  2. Record the state of $V^{*}$ as $s t_{q - 1}$ .
  3. Invoke $M_{q}^{*} (x, s t_{q - 1} | z)$ to obtain $s t_{q}$ .
  4. Invoke $V^{*}$ with $s t_{q}$ to obtain final output .
  Proof of $H y b_{0} \equiv H y b_{1}$ :
  
  Fix state $s t_{q - 1}$ . For $H y b_{0}$ , its distribution is the same as
  1. Run $V_{q}^{*} (x, s t_{q - 1}, z)$ to obtain $s t_{q}$
  2. Run $V^{*}$ with $s t_{q}$ to obtain final output
  By zk , given $x, s t_{q - 1}, z$ , $V_{q}^{*} (x, s t_{q - 1}, z) \equiv M_{q}^{*} (x, s t_{q - 1} | z)$ .
  
  Therefore , $H y b_{0} \equiv H y b_{1}$ .
3. $H y b_{i}$ : Change to $M^{*}$ after the first $q - i$ phases
  
  $H y b_{i - 1}$ : using $V_{q - i + 1}^{*}$ , $H y b_{i}$ : using $M_{q - i + 1}^{*}$
  
  Therefore , $H y b_{i - 1} \equiv H y b_{i}$
4. $H y b_{q + 1}$ : The execution of $M^{*}$ .

Lec03 Commitment Scheme , zk-proof for general NP

3.0 Important

In the next lecture , we re-defined commitment in a more simple way .

3.1 Commitment

Intuition :

Binding : make some choice , then won't change it . (change will be rejected)

Hiding : like "safe" , until open it , not knowing the choice . (uniform distribution)

Def [ Commitment ] : Three P.P.T. algorithms
- $G e n (1^{κ}) \to p p$ ( public parameter )
- $C o m m i t_{p p} (m, r) \to (c, a u x)$
- $V e r i f y_{p p} (m, c, a u x) \to {A c c e p t, R e j e c t}$
Satisfying properties :
- Hiding : $\forall m, m^{'}$ , the following distributions are identical/statistically indistinguishable/computationally indistinguishable
$D i s t {p p \leftarrow G e n (1^{κ}), (c, a u x) \leftarrow C o m m i t_{p p} (m, r) : (p p, c)}$

$D i s t {p p \leftarrow G e n (1^{κ}), (c, a u x) \leftarrow C o m m i t_{p p} (m^{'}, r) : (p p, c)}$
- Binding : $\forall m \neq m^{'}$ , $\forall p p \leftarrow G e n (1^{κ})$ ,
  
  Perfect Binding : ${c | (c, a u x) \leftarrow C o m m i t_{p p} (m, r)} \cap {c | (c, a u x) \leftarrow C o m m i t_{p p} (m^{'}, r)} = \emptyset$ Computationally Binding : $\forall P^{*}$ in P.P.T.

$Pr {p p \leftarrow G e n (1^{κ}), (c, m, a u x, m^{'}, a u x^{'}) \leftarrow P^{*} (p p) : V e r i f y_{p p} (c, m, a u x) = V e r i f y (c, m^{'}, a u x^{'}) = A c c e p t} < ϵ$

Open Commitment ( implement $V e r i f y_{p p}$ )

One general way : let $a u x = r$

Verify checks whether $(c, a u x) = C o m m i t_{p p} (m, r = a u x)$

There exists faster Verify for some specific problems.
Note : hiding and binding are incompatible

hiding : $c$ can from different $m$

binding : $c$ cannot from different $m$

3.2 Perfect Binding & Computationally Hiding Commitment

DDH assumption

$G = ⟨ g ⟩$ , $| g | = p$ , $p \sim κ$ , The following distributions are computationally indistinguishable $D i s t {a, b \leftarrow Z_{p} : (g, g^{a}, g^{b}, g^{a b})}$

$D i s t {a, b, c \leftarrow Z_{p} : (g, g^{a}, g^{b}, g^{c})}$
Construction

Suppose that $m \in G$ $G e n (1^{κ}) \to (G, p, g)$

$C o m m i t_{p p} (m, (a, b)) \to c = (g^{a}, g^{b}, m g^{a b}), a u x = (a, b)$

$V e r i f y_{p p} (c, m, a u x) : check c_{1} = g^{a} \land c_{2} = g^{b} \land c_{3} = g^{a b}$
Perfect Binding

For $c = (c_{1}, c_{2}, c_{3})$ , $\exists$ unique $a, b$ , s.t. $c_{1} = g^{a}, c_{2} = g^{b}$ .

Therefore , $m = \frac{c_{3}}{g^{a b}}$ , which is uniquely determined
Computationally Hiding [Prove by Hybrid Proof]

We want to prove that ${a, b \leftarrow Z_{p} : (g^{a}, g^{b}, m g^{a b})} \sim {a, b \leftarrow Z_{p} : (g^{a}, g^{b}, m^{'} g^{a b})}$
1. $H y b_{0}$ : $a, b \leftarrow Z_{p} : (g^{a}, g^{b}, m g^{a b})$
2. $H y b_{1}$ : $a, b, c \leftarrow Z_{p} : (g^{a}, g^{b}, m g^{c})$
3. $H y b_{2}$ : $a, b, c \leftarrow Z_{p} : (g^{a}, g^{b}, m^{'} g^{c})$ \
4. $H y b_{3}$ : $a, b, c \leftarrow Z_{p} : (g^{a}, g^{b}, m^{'} g^{a b})$
$H y b_{0} \sim H y b_{1} \equiv H y b_{2} \sim H y b_{3}$

3.3 Computationally Binding & Perfect Hiding Commitment

Discrete Log Assumption

$G = ⟨ g ⟩$ , $| g | = p$ . $\forall A$ in P.P.T. , $Pr {a \leftarrow Z_{p} : A (G, p, g, g^{a}) = a} < ϵ$
Construction

Suppose that $m \in Z_{p}$ $G e n (1^{κ}) \to (G, p, g, h = g^{a})$ $a \leftarrow Z_{p}$ , and we need to "forget" $a$ . $C o m m i t_{p p} (m, r) : r \leftarrow Z_{p}, c = g^{r} h^{m}, a u x = r$

$V e r i f y_{p p} (c, m, a u x) : check c = g^{a u x} h^{m}$
Perfect Hiding

$c = g^{r} h^{m}$ , which is the same distribution as $g^{r}$ , since $r$ is random .
Computationally Binding

Suppose that we have P.P.T. $A$ that $A (G, p, g, h) \to (c, m, a u x, m^{'}, a u x^{'})$ , s.t. $c = g^{a u x} h^{m} = g^{a u x^{'}} h^{m^{'}}$ Therefore : $a u x + a m = a u x^{'} + a m^{'}$ Therefore : $a = \frac{a u x - a u x^{'}}{m^{'} - m}$ which contradicts with Discrete Log assumption
How to generate $h = g^{a}$
- Generate by Sender ? NO
  
  knows $a$ , then $c = g^{r + a m}$ . Sender can choose proper $r$ to reconstruct $m$ .
- Generate by Receiver ? YES
  
  knows $a$ not affect hiding
perfect binding + computationally hiding : Sender runs Gen

computationally binding + perfect hiding : Receiver runs Gen

3.4 General NP Problem

NP , NPC
1. Def [ NP ] : $L \in N P$ if $\exists$ poly-time algorithm $D$ ,
  
  $x \in L \Leftrightarrow \exists w, D (x, w) = 1$
  
  $w$ is called the proof .
2. Def [ NP-Complete ] : $L^{'} \in N P - C o m p l e t e$ if $\forall L \in N P$ , $\exists$ poly-time algorithm $Q$ , s.t.
  
  $Q (x, w) = (x^{'}, w^{'})$ , and $x \in L \equiv x^{'} \in L^{'}$ .
  
  i.e. all NP problems can be poly-reducible to NP-Complete Problem

Graph Hamiltonicity

Def [ Hamiltonian ] : A graph $G$ is Hamiltonian , if there exists a cycle visiting each node exactly once.

Construct zk-proof for Graph Hamiltonicity

Like GI :

Step 1 : send $\tilde{G}$ , where $G \sim \tilde{G}$

Step 2 : give a cycle of $\tilde{G}$ to prove its Hamiltonian

Traditional ways : we cannot realize both
Protocol with commitment

Commitment of a graph $G$ : $\forall i, j \in [n]$ , $(c_{i, j}, a u x_{i, j}) \leftarrow {\begin{cases} C o m m i t_{p p} (1, r) & (i, j) \in E \\ C o m m i t_{p p} (0, r) & (i, j) \notin E \end{cases}$

Prover		Verifier
$π \leftarrow S_{n}$ , $\tilde{G} := π (G)$
Commit $\tilde{G}$ :	--- $c_{i, j}$ -->
	<-- $b$ ---	$b \leftarrow {0, 1}$
If $b = 0$	--- $π, m_{i, j}, a u x_{i, j}$ -->	Checks $\tilde{G} = π (G)$
If $b = 1$	---cycle for $\tilde{G}$ , $m_{i, j}, a u x_{i, j}$ in cycle--->	Checks cycle and edges existence