diff --git a/pages/CSE442T/CSE442T_L23.md b/pages/CSE442T/CSE442T_L23.md index 9ef05c6..726da73 100644 --- a/pages/CSE442T/CSE442T_L23.md +++ b/pages/CSE442T/CSE442T_L23.md @@ -1 +1,123 @@ -# Lecture 23 \ No newline at end of file +# Lecture 23 + +## Zero-knowledge proofs + +Let the Prover Peggy and the Verifier Victor. + +Peggy wants to prove to Victor that she knows a secret $x$ without revealing anything about $x$. (e.g. $x$ such that $g^x=y\mod p$) + +### Zero-knowledge proofs protocol + +The protocol should satisfy the following properties: + +- **Completeness**: If Peggy knows $x$, she can always make Victor accept. +- **Soundness**: If a malicious Prover $P^*$ does not know $x$, then $V$ accepts with probability at most $\epsilon(n)$. +- **Zero-knowledge**: After the process, $V^*$ (possibly dishonest Verifier) knows no more about $x$ than he did before. + +[The interaction could have been faked without $P$] + +#### Example: Hair counting magician + +"Magician" who claims they can count the number of hairs on your head. + +secret info: the method of counting. + +Repeat the following process for $k$ times: + +1. "Magician" tells the number of hairs +2. You remove some hair $b\in \{0,1\}$ from your head. +3. "Magician" tells the number of hairs left. +4. Reject if the number of hairs is incorrect. Accept after $k$ times. (to our desired certainty) + +#### Definition + +Let $P$ and $V$ be two interactive Turing machines. + +Let $x$ be the shared input, $y$ be the secret knowledge, $z$ be the existing knowledge about $y$, with $r_1,r_2,\cdots,r_k$ being the random tapes. + +$V$ should output accept or reject after the interaction for $q$ times. + +```python +class P(TuringMachine): + """ + :param x: the shared input with V + :param y: auxiliary input (the secret knowledge) + :param z: auxiliary input (could be existing knowledge about y) + :param r_i: random message + """ + def run(self, x)->str: + """ + :return: the message to be sent to V $m_p$ + """ + +class V(TuringMachine): + """ + The verifier will output accept or reject after the interaction for $q$ times. + + :param x: the shared input with P + :param y: auxiliary input (the secret knowledge) + :param z: auxiliary input (could be existing knowledge about y) + :param r_i: random message + """ + def run(self, q: int)->bool: + """ + :param q: the number of rounds + :return: accept or reject + """ + for i in range(q): + m_v = V.run(i) + m_p = P.run(m_v) + if m_p!=m_v: + return False + return True +``` + +Let the transcript be the sequence of messages exchanged between $P$ and $V$. $\text{Transcript} = (m_1^p,m_1^v,m_2^p,m_2^v,\cdots,m_q^p,m_q^v)$. + +Define $(P,V)$ be the zero-knowledge proof protocol. For a **language** $L$, $(P,V)$ is a zero-knowledge proof for $L$ if: + +> Language $L$ is a set of pairs of isomorphic graphs (where two graphs are isomorphic if there exists a bijection between their vertices). + +- $(P,V)$ is complete for $L$: $\forall x\in L$, $\exists$ "witness" $y$ such that $\forall z\in \{0,1\}^n$, $Pr[out_v[P(x,y)\longleftrightarrow V(x,z)]=\text{accept}]=1$. +- $(P,V)$ is sound for $L$: $\forall x\notin L$, $\forall P^*$, $Pr[out_v[P^*(x)\longleftrightarrow V(x,z)]=\text{accept}]< \epsilon(n)$. +- $(P,V)$ is zero-knowledge for $L$: $\forall V^*$, $\exists$ p.p.t. simulator $S$ such that the following distributions are indistinguishable: + +$$ +\{\text{Transcript}[P(x,y)\leftrightarrow V^*(x,z)\mid x\in L,y\leftarrow \{0,1\}^n]\}\quad\text{and}\quad\{S(x,z)\mid x\notin L\}. +$$ + +*If these distributions are indistinguishable, then $V^*$ learns nothing from the interaction.* + +#### Example: Graph isomorphism + +Let $G_0$ and $G_1$ be two graphs. + +$V$ picks a random permutation $\pi\in S_n$ and sends $G_\pi$ to $P$. + +$P$ needs to determine if $G_\pi=G_0$ or $G_\pi=G_1$. + +If they are isomorphic, then $\exists$ permutation $\sigma:\{1,\cdots,n\}\rightarrow \{1,\cdots,n\}$ such that $G_0=\{(i,j)\mid (i,j)\in G_1\}$. + +Protocol: + +Shared input $\overline{x}=(G_0,G_1)$ witness $\overline{y}=\sigma$. Repeat the following process for $n$ times, where $n$ is the number of vertices. + +1. $P$ picks a random permutation $\pi\in \mathbb{P}_n$ and sends $G_\pi=\pi(G_0)$ to $V$. +2. $V$ picks a random $b\in \{0,1\}$ and sends $b$ to $P$. +3. If $b=1$, $P$ sends $\sigma=\pi^{-1}$ to $V$. +4. If $b=0$, $P$ sends $\sigma=\pi$ to $V$. +5. $V$ receives $\phi$ and checks if $b=0$ and $G_\sigma=\phi(G_0)$ or $b=1$ and $G_\sigma =\phi(G_1)$. Return accept if true. + +If they are not isomorphic, $P$ rejects with probability 1. + +If they are isomorphic, $P$ accepts with probability $\frac{1}{n!}$. + +Proof: + +- Completeness: If $G_0$ and $G_1$ are isomorphic, then $P$ can always find a permutation $\sigma$ such that $G_\sigma=G_0$ or $G_\sigma=G_1$. +- Soundness: + - If $P^*$ knows that $V$ was going to send $b=0$, then they will pick $\Pi$ and send $G=\Pi(G_0)$ to $V$. However, if we thought they would send $0$ but they sent $1$, then $G=\Pi(G_1)$ and they would reject. + - If $P^*$ knows that $V$ was going to send $b=1$, then they will pick $\Pi$ and send $G=\Pi(G_1)$ to $V$. However, if we thought they would send $1$ but they sent $0$, then $G=\Pi(G_0)$ and they would reject. + - The key is that $P^*$ can only response correctly with probability at most $\frac{1}{2}$ each time. + +Continue on the next lecture. (The key is that $P^*$ can only get a random permutation) diff --git a/pages/CSE442T/_meta.js b/pages/CSE442T/_meta.js index 0bd185d..890e9c4 100644 --- a/pages/CSE442T/_meta.js +++ b/pages/CSE442T/_meta.js @@ -26,9 +26,7 @@ export default { CSE442T_L20: "Lecture 20", CSE442T_L21: "Lecture 21", CSE442T_L22: "Lecture 22", - CSE442T_L23: { - display: 'hidden' - }, + CSE442T_L23: "Lecture 23", CSE442T_L24: { display: 'hidden' }