# Lecture 3: Zero knowledge proof systems

### Zero-Knowledge, Definition

An interactove proof system for a language L is a pair of interactive Turing machines (P,V), such that at the end of the interaction V outputs either 0 (reject) of 1 (accept).

(P,V) has compleness error c and soundness error s if

1. For any x in L, the probability that P(x) makes V(x) accept is at least 1-c
2. For any x not in L, and for any (possibly cheating) prover P', the probability that V(x) accept when interacting with P' is at most s.

If the gap ((1-c) - s) between the two error probabilities is bounded away from 0 (i.e., gap > 1/poly(|x|)), then using standard repetition techniques it is possible to transform (P,V) into a proof system with both c and s negligible in the size of the input string |x| (or a security parameter).

Typically, the verifier V is assumed to be probabilistic polynomial time. In most applications, when L is in NP, also the prover is polynomial time, provided it is given as auxiliary input an NP-witness that x belongs to L.

Simple interactive proof system for NP: on input (x,y), the prover P sends y to V. On input x, and after receiving y from the prover, V accepts if and only if y is an NP-witness for x.

An interactive proof system (P,V) is honest verifier (perfect/statistical/computational) zero knowledge (HVZK) if there is a probabilistic polynomial time simulator S such that for any x in L,the output of S(x) is identically distributed/statistically close/computationally indistinguishable from V's view of the interaction between P and V on input x. By "view of the interaction", we mean the random coins of V and the set of messages received from P.

An interactive proof system is (general) zero-knowledge if for any (possibly cheating) verifier V', there is a simulator S such that for any x in L,the output of S(x) is identically distributed/statistically close/computationally indistinguishable from V's view of the interaction between P and V on input x. An important special case is that of black-box zero-knowledge, where the simulator S is an oracle machine which is given access to the cheating verifier.

### ZK proof for Hamiltonian path

We describe an (black-box, computational zero-knowledge) interactive proof system for hamiltonian path:

• The input x is a graph G = (N,E).
• The prover also knows a Hamiltonian path HP. The prover selects a random permutation Perm(N), and for every (i,j), sends a commitment to b(i,j), where b(i,j)=1 if (Perm(i),Perm(j)) is in E, and b(i,j) = 0 otherwise.
• Then the verifier selects a binary challenge c = 0/1 and sends it to the prover.
• If c = 0, then the prover opens all the commitments, and reveals Perm to show that the commitment graph is isomorphic to G.
• If c = 1, then the prover opens the commitments (i,j) such that (Perm(i),Perm(j)) is in HP.
• In both cases the verifier checks that the last message from the prover is consistent. (In the first case, it checks that the committed graph is isomorphic to G, and in the second case it checks that the committed graph contains a Hamiltonian path as disclosed by the prover.)

We proved that the commitment scheme is perfectly binding, then (P,V) is a computational zero knowledge proof system with perfect completeness (c = 0), and soundness error s = 1/2. Notice that the proof system is only computational zero knowledge. In fact, perfect ZK proofs for NP-hard problems are unlikely to exists.

Zero-knowledge proof systems with arbitrarily small soundness error can be easily obtained by sequential repetition. In order to preserve zero-knowledge under sequential composition, the definition needs to be augmented with an "auxiliary input". This is not necessary for the special case of black-box simulations.

### ZK proofs for NP

A zero-knowledge proof system can be derived from the one above for every language in NP, by the NP-completeness of Hamiltonian Path.

1. Let L be an NP language, and let f be a Karp reduction from L to H.
2. On input x, both P and V apply f to x, to obtain an instance of H.
3. Finally, the prover proves in zero knowledge that f(x) belongs to H.

### References

An excellent reference for the material presented in this lecture is

Oded Goldreich, Foundations of Cryptography, vol. 1 (Basic tools), Cambridge Univ. Press., 2001
(Fragments of a preliminary version of the book are available here.)

Specific sections of the book related to the material presented today in class are Section 4.1 (Introduction), Section 4.2 (Interactive proof systems), Section 4.3 (Definition of ZK), Section 4.4 (ZK proof for NP).