In this lecture we begin the construction and analysis of a zero-knowledge protocol for the 3-coloring problem. Via reductions, this extends to a protocol for any problem in NP. We will only be able to establish a weak form of zero knowledge, called “computational zero knowledge” in which the output of the simulator and the interaction in the protocol are computationally indistinguishable (instead of identical). It is considered unlikely that NP-complete problem can have zero-knowledge protocols of the strong type we defined in the previous lectures.
As a first step, we will introduce the notion of a commitment scheme and provide a construction based on any one-way permutation.
1. Commitment Scheme
A commitment scheme is a two-phase protocol between a Sender and a Receiver. The Sender holds a message and, in the first phase, it picks a random key and then “encodes” the message using the key and sends the encoding (a commitment to ) to the Receiver. In the second phase, the Sender sends the key to the Receiver can open the commitment and find out the content of the message .
A commitment scheme should satisfy two security properties:
- Hiding. Receiving a commitment to a message should give no information to the Receiver about ;
- Binding. The Sender cannot “cheat” in the second phase and send a different key that causes the commitment to open to a different message .
It is impossible to satisfy both properties against computationally unbounded adversaries. It is possible, however, to have schemes in which the Hiding property holds against computationally unbounded Receivers and the Binding property holds (under appropriate assumptions on the primitive used in the construction) for bounded-complexity Senders; and it is possible to have schemes in which the Hiding property holds (under assumptions) for bounded-complexity Receivers while the Binding property holds against any Sender. We shall describe a protocol of the second type, based on one-way permutations. The following definition applies to one-round implementations of each phase, although a more general definition could be given in which each phase is allowed to involve multiple interactions.
Definition 1 (Computationally Hiding, Perfectly Binding, Commitment Scheme) A Perfectly Binding and -Hiding Commitment Scheme for messages of length is a pair of algorithms such that
- Correctness. For every message and key ,
- -Hiding. For every two messages , the distributions and are -indistinguishable, where is a random key, that is, for every algorithm of complexity ,
- Perfectly Binding. For every message and every two keys ,
In the following we shall refer to such a scheme as simply a -secure commitment scheme.
Given a one-way permutation and a hard-core predicate , we consider the following construction of a one-bit commitment scheme:
- equals if , and otherwise.
Theorem 2 If is a -secure hard core predicate for , then the above construction is a -secure commitment scheme.
There is a generic way to turn a one-bit commitment scheme into a commitment scheme for messages of length (just concatenate the commitments of each bit of the message, using independent keys).
Theorem 3 Let be a -secure commitment scheme for messages of length such that is computable in time . Then the following scheme is a -secure commitment scheme for message of length :
- equals if at least one of outputs ; otherwise it equals .
There is also a construction based on one-way permutations that is better in terms of key length.
2. A Protocol for 3-Coloring
We assume we have a -secure commitment scheme for messages in the set .
The prover takes in input a 3-coloring graph (we assume that the set of vertices is the set and use the notation ) and a proper 3-coloring of (that is, is such that for every edge we have ). The verifier takes in input . The protocol, in which the prover attempts to convince the verifier that the graph is 3-colorable, proceeds as follows:
- The prover picks a random permutation of the set of colors, and defines the 3-coloring . The prover picks keys for , constructs the commitments and sends to the verifier;
- The verifier picks an edge uniformly at random, and sends to the prover;
- The prover sends back the keys ;
- If and are the same color, or if at least one of them is equal to , then the verifier rejects, otherwise it accepts
Theorem 4 The protocol is complete and it has soundness error at most .
Repeating the protocol times sequentially reduces the soundness error to ; after about repetitions the error is at most about .
We now describe, for every verifier algorithm , a simulator of the interaction between and the prover algorithm.
The basic simulator is as follows:
- Input: graph
- Pick random coloring .
- Pick random keys
- Define the commitments
- Let be the 2nd-round output of given as input and as first-round message
- If , then output FAIL
- Else output
And the procedure simply repeats until it provides an output different from .
It is easy to see that the output distribution of is always different from the actual distribution of interactions between and : in the former, the first round is almost always a commitment to an invalid 3-coloring, in the latter, the first round is always a valid 3-coloring.
We shall prove, however, that the output of and the actual interaction of and have computationally indistinguishable distributions provided that the running time of is bounded and that the security of is strong enough.
For now, we prove that has efficiency comparable to provided that security of is strong enough.
Then the algorithm as defined above has probability at most of outputting .
The proof of Theorem 5 relies on the following result.
Define to be the probability that asks the edge at the second round in an interaction in which the input graph is and the first round is a commitment to the coloring .
Suppose that is -secure, and is computable in time .
Then for every two colorings and every edge we have