Scribed by Madhur Tulsiani
Summary
In this lecture we begin the construction and analysis of a zero-knowledge protocol for the 3-coloring problem. Via reductions, this extends to a protocol for any problem in NP. We will only be able to establish a weak form of zero knowledge, called “computational zero knowledge” in which the output of the simulator and the interaction in the protocol are computationally indistinguishable (instead of identical). It is considered unlikely that NP-complete problem can have zero-knowledge protocols of the strong type we defined in the previous lectures.
As a first step, we will introduce the notion of a commitment scheme and provide a construction based on any one-way permutation.
1. Commitment Scheme
A commitment scheme is a two-phase protocol between a Sender and a Receiver. The Sender holds a message and, in the first phase, it picks a random key and then “encodes” the message using the key and sends the encoding (a commitment to ) to the Receiver. In the second phase, the Sender sends the key to the Receiver can open the commitment and find out the content of the message .
A commitment scheme should satisfy two security properties:
- Hiding. Receiving a commitment to a message should give no information to the Receiver about ;
- Binding. The Sender cannot “cheat” in the second phase and send a different key that causes the commitment to open to a different message .
It is impossible to satisfy both properties against computationally unbounded adversaries. It is possible, however, to have schemes in which the Hiding property holds against computationally unbounded Receivers and the Binding property holds (under appropriate assumptions on the primitive used in the construction) for bounded-complexity Senders; and it is possible to have schemes in which the Hiding property holds (under assumptions) for bounded-complexity Receivers while the Binding property holds against any Sender. We shall describe a protocol of the second type, based on one-way permutations. The following definition applies to one-round implementations of each phase, although a more general definition could be given in which each phase is allowed to involve multiple interactions.
Definition 1 (Computationally Hiding, Perfectly Binding, Commitment Scheme) A Perfectly Binding and -Hiding Commitment Scheme for messages of length is a pair of algorithms such that
- Correctness. For every message and key ,
- -Hiding. For every two messages , the distributions and are -indistinguishable, where is a random key, that is, for every algorithm of complexity ,
- Perfectly Binding. For every message and every two keys ,
In the following we shall refer to such a scheme as simply a -secure commitment scheme.
Given a one-way permutation and a hard-core predicate , we consider the following construction of a one-bit commitment scheme:
- equals if , and otherwise.
Theorem 2 If is a -secure hard core predicate for , then the above construction is a -secure commitment scheme.
Proof: The binding property of the commitment scheme is easy to argue as the commitment is a permutation of the key and the message. In particular, given , we can find the unique and that generate it as
To prove the hiding property in the contrapositive, we want to take an algorithm which distinguishes the commitments of two messages and convert it to an algorithm which computes the predicate with probability better than . Let be such an algorithm which distinguishes two different messages (one of which must be 0 and the other must be 1). Then, we have that for
Assume without loss of generality that the quantity in the absolute value is positive i.e.
Hence, outputs 1 significantly more often when given the correct value of . As seen in previous lectures, we can convert this into an algorithm that predicts the value of . Algorithm takes as input and generates a random bit as a guess for . It then runs . Since is correct more often on the correct value of , outputs if and outputs otherwise. We can analyze its success probability as below
Thus, predicts with probability and has complexity only more than (for generating the random bit) which contradicts the fact that is -secure.
There is a generic way to turn a one-bit commitment scheme into a commitment scheme for messages of length (just concatenate the commitments of each bit of the message, using independent keys).
Theorem 3 Let be a -secure commitment scheme for messages of length such that is computable in time . Then the following scheme is a -secure commitment scheme for message of length :
- equals if at least one of outputs ; otherwise it equals .
Proof: The commitment to is easily seen to be binding since the commitments to each bit of are binding. The soundness can be proven by a hybrid argument.
Suppose there is an algorithm distinguishing and with probability more than . We then consider “hybrid messages” , where . By a hybrid argument, there is some such that
But since and differ in only one bit, we can get an algorithm that breaks the hiding property of the one bit commitment scheme . , given a commitment , outputs
Hence, has complexity at most and distinguishes from .
There is also a construction based on one-way permutations that is better in terms of key length.
2. A Protocol for 3-Coloring
We assume we have a -secure commitment scheme for messages in the set .
The prover takes in input a 3-coloring graph (we assume that the set of vertices is the set and use the notation ) and a proper 3-coloring of (that is, is such that for every edge we have ). The verifier takes in input . The protocol, in which the prover attempts to convince the verifier that the graph is 3-colorable, proceeds as follows:
- The prover picks a random permutation of the set of colors, and defines the 3-coloring . The prover picks keys for , constructs the commitments and sends to the verifier;
- The verifier picks an edge uniformly at random, and sends to the prover;
- The prover sends back the keys ;
- If and are the same color, or if at least one of them is equal to , then the verifier rejects, otherwise it accepts
Theorem 4 The protocol is complete and it has soundness error at most .
Proof: The protocol is easily seen to be complete, since if the prover sends a valid 3-coloring, the colors on endpoints of every edge will be different.
To prove the soundness, we first note that if any commitment sent by the prover opens to an invalid color, then the protocol will fail with probability at least when querying an edge adjacent to the corresponding vertex (assuming the graph has no isolated vertices – which can be rivially removed). If all commitments open to valid colos, then the commitments define a 3-coloring of the graph. If the graph is not 3-colorable, then there must be at least one edge both of whose end points receive the same color. Then the probability of the verifier rejecting is at least the probability of choosing , which is .
Repeating the protocol times sequentially reduces the soundness error to ; after about repetitions the error is at most about .
3. Simulability
We now describe, for every verifier algorithm , a simulator of the interaction between and the prover algorithm.
The basic simulator is as follows:
Algorithm
- Input: graph
- Pick random coloring .
- Pick random keys
- Define the commitments
- Let be the 2nd-round output of given as input and as first-round message
- If , then output FAIL
- Else output
And the procedure simply repeats until it provides an output different from .
It is easy to see that the output distribution of is always different from the actual distribution of interactions between and : in the former, the first round is almost always a commitment to an invalid 3-coloring, in the latter, the first round is always a valid 3-coloring.
We shall prove, however, that the output of and the actual interaction of and have computationally indistinguishable distributions provided that the running time of is bounded and that the security of is strong enough.
For now, we prove that has efficiency comparable to provided that security of is strong enough.
Theorem 5 Suppose that is -secure and is computable in time and that is a verifier algorithm of complexity .
Then the algorithm as defined above has probability at most of outputting .
The proof of Theorem 5 relies on the following result.
Lemma 6 Fix a graph and a verifier algorithm of complexity .
Define to be the probability that asks the edge at the second round in an interaction in which the input graph is and the first round is a commitment to the coloring .
Suppose that is -secure, and is computable in time .
Then for every two colorings and every edge we have
Proof: If and differ by more than for any edge , then we can define an algorithm which distinguishes the commitments corresponding to from the commitments corresponding to . simply runs the verifier given commitments for colors and outputs 1 if the verifier selects the edge in the second round.
Then, by assumption, -distinguishes the commitments corresponding to from the commitments corresponding to in time . However, by Theorem 3, this means that is not -secure which is a contradiction.
Given the lemma, we can now easily prove the theorem.
Proof: (of Theorem 5) The probability that outputs is given by
Let denote the coloring which assigns the color 1 to every vertex. Then using Lemma 6 we bound the above as
where in the second step we used the fact that for a fraction of all the colorings and the last step used that the probability of selecting some edge given the coloring is 1.