Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For...
Transcript of Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For...
![Page 1: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/1.jpg)
Interesting Primitives and Applications Of Cryptography
O.S.L.Bhavana
Advisor: Dr. Bhavana KanukurthiCryptography, Security and Privacy lab
CSA, IISC
July 5, 2017
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 1 / 49
![Page 2: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/2.jpg)
Bit Commitment Schemes
Zero knowledge proofs
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 2 / 49
![Page 3: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/3.jpg)
Coin flipping
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 3 / 49
![Page 4: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/4.jpg)
Coin flipping over distance
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 4 / 49
![Page 5: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/5.jpg)
Coin flipping over distance
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 5 / 49
![Page 6: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/6.jpg)
Coin flipping over distance
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 6 / 49
![Page 7: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/7.jpg)
Coin flipping over distance
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 7 / 49
![Page 8: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/8.jpg)
Coin flipping over distance
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 8 / 49
![Page 9: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/9.jpg)
Coin flipping over distance
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 9 / 49
![Page 10: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/10.jpg)
Coin flipping over distance by commitment
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 10 / 49
![Page 11: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/11.jpg)
Coin flipping over distance by commitment
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 11 / 49
![Page 12: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/12.jpg)
Mathematically..
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 12 / 49
![Page 13: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/13.jpg)
Properties of Bit-Commitment schemes
Sender’s security: HidingThe receiver should not know whether the committed bit is 0 or 1, onseeing the commitment com.Receiver’s security: BindingAfter committing to 0, sender shouldn’t be able to generate dec ′ thatdecommits com to 1 and vice-versa.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 13 / 49
![Page 14: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/14.jpg)
Properties of Bit-Commitment schemes
Sender’s security: HidingThe receiver should not know whether the committed bit is 0 or 1, onseeing the commitment com.
Receiver’s security: BindingAfter committing to 0, sender shouldn’t be able to generate dec ′ thatdecommits com to 1 and vice-versa.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 13 / 49
![Page 15: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/15.jpg)
Properties of Bit-Commitment schemes
Sender’s security: HidingThe receiver should not know whether the committed bit is 0 or 1, onseeing the commitment com.Receiver’s security: BindingAfter committing to 0, sender shouldn’t be able to generate dec ′ thatdecommits com to 1 and vice-versa.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 13 / 49
![Page 16: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/16.jpg)
Building blocksAdversary
Information theoretic: Has unbounded computing power
Example: Can easily run exponential time algorithms.
Computational: Has limited computing power
Example: Can only run polynomial time algorithms.Probabilistic Poly time Adversary is a computational adversary that canflip coins.
Adversary is an algorithm!!!
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 14 / 49
![Page 17: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/17.jpg)
Building blocksAdversary
Information theoretic: Has unbounded computing power
Example: Can easily run exponential time algorithms.
Computational: Has limited computing power
Example: Can only run polynomial time algorithms.Probabilistic Poly time Adversary is a computational adversary that canflip coins.
Adversary is an algorithm!!!
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 14 / 49
![Page 18: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/18.jpg)
Building blocksAdversary
Information theoretic: Has unbounded computing power
Example: Can easily run exponential time algorithms.
Computational: Has limited computing power
Example: Can only run polynomial time algorithms.Probabilistic Poly time Adversary is a computational adversary that canflip coins.
Adversary is an algorithm!!!
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 14 / 49
![Page 19: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/19.jpg)
Building blocksAdversary
Information theoretic: Has unbounded computing power
Example: Can easily run exponential time algorithms.
Computational: Has limited computing power
Example: Can only run polynomial time algorithms.Probabilistic Poly time Adversary is a computational adversary that canflip coins.
Adversary is an algorithm!!!
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 14 / 49
![Page 20: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/20.jpg)
Building blocksOne way function
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 15 / 49
![Page 21: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/21.jpg)
Building blocksOne way function
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 15 / 49
![Page 22: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/22.jpg)
Building blocksOne way function
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 16 / 49
![Page 23: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/23.jpg)
Building blocksOne way function
A function f : {0, 1}n → {0, 1}∗ is one-way if
Given x, f(x) is efficiently computable.
Pr[Adversary wins in OWF game] is negligible.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 17 / 49
![Page 24: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/24.jpg)
Building blocksOne way function
A function f : {0, 1}n → {0, 1}∗ is one-way if
Given x, f(x) is efficiently computable.
Pr[Adversary wins in OWF game] is negligible.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 17 / 49
![Page 25: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/25.jpg)
Building blocksOne way function
Why randomly chosen x ?
Do OWF’s exist information theoretically?
No
Proving existence of a OWF is an open problem.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 18 / 49
![Page 26: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/26.jpg)
Building blocksOne way function
Why randomly chosen x ?
Do OWF’s exist information theoretically?
No
Proving existence of a OWF is an open problem.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 18 / 49
![Page 27: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/27.jpg)
Building blocksOne way function
Why randomly chosen x ?
Do OWF’s exist information theoretically?
No
Proving existence of a OWF is an open problem.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 18 / 49
![Page 28: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/28.jpg)
Building blocksOne way function
Why randomly chosen x ?
Do OWF’s exist information theoretically?No
Proving existence of a OWF is an open problem.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 18 / 49
![Page 29: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/29.jpg)
Building blocksOne way function
Why randomly chosen x ?
Do OWF’s exist information theoretically?No
Proving existence of a OWF is an open problem.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 18 / 49
![Page 30: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/30.jpg)
Building blocksHard core predicate
A boolean function hcp : {0, 1}n → {0, 1}, is hard core predicate of a functionf : {0, 1}n → {0, 1}∗, if
Given x, hcp(x) is efficiently computable.
Pr[Adversary wins in HCP game] is 12+ negligible.
Every OWF has a HCP.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 19 / 49
![Page 31: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/31.jpg)
Building blocksHard core predicate
A boolean function hcp : {0, 1}n → {0, 1}, is hard core predicate of a functionf : {0, 1}n → {0, 1}∗, if
Given x, hcp(x) is efficiently computable.
Pr[Adversary wins in HCP game] is 12+ negligible.
Every OWF has a HCP.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 19 / 49
![Page 32: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/32.jpg)
Building blocksHard core predicate
A boolean function hcp : {0, 1}n → {0, 1}, is hard core predicate of a functionf : {0, 1}n → {0, 1}∗, if
Given x, hcp(x) is efficiently computable.
Pr[Adversary wins in HCP game] is 12+ negligible.
Every OWF has a HCP.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 19 / 49
![Page 33: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/33.jpg)
Building blocksOne way permutation
f : {0, 1}n → {0, 1}n is a OWP if f is a
Permutation
One way function
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 20 / 49
![Page 34: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/34.jpg)
Constructing commitments from OWP
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 21 / 49
![Page 35: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/35.jpg)
Constructing commitments from OWP
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 22 / 49
![Page 36: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/36.jpg)
Constructing commitments from OWP
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 23 / 49
![Page 37: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/37.jpg)
Constructing commitments from OWP
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 24 / 49
![Page 38: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/38.jpg)
Constructing commitments from OWP
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 25 / 49
![Page 39: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/39.jpg)
Bit commitments : Summary
Motivation
Building blocks
An explicit construction
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 26 / 49
![Page 40: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/40.jpg)
Zero Knowledge Proofs
Motivation
Properties
ZKP for graph coloring
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 27 / 49
![Page 41: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/41.jpg)
Zero Knowledge Proofs
Motivation
Properties
ZKP for graph coloring
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 27 / 49
![Page 42: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/42.jpg)
ZKP: Motivation
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 28 / 49
![Page 43: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/43.jpg)
ZKP: Motivation
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 29 / 49
![Page 44: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/44.jpg)
ZKP: Motivation
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 30 / 49
![Page 45: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/45.jpg)
ZKP: Motivation
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 31 / 49
![Page 46: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/46.jpg)
Important application of ZKP
Cloud computation
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 32 / 49
![Page 47: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/47.jpg)
Properties of ZKP
Verifier’s security: SoundnessThe prover should not be able to prove verifier false statementsProver’s security: Zero knowledgeThe verifier should not learn any additional information other than thestatement being proved.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 33 / 49
![Page 48: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/48.jpg)
Properties of ZKP
Verifier’s security: SoundnessThe prover should not be able to prove verifier false statements
Prover’s security: Zero knowledgeThe verifier should not learn any additional information other than thestatement being proved.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 33 / 49
![Page 49: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/49.jpg)
Properties of ZKP
Verifier’s security: SoundnessThe prover should not be able to prove verifier false statementsProver’s security: Zero knowledgeThe verifier should not learn any additional information other than thestatement being proved.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 33 / 49
![Page 50: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/50.jpg)
Graph 3-Coloring
Given graph G = (V ,E ), can we assign each vertex a color (one of thethree colors) such that no two adjacent vertices have same color?
For a graph G that is 3-colorable, the witness is the color assignment.
Graph 3-Coloring is an NP-Complete problem.
Therefore, no known algorithm with polynomial running time candecide whether a graph G is 3-colorable or not?
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 34 / 49
![Page 51: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/51.jpg)
Graph 3-Coloring
Given graph G = (V ,E ), can we assign each vertex a color (one of thethree colors) such that no two adjacent vertices have same color?
For a graph G that is 3-colorable, the witness is the color assignment.
Graph 3-Coloring is an NP-Complete problem.
Therefore, no known algorithm with polynomial running time candecide whether a graph G is 3-colorable or not?
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 34 / 49
![Page 52: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/52.jpg)
Graph 3-Coloring
Given graph G = (V ,E ), can we assign each vertex a color (one of thethree colors) such that no two adjacent vertices have same color?
For a graph G that is 3-colorable, the witness is the color assignment.
Graph 3-Coloring is an NP-Complete problem.
Therefore, no known algorithm with polynomial running time candecide whether a graph G is 3-colorable or not?
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 34 / 49
![Page 53: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/53.jpg)
ZKP for Graph 3-Coloring
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 35 / 49
![Page 54: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/54.jpg)
ZKP for Graph 3-Coloring
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 36 / 49
![Page 55: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/55.jpg)
ZKP for Graph 3-Coloring
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 37 / 49
![Page 56: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/56.jpg)
ZKP for Graph 3-Coloring
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 38 / 49
![Page 57: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/57.jpg)
ZKP for Graph 3-Coloring
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 39 / 49
![Page 58: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/58.jpg)
ZKP for Graph 3-ColoringSoundness
If G isn’t 3-colorable, there exists an edge (u, v) such thatcolor(u) = color(v)
Verifier would reject the graph if he chose edge (u, v)
Pr[Verifier rejects the graph] ≥ 1n2
Pr[Verifier accepts a non 3-colorable graph] ≤ 1− 1n2
Repeat the experiment n3 times
Pr[Verifier accepts the non 3-colorable graph in all runs]
≤ (1− 1
n2)n
3 ≤ e−n
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 40 / 49
![Page 59: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/59.jpg)
ZKP for Graph 3-ColoringSoundness
If G isn’t 3-colorable, there exists an edge (u, v) such thatcolor(u) = color(v)
Verifier would reject the graph if he chose edge (u, v)
Pr[Verifier rejects the graph] ≥ 1n2
Pr[Verifier accepts a non 3-colorable graph] ≤ 1− 1n2
Repeat the experiment n3 times
Pr[Verifier accepts the non 3-colorable graph in all runs]
≤ (1− 1
n2)n
3 ≤ e−n
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 40 / 49
![Page 60: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/60.jpg)
ZKP for Graph 3-ColoringSoundness
If G isn’t 3-colorable, there exists an edge (u, v) such thatcolor(u) = color(v)
Verifier would reject the graph if he chose edge (u, v)
Pr[Verifier rejects the graph] ≥ 1n2
Pr[Verifier accepts a non 3-colorable graph] ≤ 1− 1n2
Repeat the experiment n3 times
Pr[Verifier accepts the non 3-colorable graph in all runs]
≤ (1− 1
n2)n
3 ≤ e−n
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 40 / 49
![Page 61: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/61.jpg)
ZKP for Graph 3-ColoringSoundness
If G isn’t 3-colorable, there exists an edge (u, v) such thatcolor(u) = color(v)
Verifier would reject the graph if he chose edge (u, v)
Pr[Verifier rejects the graph] ≥ 1n2
Pr[Verifier accepts a non 3-colorable graph] ≤ 1− 1n2
Repeat the experiment n3 times
Pr[Verifier accepts the non 3-colorable graph in all runs]
≤ (1− 1
n2)n
3 ≤ e−n
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 40 / 49
![Page 62: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/62.jpg)
ZKP for Graph 3-ColoringSoundness
If G isn’t 3-colorable, there exists an edge (u, v) such thatcolor(u) = color(v)
Verifier would reject the graph if he chose edge (u, v)
Pr[Verifier rejects the graph] ≥ 1n2
Pr[Verifier accepts a non 3-colorable graph] ≤ 1− 1n2
Repeat the experiment n3 times
Pr[Verifier accepts the non 3-colorable graph in all runs]
≤ (1− 1
n2)n
3 ≤ e−n
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 40 / 49
![Page 63: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/63.jpg)
ZKP for Graph 3-ColoringSoundness
If G isn’t 3-colorable, there exists an edge (u, v) such thatcolor(u) = color(v)
Verifier would reject the graph if he chose edge (u, v)
Pr[Verifier rejects the graph] ≥ 1n2
Pr[Verifier accepts a non 3-colorable graph] ≤ 1− 1n2
Repeat the experiment n3 times
Pr[Verifier accepts the non 3-colorable graph in all runs]
≤ (1− 1
n2)n
3 ≤ e−n
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 40 / 49
![Page 64: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/64.jpg)
ZKP for Graph 3-ColoringZero knowledge
In a single run, verifier would only know colors of two vertices.
Colors of other vertices are hidden by commitments
In the next run the colors are randomly permuted, so the informationof colors about previous run would not help
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 41 / 49
![Page 65: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/65.jpg)
ZKP for Graph 3-ColoringZero knowledge
In a single run, verifier would only know colors of two vertices.
Colors of other vertices are hidden by commitments
In the next run the colors are randomly permuted, so the informationof colors about previous run would not help
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 41 / 49
![Page 66: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/66.jpg)
ZKP for Graph 3-ColoringZero knowledge
In a single run, verifier would only know colors of two vertices.
Colors of other vertices are hidden by commitments
In the next run the colors are randomly permuted, so the informationof colors about previous run would not help
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 41 / 49
![Page 67: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/67.jpg)
Reference
Foundations of Cryptography, Volume 1, Oded Goldreich.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 42 / 49
![Page 68: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/68.jpg)
Thank you
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 43 / 49
![Page 69: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/69.jpg)
ZKP for Graph 3-coloring
G=(V,E) is 3-colorable
Prover Verifier
3-coloringC
(com1, .., comn)
Chooses an edge(u, v) ∈ Euniformly
reveal colors of u, v
coloru , colorv , decu , decv
If Decommit(coloru , comu , decu) = 1
and Decommit(colorv , comv , decv ) = 1
Accept that G is 3-colorable Else reject
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 44 / 49
![Page 70: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/70.jpg)
Building blocksComputational hardness
Why bother about Computational adversary?
Theorem
IT secure schemes are costly
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 45 / 49
![Page 71: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/71.jpg)
construction from OWP
Sender Receiver Hiding holds as hcp(y) is unpredictable. Binding holdsas f is a OWP. Decommit(com, dec){Parse com as (a, b)Parse dec as yIf a == f (y)Output b ⊕ hcp(y)Else Output ⊥}
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 46 / 49
![Page 72: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/72.jpg)
Coin flipping over distance
I can count the number of leaves.Let me test.Tosses a coin.Plucks a leaf if heads.Please count the leaves now.Prob[cheating wizard fails] = 1
2 Alice makes her callLocks her call in a boxsends this box to Bob without keyBob tosses a coinBob reveals the toss resultAlice reveals her call and sends the box keyBob opens the box and crosschecks Alice’s callWinner is declared according to the toss result
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 47 / 49
![Page 73: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/73.jpg)
Building blocksAlgorithms
Deterministic: For a given input, output of the algorithm is fixed
Example: f (x , y) = xy
Randomized: Algorithm that has access to uniform bits.
For a given input there may several possible outputs depending on theuniform bits
Example: frand(x , y) =
{xy if r = 01
2xy if r = 10
Randomized algorithm is deterministic given the uniform bits.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 48 / 49
![Page 74: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/74.jpg)
Building blocksAlgorithms
Deterministic: For a given input, output of the algorithm is fixed
Example: f (x , y) = xy
Randomized: Algorithm that has access to uniform bits.
For a given input there may several possible outputs depending on theuniform bits
Example: frand(x , y) =
{xy if r = 01
2xy if r = 10
Randomized algorithm is deterministic given the uniform bits.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 48 / 49
![Page 75: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/75.jpg)
Building blocksAlgorithms
Deterministic: For a given input, output of the algorithm is fixed
Example: f (x , y) = xy
Randomized: Algorithm that has access to uniform bits.
For a given input there may several possible outputs depending on theuniform bits
Example: frand(x , y) =
{xy if r = 01
2xy if r = 10
Randomized algorithm is deterministic given the uniform bits.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 48 / 49
![Page 76: Interesting Primitives and Applications Of Cryptographycrysp/files/csass_bhavana_slides.pdf · For a graph G that is 3-colorable, the witness is the color assignment. Graph 3-Coloring](https://reader030.fdocuments.us/reader030/viewer/2022041220/5e0916ea12bf2662c23071dd/html5/thumbnails/76.jpg)
Coin flipping over distance
Alice Bob
Makes her call x
(dec , com) = Commit(x)
com
coin toss results in b
b
x , dec
If Decommit(com, dec) = 1,
Announce winner
else STOPO.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 49 / 49