-
Notifications
You must be signed in to change notification settings - Fork 13
/
lec18-F24.tex
233 lines (163 loc) · 30.7 KB
/
lec18-F24.tex
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
\chapter{Proving Computation Integrity}
\section{Zero-Knowledge Proofs}
Traditional Euclidean style proofs allow us to prove veracity of statements to others. However, such proof systems have two shortcomings: (1) the running time of the verifier needs to grow with the length of the proof, and (2) the proof itself needs to be disclosed to the verifier. In this chapter, we will provide methods enabling provers to prove veracity of statements of their choice to verifiers while avoiding the aforementioned limitations. In realizing such methods we will allow the prover and verifier to be probabilistic and also allow them to interact with each other.\footnote{Formally, they can be modeled as interactive PPT Turing Machines.}
\section{Interactive Proofs}
\begin{definition} {\normalfont\textbf{(Interactive Proof System)}} For a language L we have an \textit{interactive proof system} if $\exists$ a pair of algorithms (or better, interacting machines) $(\mathcal{P},\mathcal{V})$, where $\mathcal{V}$ runs in polynomial time in its input length, and both can flip coins, such that:
\begin{itemize}
\item Completeness: $\forall x\in L$
$$\Pr_{\mathcal{P},\mathcal{V}} \left[Output_{\mathcal{V}}(\mathcal{P}(x) \leftrightarrow \mathcal{V}(x))=1\right]=1,$$
\item Soundness: $\forall x\notin L$, $\forall \mathcal{P}^*$ (unbounded)
$$\Pr_{\mathcal{V}} \left[Output_{\mathcal{V}}(\mathcal{P}^*(x) \leftrightarrow \mathcal{V}(x))=1\right]<\mathsf{negl}(|x|),$$
\end{itemize} where $Output_{\mathcal{V}}(\mathcal{P}(x) \leftrightarrow \mathcal{V}(x))$ denotes the output of $\mathcal{V}$ in the interaction between $\mathcal{P}$ and $\mathcal{V}$ where both parties get $x$ as input.
We stress that $\mathcal{P}$ and $\mathcal{P}^*$ can be computationally unbounded.
\end{definition}
We can also consider other variants of this definition, e.g. imperfect completeness.
To understand the above definition, let's consider two languages over a pair of graphs $G_0$ and $G_1$:
\begin{enumerate}
\item Graph Isomorphism (GI): We say that two graphs $G_0$ and $G_1$ are isomorphic, denoted $G_0 \cong G_1$, if $\exists$ an isomorphism $f: V(G_0) \rightarrow V(G_1)$ s.t. $(u,v)\in E(G_0)$ iff $(f(u),f(v))\in E(G_1)$, where $V(G)$ and $E(G)$ are the vertex and edge sets of some graph $G$. Let $GI=\lbrace(G_0,G_1)|\ G_0\cong G_1\rbrace$ be the language that consists of pairs of graphs that are isomorphic.
\item Graph Non-Isomorphism (GNI): On the other hand, $G_0$ and $G_1$ are said to be non-isomorphic, $G_0 \ncong G_1$, if $\nexists$ any such $f$, and let $GNI=\lbrace(G_0,G_1)|\ G_0\ncong G_1\rbrace$ be the language that consists of pairs of graphs that are not isomorphic.
\end{enumerate}
\paragraph{Trivial Case of Graph Isomorphism (GI).} A prover can easily prove to a verifier that two graphs are isomorphic by directly providing the isomorphism $f$ between them. The verifier can confirm the isomorphism in time polynomial in the size of the graphs (i.e., its input); hence we have perfect completeness. If the graphs are not isomorphic, no isomorphism exists, and the verifier always rejects; we have perfect soundness too. This proof was trivial, and we didn't even require (back-and-forth) interaction. We now look at a more interesting case of GNI. Moreover, looking ahead, we will see more interesting properties that we can ask of proof systems, like zero-knowledge, where this trivial proof system terribly fails, and we will revisit the GI problem to see how we can prove it with zero-knowledge.
\paragraph{Interactive Proof for Graph Non-Isomorphism (GNI).} Unlike the case of GI, for GNI, there is no succinct (e.g., linear in the size of graphs) information that the prover can provide, and consequently, no ``efficient'' (polynomial time in the graphs) verification that the verifier can do. This is where the {\em power of interaction} comes in. In other words, since GNI is not believed to have short proofs, an {\em interactive} proof could offer the prover a mechanism to prove to a polynomially bounded verifier that two graphs are non-isomorphic. We will now describe an interactive proof system for GNI.
The intuition is simple. Consider a verifier that randomly renames the vertices of one of the graphs and give it to the prover. Can the prover, given the relabeled graph, figure out which graph did the verifier start with? If $G_0$ and $G_1$ were not isomorphic, then an unbounded-time prover can figure this out. However, in case $G_0$ and $G_1$ {are} isomorphic, then the distributions resulting form random relabelings of $G_0$ and $G_1$ are actually identical. Therefore, even an unbounded prover has no way of distinguishing which graph the verifier started with. So the prover has only a $\frac12$ probability of guessing which graph the verifier started with. Note that by repeating this process we can reduce the success probability of a cheating prover to negligible\footnote{This strategy is called soundness amplification by ``sequential'' repetition. Later, we might cover proof systems where we additionally consider ``parallel'' repetition to achieve different security properties.}. More formally, given a claim $(G_0,G_1)\in GNI$, we define the following interactive proof system:
% If they consistently answer correctly, however, it would be hard to remain skeptical against $G_0 \ncong G_1$ as they beat the odds to almost impossible limits. And so this interaction can ``prove" very strongly to the verifier that $(G_0,G_1)\in$ GNI. Consider the protocol we can define from this:
\begin{center}
\includegraphics[scale=.51094]{Old Scribe Notes/GNI_IP_Protocol.png}
\end{center}
\begin{itemize}
\item Completeness: If $(G_0,G_1)\in$ GNI, then the unbounded $\mathcal{P}$ can distinguish isomorphism of $G_0$ against those of $G_1$ and can always return the correct $b'$. Thus, $\mathcal{V}$ will always output 1 for this case.
\item Soundness: If $(G_0,G_1)\notin$ GNI, then it is equiprobable that $H$ is a random isomorphism of $G_0$ as it is of $G_1$, and so $\mathcal{P}$'s guess for $b'$ can be correct only with a probability $\frac{1}{2}$\footnote{A curious reader might notice that the challenge bit $b$ sampled by $\mathcal{V}$ is information-theoretically hidden from $\mathcal{P}$ (hidden in $H$) when $\mathcal{P}$'s claim is false. This is similar to what we saw in Hash Proof Systems before.}. Repeating this protocol $k$ times, with fresh verifier randomness each time, means the probability of guessing the correct $b'$ for all $k$ interactions is $\frac{1}{2^k}$. And so the probability of $\mathcal{V}$ outputting $0$ (e.g. rejecting $\mathcal{P}$'s proof at the first sign of falter) is $1-\frac{1}{2^k}$.
\end{itemize}
%The interaction between prover and verifier captures the notion of a proof system for GNI, a problem previously not known to have an efficient method of proof. By interacting, we can prove what seemed impossible to efficiently prove before!
To conclude, the interactive proof system we described above enabled something that wasn't possible without interaction.
\section{Zero Knowledge Proofs}
We saw a crucial difference between GI and GNI: in GI, the prover already holds a succinct proof to back its claim, we call this a ``witness'', while in GNI, no such succinct proof exists (i.e., there is nothing that the prover can directly send to the verifier to back its claim). From this point onwards, we exclusively focus on the languages of the first kind, i.e., where a witness for the claim exists; these languages cover a vast majority of the use-cases of verifiable computation, and are formalized as follows:
\begin{definition} {\normalfont\textbf{(NP-Verifier)}} A language L has an NP-verifier if $\exists$ a verifier $\mathcal{V}$ that is polynomial time in $|x|$ such that:
\begin{itemize}
\item Completeness: $\forall x\in L,\ \exists\ a\ proof\ \pi\ s.t.\ \mathcal{V}(x,\pi)=1$
\item Soundness: $\forall x \notin L$, and $\forall$ purported proof $\pi$, we have $\mathcal{V}(x,\pi)=0$
\end{itemize}
\end{definition}
That is, the conventional idea of a proof is formalized in terms of what a computer can efficiently verify.\smallskip %A language $L$ has an NP-verifier if for all claims of statements $\in L$, a proof can be written down that can be ``easily'' and ``rigorously'' verified if and only if a statement is in the language.
\noindent \textit{Keeping the witness private}. The goal of a proof system is for the verifier to learn if the prover's claim is valid or not. Let's focus on what a verifier actually learns at the end of its interaction with the prover. In the trivial GI proof system we saw above, the verifier learns the entire isomorphism --- in other words, the verifier learns {\em everything} that the prover knew.
This is too much leakage. Imagine the prover holding some secret or valuable information (e.g., its secret key) which is leaked to the verifier. This is not desirable. We want the verifier to learn only the validity of the claim, and nothing more. This is where the notion of zero-knowledge comes in.
For a proof system for a language with an NP-verifier, this translates to the verifier not learning the witness from the prover.
We now revisit the GI problem\footnote{GI is not NP-complete.} for which an NP-verifier exists, as we saw earlier. Later, we will consider NP-complete languages like graph 3-coloring --- giving us proof systems for all of NP. \smallskip
\noindent \textit{Hiding witness for Graph Isomorphism}. We will build the ideas for our proof system with zero-knowledge gradually by iterating through a series of straw-man approaches. On the way, we will formally define zero knowledge.
When $G_0$ and $G_1$ are isomorphic, the isomorphism between them would be a \textit{witness}, $w$, to that fact, that can be used in the proof. The prover doesn't want to reveal the isomorphism, $w:V(G_0)\rightarrow V(G_1)$, that they claim to have. The prover is comfortable however giving us a ``scrambled'' version, $\phi$, of $w$ as long as it doesn't leak any information about their precious $w$. For example, the prover is willing to divulge $\phi = \pi \circ w$ where $\pi$ is a privately chosen random permutation of $|V|=|V(G_0)|=|V(G_1)|$ vertices. Since $\pi$ renames vertices completely randomly, it scrambles what $w$ is doing entirely and $\phi$ is just a random permutation of $|V|$ elements. At this point, we might be a little annoyed at the prover since we could have just created a random permutation on our own. Let's look at why this is still a good starting point.
If we want to be convinced that $\phi$ really is of the form $\pi \circ w$, thus containing $w$ in its definition, and isn't just a completely random permuation, we can note that if it is of that form then $\phi(G_0)=\pi(w(G_0))=\pi(G_1)$ (since $w$ being an isomorphism implies that $w(G_0)=G_1$). Note that we started with a mapping on input $G_0$ and ended with a mapping on input $G_1$. With an isormphism, one could get from one graph to the other seamlessly; if the prover \textit{really} has the isomorphism it claims to have, then it should have no problem displaying this ability. So, what if we force the prover to give us $H=\pi (G_1)$ just after randomly choosing its $\pi$ and then let it show us its ability to go from $G_1$ to $G_0$ with ease: give us a $\phi$ so that $\phi(G_0)=\pi(G_1)=H$. The only way the prover can give a mapping that jumps from $G_0$ to $G_1$ is if they know an isomorphism; in fact, if the prover could find a $\phi$ efficiently but did \textit{not} know an isomorphism then they would have been able to see that $\pi^{-1}(\phi(G_0))=G_1$ and thus have $\pi^{-1}\circ\phi$ as an isomorphism from $G_0$ to $G_1$, which would contradict the assumed hardness of finding isomorphisms in the GI problem. So by forcing the prover to give us $H$, as we've defined, and to produce a $\phi$ so that $\phi(G_0)=H$, we've found a way to expose provers that don't really have an isomorphism and we can then be convinced that they really do know $w$ when they pass our test. Importantly, the prover didn't directly tell us $w$, so we are headed in the right direction.
But not everything is airtight about this interaction. Why, for instance, would the prover be willing to provide $H=\pi(G_1)$ when they're trying to divulge as little information as possible? The prover was comfortable giving us $\phi$ since we could have just simulated the process of getting a completely random permutation of vertices ourselves, but couldn't the additional information of $H$ reveal information about $w$? At this point, if we look closely, we realize that $H=\pi(G_1)=\pi'(G_0)$, for some $\pi'$, is just a random isomorphic copy of $G_0$ \textit{and} $G_1$ as long as $G_0 \cong G_1$; we could have just chosen a random $\pi'$, set $H=\pi'(G_0)$, and let $\phi=\pi'$ and would have created our very own random isomorphic copy, $H$, of $G_1$ that satisfies our test condition $H=\phi(G_0)$, just like what we got from our interaction with the prover. To our annoyance, the prover can easily fool this test. Indeed, the test has a hole in it: how can we force the prover to give us $H=\pi(G_1)$ like we asked? If the prover is lying and it knows our test condition is to verify that $H=\phi(G_0)$, the prover might just cheat and give us $H=\pi(G_0)$ so it doesn't have to use knowledge of $w$ to switch from $G_1$ to $G_0$. And, in fact, by doing this and sending $\phi=\pi$, the prover would fool us!
To keep the prover on their toes, though, we can randomly switch whether we want $H$ to equal $\phi(G_0)$ or $\phi(G_1)$. In our interaction, the prover must first provide $H=\pi(G_1)$ before we let them know which we want. By sending $H$, the prover locks itself into a commitment to either $G_0$ or $G_1$ if it is cheating, but if not, then it can easily move between the two graphs. A prover only has a $50\%$ chance of committing to the same case we want on a given round and so, if they don't have $w$ to deftly switch between $G_0$ and $G_1$ to always answer correctly, they again have to be an extremely lucky guesser if they're trying to lie.
Therefore, we've created an interactive scheme that can catch dishonest provers with probability 1-$\frac{1}{2^k}$ and where we always believe honest provers!
\begin{center}
\includegraphics[scale=.51094]{Old Scribe Notes/GI_ZK_Protocol.png}
\end{center}
\begin{itemize}
\item Completeness: If $(G_0,G_1)\in GI$ and $\mathcal{P}$ knows $w$, then whether $\mathcal{V}$ chooses $b=0$ or 1, $\mathcal{P}$ can always give the correct $\phi$ which, by definition, will always result in $H=\phi(G_b)$ and so $\mathcal{V}$ will always output 1.
\item Soundness: If $(G_0,G_1)\notin GI$, then $\mathcal{P}$ can only cheat, as discussed earlier, if the original $H$ it commits to ends up being $\pi(G_b)$ for the $b$ that is randomly chosen at the next step. Since $b$ isn't even chosen yet, this can only happen by chance with probability $\frac{1}{2}$. And so the probability $\mathcal{V}$ outputs $0$ is $1-\frac{1}{2^k}$ for $k$ rounds.
\end{itemize}
We have just shown that what we have so far is an interactive proof system. We now think of how the notion of zero-knowledge can be formalized here.
As a verifier, we've seen some things in interacting with the prover. Surely, clever folks like ourselves must be able to glean \textit{some} information about $w$ after seeing enough to thoroughly convince us that the prover knows $w$. We've first seen $H$, and we've also seen the random $b$ that we chose, along with $\phi$ at the end; this is our whole view of information during the interaction. But we're more bewildered than annoyed this time when we realize we could have always just chosen $b$ and $\phi$ randomly and set $H=\phi(G_b)$ on our own. Again, everything checks out when $G_0 \cong G_1$ and we could have produced everything that we saw during the interaction before it even began. That is, the distribution of the random variable triple ($H$, $b$, $\phi$) is identical whether it is what we saw from the prover during the interaction or it is yielded from the solitary process we just described. We've just constructed a complete interactive proof system that entirely convinces us of the prover's knowledge of $w$, yet we could have simulated the whole experience on our own! We couldn't have gained any knowledge about $w$ since we didn't see anything we couldn't have manufactured on our own, yet we are entirely convinced that $(G_0,G_1)\in$ GI and that $\mathcal{P}$ knows $w$! And so the prover has proven something to us yet has given us absolutely zero additional knowledge!
This may feel very surprising or as if you've been swindled by a fast talker, and it very much should feel this way; it was certainly an amazing research discovery! But this is true, and it can be made rigorous, as we do next.
We should first be sure what we want out of this new proof system. We of course want it to be complete and sound so that we accept proofs iff they're true. But we also want the verifier to gain zero knowledge from the interaction; that is, the verifier should have been able to simulate the whole experience on its own without the verifier.
Finally, we would also like all witnesses to a true statement to each be sufficient to prove the veracity of that statement and so we let $R$ be the relation s.t. $x \in L$ iff $\exists$ a witness $w$ s.t. $(x,w)\in R$. We can then gather all witness by defining $R(x)$ to be the set of all such witnesses. We will first look at a weaker notion of zero-knowledge, called \textit{Honest Verifier Zero Knowledge} (HVZK), where we only require that an {\em honest} verifier (follows the protocol steps) does not learn anything from the prover. We will then move on to the stronger notion of \textit{Zero Knowledge} (ZK), where we extend this to all verifiers, including malicious verifiers.
\begin{definition} {\normalfont\textbf{(Honest Verifier Zero Knowledge Proof [HVZK])}}
$(\mathcal{P},\mathcal{V})$ is a (perfect) HVZK proof system for a language $L$ w.r.t. witness relation $R$ if
$\exists$ a PPT machine $\mathcal{S}$ (called the simulator) s.t. $\forall x \in L$, $\forall w\in R(x)$, the following distributions are (identical) indistinguishable:
$$\{View_{\mathcal{V}}(\mathcal{P}(x,w) \leftrightarrow \mathcal{V}(x))\} \approx \{\mathcal{S}(x)\}$$
where $View_{\mathcal{V}}(\mathcal{P}(x,w) \leftrightarrow \mathcal{V}(x))$ is the random coins of $\mathcal{V}$ and all the messages $\mathcal{V}$ saw.
\end{definition}
\begin{remark}
In the above definition, $View_{\mathcal{V}}(\mathcal{P}(x,w) \leftrightarrow \mathcal{V}(x))$ contains both the random coins of $\mathcal{V}$ and all the messages that $\mathcal{V}$ saw, because they together constitute the view of $\mathcal{V}$, and they are correlated. If the random coins of $\mathcal{V}$ are not included in the definition of $View_{\mathcal{V}}(\mathcal{P}(x,w) \leftrightarrow \mathcal{V}(x))$, then even if $\mathcal{S}$ can generate all messages that $\mathcal{V}$ saw with the same distribution as in the real execution, the verifier may still be able to distinguish the two views using its random coins.
\end{remark}
\begin{remark}
In the above definition, the order of quantifiers is quite important. We cannot change it to: $\forall x \in L$, $\forall w\in R(x)$, $\exists$ a PPT machine $\mathcal{S}$. This is because the definition would be trivially satisfied by hardcoding the witness $w$ in the simulator $\mathcal{S}$.
\end{remark}
To prove HVZK property of the GI proof system we described earlier, we now construct a simulator $\mathcal{S}$, with input $G_0, G_1$, as follows:
\begin{enumerate}
\item Sample $b\in\{0,1\}$ uniformly at random.
\item Sample a random permutation $\sigma$ of the vertices.
\item Set $H \gets \sigma(G_b)$.
\item Output $(H, b, \sigma)$.
\end{enumerate}
It is straightforward to see that this simulator produces the same distribution as the real interaction between the prover and the verifier. This is because $H = \sigma(G_b) = \sigma'(G_{1-b})$, i.e., $H$ is a random permutation of both $G_0$ amd $G_1$.
To recap: There is an interesting progression of the requirements of a proof system: Completeness, Soundness, and the Zero Knowledge property. Completeness first cares that a prover-verifier pair exist and can capture all true things as a team that works together; they both honestly obey the protocol trying prove true statements. Soundness, however, assumes that the prover is a liar and cares about having a strong enough verifier that can stand up to any type of prover and not be misled. Finally, Zero Knowledge assumes that the verifier is hoping to glean information from the proof to learn the prover's secrets and this requirement makes sure the prover is clever enough that it gives no information away in its proof. Unlike the soundness' requirement for a verifier to combat \textit{all} malicious provers, HVZK is only concerned with the verifier in the original prover-verifier pair that follows the set protocol. Verifiers that stray from the protocol or cheat, however, are captured in the natural generalization to Zero Knowledge proofs.
\section{Zero-Knowledge for Graph Isomorphism}
In this section, we construct our final zero-knowledge interactive proof system for GI where we don't have to assume an honest verifier for zero knowledge to hold. The proof system construction is exactly the same as the one we saw earlier. What changes is the definition of zero knowledge, and therefore, the simulator.
\begin{definition} {\normalfont\textbf{(Zero Knowledge Proof [ZK])}}
$(\mathcal{P},\mathcal{V})$ is a (perfect) ZK proof system for a language $L$ w.r.t. witness relation $R$ if $\forall$ PPT machines $\mathcal{V}^*$,
$\exists$ a PPT machine $\mathcal{S}$ (called the simulator) s.t. $\forall x \in L$, $\forall w\in R(x)$, the following distributions are (identical) indistinguishable:
$$\{View_{\mathcal{V^*}}(\mathcal{P}(x,w) \leftrightarrow \mathcal{V^*}(x))\} \approx \{\mathcal{S}(x)\}$$
where $View_{\mathcal{V^*}}(\mathcal{P}(x,w) \leftrightarrow \mathcal{V^*}(x))$ is the random coins of $\mathcal{V^*}$ and all the messages $\mathcal{V^*}$ saw.
\end{definition}
\begin{remark}
Note that the order of quantifiers matters again. The definition would be stronger if we switch the order to: $\exists$ a PPT machine $\mathcal{S}$ (called the simulator) s.t. $\forall$ PPT machines $\mathcal{V}^*$. This is because the same simulator would need to work for all possible efficient verifiers. Interestingly, the simulator we construct below for GI satisfies this stronger definition too. In fact, most simulators we know work for all verifiers (i.e. black-box simulators). It wasn't until 2008 that Boaz Barak showed that we can also construct non-black-box simulators.
\end{remark}
Recall our protocol for graph isomorphism: the interaction is $P(x,w) \leftrightarrow V(x)$ where $x$ represents graphs $G_0 = (V, E_0)$ and $G_1 = (V, E_1)$ and $w$ represents a permutation on $V$ such that $w (G_0) = G_1$.
\begin{enumerate}
\item $\mathcal{P}$ samples a random permutation $\sigma: V \to V$ and sends the graph $H = \sigma(G_1)$ to $V$.
\item $\mathcal{V}$ samples a random bit $b$ and sends it to $\mathcal{P}$.
\item If $b = 1$, then $\mathcal{P}$ defines a permutation $\tau$ to be $\sigma$. If $b = 0$, then instead $\tau = \sigma \circ w$. $\mathcal{P}$ then sends $\tau$ to $V$.
\item $\mathcal{V}$ verifies that $\tau(G_b) = H$ and accepts if so.
\end{enumerate}
The reason the simulator for HVZK doesn't work anymore is because a malicious verifier $\mathcal{V^*}$ could pick its bit $b$ from a biased distribution (e.g. $b$ can be a function of $H$ seen by $\mathcal{V^*}$).
For zero knowledge, consider the following simulator\footnote{The simulator satisfies a stronger ZK property where the same simulator works for all $\mathcal{V^*}$. Refer to the remark above for more details.} $S$ with input $G_0$ and $G_1$ (with vertex set $V$) and verifier $V^*$:
\begin{enumerate}
\item For $i = 1\dots T$; $T=\mathsf{poly}(n)$:
\begin{enumerate}
\item Sample a bit $b$ uniformly at random.
\item Sample a permutation $\sigma: V \to V$ uniformly at random
\item Send $H = \sigma (G_b)$ to $\mathcal{V^*}$.
\item Receive $b'$ from $\mathcal{V^*}$.
\item If $b=b'$, then output $(H, b, \sigma)$ and terminate. Otherwise, continue the loop.
\end{enumerate}
\item Output $\bot$.
\end{enumerate}
We construct a sequence of hybrids to prove zero-knowledge. Let $H_0$ define the interaction between $\mathcal{P}$ and $\mathcal{V^*}$: $\mathcal{P}(x=(G_0, G_1), w)\leftrightarrow \mathcal{V^*}(x)$. Define $H_1$ as follows:
\begin{enumerate}
\item For $i = 1\dots T$:
\begin{enumerate}
\item Sample a bit $b^*$ uniformly at random.
\item Run $H_0$, i.e., $\mathcal{P}(x=(G_0, G_1), w)\leftrightarrow \mathcal{V^*}(x)$.
\item If $b^*=0$, output $View_{\mathcal{V^*}}(\mathcal{P}(x,w) \leftrightarrow \mathcal{V^*}(x))$.
\item If $b^*=1$, continue with the loop.
\end{enumerate}
\item Output $\bot$.
\end{enumerate}
The hybrid $H_1$ produces identical distribution as $H_0$ except if $b^*$ in all the $T$ iterations is $0$; note that $\mathcal{P}(x=(G_0, G_1), w)\leftrightarrow \mathcal{V^*}(x)$ doesn't depend on $b^*$. This happens with probability at most $1/2^T$. Next, we define $H_2$ where we change the logic of which transcript is thrown away. In each iteration, if $b^* = b$, where $b$ is part of the transcript $\mathcal{P}(x=(G_0, G_1), w)\leftrightarrow \mathcal{V^*}(x)$, we output the transcript; otherwise, we continue with the loop. Note again that $b^*$ is still not used in any of the transcript (interaction). Therefore, distribution produced by $H_2$ is identical to $H_1$ because the interaction hasn't changed at all. Finally, we construct our last hybrid $H_3$ where the simulator $S$ is run. The distribution generated by $H_3$ is identical to $H_2$ by same argument we used for the HVZK simulator. \bigskip
\noindent\textbf{Efficient Provers.} So far, we have considered unbounded provers, but unfortunately (fortunately?), there aren't real-life instances of all-powerful provers that we know of. And for cryptography we must make more reasonable assumptions about the provers. We will now assume provers are also bounded to be \emph{efficient}. Note that if the prover in our GI proof system already holds the isomorphism, then generating the proof only takes polynomial time, and it is easy to see that it satisfies the definition below. \smallskip
\begin{definition}[Efficient Prover Zero-Knowledge Proof]
We say $(P, V)$ is an efficient prover zero-knowledge proof system for a language $L$ and relation $R_L$ if \begin{enumerate}
\item The prover $P$ runs in polynomial time.
\item The protocol is \emph{complete}. That is, for every $x \in L$ there exists a witness $w \in R_L (x)$ such that $$\Pr [P(x,w) \leftrightarrow V(x) \ \emph{accepts}] = 1.$$
\item The protocol is \emph{sound} against unbounded provers. That is, for $\forall x \notin L$, we have $$\Pr [P^*(x,w) \leftrightarrow V(x) \ \emph{rejects}] \geq 1/2$$ for any prover $P^*$ of arbitrary computation power and any witness $w$.
\item There exists an expected polynomial time probabilistic machine $S$ (a simulator) such that for all PPT $V^*$, for all $x \in L, w \in R_L (x), z \in \{ 0, 1 \}^*$ we have $$\{ View_{V^*} (P(x,w) \leftrightarrow V^* (x,z)) \} \simeq_c \{ S^{V^*} (x,z) \} $$ \end{enumerate}
\end{definition}
The soundness probability can be amplified to be greater than any $1 - 1/2^k$, for arbitrary $k > 0$, by repeating the proof $k$ times. More precisely, we construct an efficient prover zero-knowledge proof system $(\tilde P, \tilde V)$ which repeats $(P,V)$ independently for $k$ times, and $\tilde V$ accepts if and only if $V$ accepts in all the executions.
It is easy to see that $\tilde P$ runs in polynomial time and that the protocol is complete.
Moreover, it has the following soundness guarantee:
for $\forall x \notin L$,
\begin{align*}
& \Pr \left[\tilde P^*(x,w) \leftrightarrow \tilde V(x) \ \text{rejects}\right]\\
= & 1- \Pr \left[\forall 1\leq i\leq k, P^*_i(x,w) \leftrightarrow V(x) \ \text{accepts}\right] \\
= & 1- \prod_{i=1}^k \Pr \left[P^*_i(x,w) \leftrightarrow V(x) \ \text{accepts}\right] \\
\geq& 1-\frac{1}{2^k}
\end{align*}
for any prover $\tilde P^*=(P^*_1, \cdots, P^*_k)$ of arbitrary computation power and any witness $w$.
Finally, it is zero-knowledge, namely, there exists an expected PPT $\tilde S$ such that for all PPT $\tilde V^*$, and for all $x \in L, w \in R_L (x), z \in \{ 0, 1 \}^*$,
$$\left\{ View_{\tilde V^*} (\tilde P(x,w) \leftrightarrow \tilde V^* (x,z)) \right\} \simeq_c \left\{ \tilde S^{\tilde V^*} (x,z) \right\}.$$
The construction of $\tilde S$ is repeating $S$ for $k$ times. We prove by hybrid argument that the above two distributions are indistinguishable. $H_i$ is defined to be the output of repeating $S$ for the first $i$ executions with $\tilde V^*$ and repeating $P$ for the rest $k-i$ executions. Then $H_0$ is the left distribution and $H_k$ is the right one. Any attacher that can distinguish the above two distributions leads to an attacker that can distinguish $H_{i-1}$ and $H_{i}$ for some $1\leq i \leq k$, which violates the zero-knowledge property of the original proof system $(P,V)$.
Similar to what we saw in previous definitions of zero-knowlege, the order of the quantifiers in item 4 matters.
If we quantify over $x$ and $w$ before quantifying over the simulator,
then we could hard-code $x$ and $w$ into our simulator. That is, for all $x \in L, w \in R_L (x)$, there exists an expected polynomial time probabilistic machine $S_{x,w}$ such that for all PPT $V^*$ and $z \in \{ 0, 1 \}^*$,
$$\{ View_{V^*} (P(x,w) \leftrightarrow V^* (x,z)) \} \simeq_c \{ S_{x,w}^{V^*} (x,z) \} $$
Since we would like our simulator to be universal, this is not acceptable.
If we quantify first over the verifier $V^*$ and then over simulators $S$, then this variant is considered as \emph{non-black-box zero-knowledge}. Our standard definition is considered as \emph{black-box zero-knowledge}. There also exist variants that use statistical indistinguishability rather than computational indistinguishability.
The $z$ in item 4 is considered as \emph{auxiliary input}. The auxiliary input is crucial for the above argument of soundness amplification.
We will discuss the importance of requiring expected polynomial time in the next section. \bigskip
% These are mostly discussed (including auxiliary inputs) in the next class, although the first definition is given below:
%
% {\definition {\normalfont\textbf{(Zero Knowledge Proof [ZK])}} For a language L we have a (perfect) \textit{ZK proof system} w.r.t. witness relation $R$ if $\exists$ an interactive proof system, $(\mathcal{P},\mathcal{V})$ s.t. $\exists$ a PPT machine $\mathcal{S}$ (called the simulator) s.t. $\forall x \in L$, $\forall w\in R(x)$, $\forall \mathcal{V}^*$, the following distributions are identical:
% $$View_{\mathcal{V}^*}(\mathcal{P}(x,w) \leftarrow \mathcal{V}^*(x))$$
% $$\mathcal{S}^{\mathcal{V}^*}(x)$$
% where $\mathcal{S}^{\mathcal{V}^*}(x)$ is the simulator with oracle access to $\mathcal{V}^*$.}