Michael O. Rabin Harvard University Hebrew University


Practical Zero Knowledge Proofs Applied To Proving Correctness Of Stable Matching Problems. Michael O. Rabin, Harvard University, Hebrew University. Algorithmic Game Theory, Hebrew University, May 23, 2011. Motivation, Applications; New Zero Knowledge Proofs; Next Steps. - PowerPoint PPT Presentation

Transcript of: Michael O. Rabin, Harvard University, Hebrew University

Page 1:

Practical Zero Knowledge Proofs Applied To Proving Correctness Of Stable Matching Problems

Michael O. Rabin, Harvard University, Hebrew University

Algorithmic Game Theory Workshop, Hebrew University, May 23, 2011

Page 2:

• Motivation, Applications

• New Zero Knowledge Proofs

• Next Steps

Page 3:

Stable Matchings – Hospitals/Residents

Page 4:

Hospitals/Residents - Continued

• Every Resident Ranks Hospitals: (figure)

Etc…

Page 5:

Stable Matching

• No Pair Hospital-Resident So That: the Resident Prefers that Hospital Over the Hospital Assigned to him, and the Hospital Prefers that Resident Over a Resident Assigned to it.

Page 6:

Stable Matching – The Data

• Resident $R_i$ ranks the hospitals $H_1, \dots, H_L$: $x^{(i)}_1, \dots, x^{(i)}_L$

• Hospital $H_j$ ranks the residents $R_1, \dots, R_M$: $y^{(j)}_1, \dots, y^{(j)}_M$

• Administrator Gets Data, Computes Stable Matching. Informs Hospitals/Residents.
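As an added example (not code from the talk), the administrator's computation and the stability condition of the previous slides, evaluated in the clear on a constructed toy instance: resident-proposing Gale-Shapley with hospital capacities, and a checker that lists every blocking pair, i.e. every hospital/resident pair where the resident prefers that hospital over the assigned one and the hospital has a free slot or prefers that resident over one it holds. The names, preference lists and capacities below are made up for illustration.

```python
# Added example, not from the talk: deferred acceptance for hospitals/residents and the
# slides' stability predicate. All preference data here is constructed for illustration.
from collections import deque

RESIDENT_PREFS = {            # each resident ranks hospitals, best first
    "R1": ["H1", "H2", "H3"],
    "R2": ["H1", "H3", "H2"],
    "R3": ["H2", "H1", "H3"],
    "R4": ["H1", "H2", "H3"],
}
HOSPITAL_PREFS = {            # each hospital ranks residents, best first
    "H1": ["R2", "R4", "R1", "R3"],
    "H2": ["R1", "R3", "R4", "R2"],
    "H3": ["R3", "R1", "R2", "R4"],
}
CAPACITY = {"H1": 2, "H2": 1, "H3": 1}


def rank_tables(prefs):
    """ranked item -> position, so 'prefers a over b' is a single comparison."""
    return {who: {item: pos for pos, item in enumerate(lst)} for who, lst in prefs.items()}


def stable_matching(res_prefs, hosp_prefs, capacity):
    """Gale-Shapley with residents proposing; returns {resident: hospital}.
    A resident who exhausts his list stays unmatched (absent from the dict)."""
    hrank = rank_tables(hosp_prefs)
    next_choice = {r: 0 for r in res_prefs}
    held = {h: [] for h in hosp_prefs}
    free = deque(res_prefs)
    while free:
        r = free.popleft()
        if next_choice[r] == len(res_prefs[r]):
            continue
        h = res_prefs[r][next_choice[r]]
        next_choice[r] += 1
        held[h].append(r)
        if len(held[h]) > capacity[h]:            # over capacity: reject the least preferred
            held[h].sort(key=lambda x: hrank[h][x])
            free.append(held[h].pop())
    return {r: h for h, rs in held.items() for r in rs}


def blocking_pairs(matching, res_prefs, hosp_prefs, capacity):
    """The slides' stability condition evaluated in the clear: every (hospital, resident)
    pair where the resident prefers that hospital over his assignment and the hospital
    has room or prefers the resident over somebody it holds. Empty iff stable."""
    rrank, hrank = rank_tables(res_prefs), rank_tables(hosp_prefs)
    held = {h: [r for r, hh in matching.items() if hh == h] for h in hosp_prefs}
    blocking = []
    for r, prefs in res_prefs.items():
        for h in prefs:
            if r in matching and rrank[r][h] >= rrank[r][matching[r]]:
                continue                          # r does not prefer h over his own hospital
            if len(held[h]) < capacity[h] or any(hrank[h][r] < hrank[h][m] for m in held[h]):
                blocking.append((h, r))
    return blocking
```

The matching returned by `stable_matching` has no blocking pairs, while a matching that swaps two residents by hand exhibits one; the ZK machinery of the later slides exists precisely so that this check can be carried out without the verifier seeing the preference lists that `blocking_pairs` reads directly.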

Page 7:

Secrecy And Correctness

• Hospitals Do Not Want Residents To Know Their Rankings.

• Residents Want Their Hospital Rankings Kept Secret.

• Everybody Wants Assurance Of Correctness Of Announced Matchings.

• Challenge: Proving Statements Such As $x^{(i)}_t < x^{(i)}_s$, $y^{(j)}_m < y^{(j)}_n$ While Keeping Values Secret.

Page 8:

Existing Technologies

Varieties of Zero-Knowledge Proofs and Arguments:

• Proving x ∈ L – an NP language

• Proving circuit satisfiability (at the bit level)

• Using homomorphic encryption to prove statements about encrypted values

• The method of garbled (“obfuscated”) circuits (A. Yao)

• Multiparty computations, hiding inputs, intermediate results

Page 9:

Our Approach

We work directly with numbers $x, y, z \in \mathbb{F}_p$, $p$ prime, say $p \approx 2^{64}$. No need to go down to the bit/gate level or to work with heavy homomorphic encryptions.

A wide range of computations and ZK Proofs of their correctness is encompassed within the formulation of Generalized Straight-Line Computations in Fp and verification of correctness of results of such computations.

Page 10:

Generalized Straight-Line Computations

Let $x_1, \dots, x_n$ be inputs from $P_1, \dots, P_n$.

An Evaluator Prover (EP) conducts a generalized straight-line computation (GSLC)

$x_1, x_2, \dots, x_n, x_{n+1}, \dots, x_L = f_L(x_1, \dots, x_n),\ x_{L+1} = f_{L+1}(x_1, \dots, x_n)$, etc. (1)

producing the Outputs $x_L, x_{L+1}$, etc.

For all $m > n$, $\exists\, i, j < m$ such that $x_m = x_i + x_j \pmod p$, or $x_m = x_i \times x_j \pmod p$, or $x_m = (x_i \le x_j)$ (a 0/1 value). More general computations are treatable.

Page 11:

Posting And Proving Correctness of Results

• The Evaluator Prover (EP) posts the results (outputs): $x_L = f_L(x_1, \dots, x_n),\ x_{L+1} = f_{L+1}(x_1, \dots, x_n)$, etc.

• The EP posts a ZK Proof of the correctness of the results

• The proof of correctness is checked by a Verifier VER interacting with the EP

Page 12:

Flow of Proof/Verification

• EP creates proof

• Presents Proof to Verifier VER

• VER challenges EP: $C_1, C_2, \dots$

• EP responds to VER: $R_1, R_2, \dots$

• VER checks correctness of responses

Page 13:

Our Magical Solution

Values $x \in \{0, 1, \dots, p-1\} = \mathbb{Z}_p$, prime $p \approx 2^{64}$, operations $+$, $\times$ mod $p$

Random representations:

$RR(x) = X = (u, v)$, $val(X) = (u + v) \bmod p = x$, where $u \in_R \{0, 1, \dots, p-1\}$ and $v = (x - u) \bmod p$

$COM(X) = (COM(u), COM(v))$

Evaluator Prover needs to ZKP statements such as $val(X) + val(Y) = val(Z)$, $val(X) \times val(Y) = val(Z)$, $val(X) \le val(Y)$

Page 14:

Commitment To Values

$G$ is a group, $|G| = p$. $g_1$ a generator, $g_2 = g_1^m$, $m = \log_{g_1}(g_2)$ (unknown to the committer). Assume: Discrete Log Problem for $G$ intractable.

Given $u \in \mathbb{F}_p$, $r \in_R [0, p-1]$, define: $COM(u, r) = g_1^r g_2^u$

COM is information theoretically hiding; computationally binding.

In practice, commitment is made using encryption $E(\cdot, \cdot)$ (say 128-bit key AES): $COM(u) = E(K, u)$. Decommit/Open: reveal key $K$. With an encryption-based commitment both hiding and binding hold only computationally, and every committed value needs a fresh key $K$ (revealing $K$ opens every value encrypted under it).

Page 15:

Proof/Verification of Addition

$X = (u_1, v_1)$, $Y = (u_2, v_2)$, $Z = (u_3, v_3)$. Claim: $val(X) + val(Y) = val(Z)$ (3)

Posted: $(COM(u_i), COM(v_i))$, $1 \le i \le 3$

(3) True iff $\exists\, r \in \mathbb{F}_p$ s.t. $X + Y = Z + (r, -r)$, i.e. $u_1 + u_2 = u_3 + r$ and $v_1 + v_2 = v_3 - r \pmod p$

EP reveals $r$. VER picks $c \in_R \{1, 2\}$ and sends it to EP. Say $c = 1$: EP reveals $u_1, u_2, u_3$ (or, if $c = 2$: $v_1, v_2, v_3$). VER checks $u_1 + u_2 = u_3 + r$ (or $v_1 + v_2 = v_3 - r$).

Prob( (3) false and check succeeds ) ≤ 1/2

Page 16:

Illustration of the Method

• Addition: $p = 17$, $x = 7$, $y = 7$, $x + y = z = 14$

• $X = (3, 4)$, $Y = (15, 9)$, $Z = (8, 6)$ (so $val(X) = 7$, $val(Y) = 24 \bmod 17 = 7$, $val(Z) = 14$)

• CLAIM: $val(X) + val(Y) = val(Z)$

• EP posts $(r, -r) = (10, -10)$

Page 17:

Illustration of the Method

• Addition: $p = 17$, $x = 7$, $y = 7$, $x + y = z = 14$; $X = (3, 4)$, $Y = (15, 9)$, $Z = (8, 6)$

• EP posts $(10, -10)$. Verifier: $c \in_R \{1, 2\}$

• $c = 1$: EP reveals the first coordinates $3, 15, 8$; VER checks $3 + 15 = 8 + 10 \pmod{17}$ (both sides $\equiv 1$)

Page 18:

Sequence of Additions

• Let COM(X), COM(Y), COM(W), COM(U), COM(Z), etc. be posted

• EP claims val(X) + val(Y) = val(W), val(W) + val(U) = val(Z), etc.

• Correctness of a sequence of additions can be simultaneously proved/verified as above.

• If the Challenge is c = 1, all first coordinates are revealed by EP. If the Challenge is c = 2, all second coordinates are revealed.

• Prob( check succeeds but even one addition false ) ≤ 1/2

Page 19:

Amplification of Confidence

• EP posts $k$ “Translations” of the proof of the same sequence of additions: $COM(X^{(i)}), COM(Y^{(i)}), COM(W^{(i)}), COM(U^{(i)}), COM(Z^{(i)})$, etc., for $1 \le i \le k$, where $val(X^{(1)}) = \dots = val(X^{(k)})$, $val(Y^{(1)}) = \dots = val(Y^{(k)})$, etc.

• VER creates $k$ independent Challenges $c_1, \dots, c_k \in_R \{1, 2\}$

• EP reveals, in Translation $i$, all coordinates indexed by $c_i$

• Prob( all checks succeed while even one addition false ) $\le 1/2^k$

Page 20:

Proof/Verification of Multiplication

$X = (u_1, v_1)$, $Y = (u_2, v_2)$, $Z = (u_3, v_3)$. Claim: $val(X) \times val(Y) = val(Z)$ (4)

Posted: $(COM(u_i), COM(v_i))$, $1 \le i \le 3$

EP creates $Z^{(0)} = (u_1 u_2,\ v_1 v_2)$, $Z^{(1)} = (u_1 v_2 + r_1,\ -r_1)$, $Z^{(2)} = (u_2 v_1 + r_2,\ -r_2)$ where $r_1, r_2 \in_R \mathbb{F}_p$

Clearly, (4) true iff $val(Z) = val(Z^{(0)}) + val(Z^{(1)}) + val(Z^{(2)})$, since $(u_1 + v_1)(u_2 + v_2) = u_1 u_2 + v_1 v_2 + u_1 v_2 + u_2 v_1$.

EP posts $COM(Z^{(0)}), COM(Z^{(1)}), COM(Z^{(2)})$. VER tests correctness of one of the constructions of $Z^{(0)}, Z^{(1)}, Z^{(2)}$.

Page 21:

Sequence of Additions & Multiplications

• A Translation TR of a GSLC will include a number of additions and a number of multiplications

• VER will randomly decide whether to check correctness of all additions or correctness of all multiplications

• If checking correctness of multiplications, VER will randomly choose which aspect (i.e. structure) of $Z^{(0)}$, $Z^{(1)}$, or $Z^{(2)}$ to check for correctness. Same aspect for all multiplications.

Page 22:

Amplification of Confidence

Main Theorem: if EP constructs and posts $k$ Translations $TR(1), \dots, TR(k)$ of a GSLC and if for every $TR(i)$ VER randomly and independently chooses to check correctness of additions with probability 1/2, correctness of all $Z^{(1)}$ with probability 1/4, and correctness of all $Z^{(2)}$ with probability 1/4, then

Prob(All checks correct and posted computation results incorrect) $< (3/4)^k$

Comment: correctness of structure of all $Z^{(0)}$ is checked together with correctness of additions (the revealed coordinate of $Z^{(0)}$ must equal the product of the revealed coordinates of $X$ and $Y$).
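The addition and multiplication proofs of pages 13 to 22, as an added example that is not the talk's code: random representations, the public offset r of the addition proof, the Z(0), Z(1), Z(2) decomposition of a product, the four challenges of the Main Theorem (coordinate 1 or 2 of all additions together with the structure of all Z(0), or the construction of all Z(1) or of all Z(2)), and k independent translations, over the slides' p = 17. Two assumptions are made here: the commitment is a SHA-256 hash over a fresh random key and the value, standing in for the Pedersen or AES commitment of page 14, and the chain of additions that expresses val(Z) = val(Z(0)) + val(Z(1)) + val(Z(2)) is collapsed into one three-term addition with a single public offset.

```python
# Added example, not the talk's code. COM below is SHA-256 over a fresh 16-byte key and
# the value, an assumption standing in for the slides' Pedersen or AES commitment.
import hashlib
import secrets

P = 17  # prime of the slides' illustration; the talk uses p ~ 2**64
CHALLENGES = ("add1", "add2", "Z1", "Z2")  # uniform: 1/2 additions, 1/4 Z(1), 1/4 Z(2)

def rr(x, p=P):
    """Random representation X = (u, v) with (u + v) mod p == x."""
    u = secrets.randbelow(p)
    return (u, (x - u) % p)

def val(pair, p=P):
    return (pair[0] + pair[1]) % p

def commit(x):
    """COM(x) -> ((key, x), digest): EP keeps the opening and posts the digest."""
    key = secrets.token_bytes(16)
    return (key, x), hashlib.sha256(key + x.to_bytes(16, "big")).hexdigest()

def translate(program, inputs, p=P):
    """One translation TR of a GSLC; program = [("add"|"mul", i, j), ...] over logical wires
    (inputs first, then gate outputs). adds: (sources, target, r) meaning
    sum(sources) = target + (r, -r); muls: (a, i, j, r1, r2) with Z(0..2) at a, a+1, a+2."""
    pairs, wire, adds, muls = [rr(x, p) for x in inputs], list(range(len(inputs))), [], []
    for op, i, j in program:
        i, j = wire[i], wire[j]
        X, Y, m = pairs[i], pairs[j], len(pairs)
        wire.append(m)
        if op == "add":
            Z = rr((val(X, p) + val(Y, p)) % p, p)
            pairs.append(Z)
            adds.append(([i, j], m, (X[0] + Y[0] - Z[0]) % p))  # r = 10 in the slides' example
        else:
            Z = rr(val(X, p) * val(Y, p) % p, p)
            r1, r2 = secrets.randbelow(p), secrets.randbelow(p)
            Z0 = (X[0] * Y[0] % p, X[1] * Y[1] % p)
            Z1 = ((X[0] * Y[1] + r1) % p, -r1 % p)
            Z2 = ((Y[0] * X[1] + r2) % p, -r2 % p)
            pairs += [Z, Z0, Z1, Z2]              # val(Z) = val(Z0) + val(Z1) + val(Z2)
            adds.append(([m + 1, m + 2, m + 3], m, (Z0[0] + Z1[0] + Z2[0] - Z[0]) % p))
            muls.append((m + 1, i, j, r1, r2))
    return pairs, adds, muls, wire

def prove(program, inputs, out_wires, k, p=P):
    """EP: k independent translations; returns public posts and EP's secret openings."""
    posts, openings = [], []
    for _ in range(k):
        pairs, adds, muls, wire = translate(program, inputs, p)
        coms = [[commit(u), commit(v)] for u, v in pairs]
        openings.append([[o for o, _ in pc] for pc in coms])
        posts.append(([[d for _, d in pc] for pc in coms], adds, muls,
                      [(wire[w], val(pairs[wire[w]], p)) for w in out_wires]))
    return posts, openings

def respond(openings, muls, outputs, ch):
    """EP opens exactly what check() needs for challenge ch (outputs are public anyway)."""
    want = {(w, c) for w, _ in outputs for c in (0, 1)}
    if ch in ("add1", "add2"):
        want |= {(idx, CHALLENGES.index(ch)) for idx in range(len(openings))}
    for a, i, j, _, _ in (muls if ch in ("Z1", "Z2") else []):
        want |= ({(i, 0), (j, 1), (a + 1, 0), (a + 1, 1)} if ch == "Z1"
                 else {(j, 0), (i, 1), (a + 2, 0), (a + 2, 1)})
    return {key: openings[key[0]][key[1]] for key in want}

def check(post, reveals, ch, p=P):
    """VER: opened commitments must verify and every relation selected by ch must hold."""
    digests, adds, muls, outputs = post
    def get(idx, c):
        opening = reveals.get((idx, c))
        if opening is None or digests[idx][c] != hashlib.sha256(
                opening[0] + opening[1].to_bytes(16, "big")).hexdigest():
            raise ValueError(f"bad or missing opening: pair {idx}, coordinate {c}")
        return opening[1]
    try:
        if any((get(w, 0) + get(w, 1)) % p != claimed for w, claimed in outputs):
            return False
        if ch in ("add1", "add2"):
            c = CHALLENGES.index(ch)
            for srcs, m, r in adds:          # coordinate u: sum = u_m + r; v: sum = v_m - r
                if sum(get(s, c) for s in srcs) % p != (get(m, c) + (r, -r)[c]) % p:
                    return False
            for a, i, j, _, _ in muls:       # structure of Z(0) = (u1 u2, v1 v2)
                if get(a, c) != get(i, c) * get(j, c) % p:
                    return False
        else:
            for a, i, j, r1, r2 in muls:
                k, r, u, v = ((1, r1, get(i, 0), get(j, 1)) if ch == "Z1"
                              else (2, r2, get(j, 0), get(i, 1)))
                if (get(a + k, 0), get(a + k, 1)) != ((u * v + r) % p, -r % p):
                    return False
        return True
    except ValueError:
        return False

def verify(posts, openings, p=P, challenges=None):
    """VER: one uniform challenge per translation; a cheater survives each w.p. <= 3/4."""
    challenges = challenges or [secrets.choice(CHALLENGES) for _ in posts]
    return all(check(post, respond(opn, post[2], post[3], ch), ch, p)
               for post, opn, ch in zip(posts, openings, challenges))
```

A prover who shifts one coordinate of the output pair to back a wrong result still passes the challenges add1, Z1 and Z2 and fails only add2, which is the 3/4 survival probability per translation that the Main Theorem drives down to (3/4)^k over k translations. One caveat of this simplified version: under Z1/Z2 a wire used as first operand of one product and as second operand of another would have both coordinates opened, so a program must avoid that pattern or re-randomize the wire first.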

Page 23:

Proving $0 \le x \le B$ for $B < p/2$

$B$ is an explicitly given integer. If we prove $0 \le x, y \le B$ and $0 \le (x - y) \bmod p \le B$, it follows that $y \le x$: if $y > x$ then $(x - y) \bmod p = p - (y - x) \ge p - B > p/2 > B$, so the difference could not pass the range proof.

Let $b^2$ be a bound on the possible input values (bid values, in the auction setting).

Following [BCDdG87], given $0 \le z \le b$, the EP can supply within the framework of GSLC translations a proof that $-b \le z \le 2b$ (i.e. as an integer $p - b \le z < p$ or $0 \le z \le 2b$).

How do we get rid of the first possibility?

Lagrange proved that every non-negative integer $x = z_1^2 + z_2^2 + z_3^2 + z_4^2$. R77 (Rabin's 1977 lectures) and [RS86] gave an efficient randomized polynomial-time algorithm for computing such a representation. For numbers $x \le 2^{32}$, Schorn’s Python implementation computed 60,000 representations in 1 second.

Page 24:

Proving $0 \le x \le B$ for $B < p/2$

[CS03] proposed using Lagrange in the context of proving range statements for encrypted numbers.

We apply Lagrange + [RS86] in our context of GSLCs.

Given $0 \le x \le b^2 < p/32$, the EP computes $z_1, \dots, z_4$ such that $x = z_1^2 + z_2^2 + z_3^2 + z_4^2$. Each $z_i$ is between $0$ and $b$.

The numbers $x, z_1, \dots, z_4$ are represented as usual in a translation TR by pairs $X, Z_1, \dots, Z_4$.

EP incorporates in the GSLC steps enabling verification that $-b \le val(Z_i) \le 2b$ and that $val(X) = val(Z_1)^2 + \dots + val(Z_4)^2$. Since each $val(Z_i)^2 \le 4b^2$ as an integer, this implies $0 \le x \le 16b^2 = B$. Now $32b^2 < p$, i.e. $16b^2 < p/2$, so the sum of squares cannot wrap around mod $p$.
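The range argument of pages 23 and 24 as an added example, not the talk's code: a four-square decomposition (a plain descending search standing in for the [RS86] algorithm, adequate for small x), the prover's precondition 0 ≤ x ≤ b² < p/32, the verifier's bookkeeping from -b ≤ z_i ≤ 2b to the sound bound 16b² < p/2, and the comparison lemma of page 23 that turns three range facts into y ≤ x. The Mersenne prime 2^61 - 1 used as p in the usage is an arbitrary choice for illustration.

```python
# Added example, not the talk's code: the integer bookkeeping behind the range argument.
# four_squares() is a plain search standing in for the [RS86] algorithm (fine for small x).
from math import isqrt

def four_squares(x):
    """Lagrange: some (z1, z2, z3, z4) with z1^2 + ... + z4^2 == x, each 0 <= z_i <= isqrt(x).
    Descending greedy search, not the randomized polynomial-time method of [RS86]."""
    if x < 0:
        raise ValueError("the four-square theorem is about non-negative integers")
    for a in range(isqrt(x), -1, -1):
        ra = x - a * a
        for b in range(isqrt(ra), -1, -1):
            rb = ra - b * b
            for c in range(isqrt(rb), -1, -1):
                rc = rb - c * c
                d = isqrt(rc)
                if d * d == rc:
                    return (a, b, c, d)
    raise AssertionError("unreachable: Lagrange's theorem guarantees a solution")

def lift(z, p):
    """Residue in [0, p) -> signed integer in (-p/2, p/2]; how VER reads 'p - b <= z < p'."""
    return z - p if z > p // 2 else z

def prove_range(x, b, p):
    """EP side (slide 24): x in [0, b^2] with 32 b^2 < p; returns the z_i as residues,
    each in [0, b], to be committed and fed into the GSLC as the pairs Z_1..Z_4."""
    if not (0 <= x <= b * b and 32 * b * b < p):
        raise ValueError("precondition 0 <= x <= b^2 < p/32 violated")
    return tuple(z % p for z in four_squares(x))

def verify_range(x_res, zs_res, b, p):
    """VER side: from the facts the GSLC proves, -b <= z_i <= 2b ([BCDdG87] slack) and
    x = sum z_i^2 (mod p), return the sound integer bound B = 16 b^2 on x, or None if a
    check fails or p is too small for 16 b^2 < p/2 (the sum of squares could wrap around)."""
    if 32 * b * b >= p:
        return None
    zs = [lift(z, p) for z in zs_res]
    if any(not -b <= z <= 2 * b for z in zs):
        return None
    if sum(z * z for z in zs) % p != x_res % p:
        return None
    return 16 * b * b

def le_from_ranges(x, y, B, p):
    """Slide 23 lemma: 0 <= x, y <= B and 0 <= (x - y) mod p <= B with B < p/2 certify
    y <= x (if y > x then (x - y) mod p = p - (y - x) > p - B > p/2 > B). Returns whether
    the three range facts hold for the integers x, y."""
    if 2 * B >= p:
        raise ValueError("B must be below p/2")
    return 0 <= x <= B and 0 <= y <= B and 0 <= (x - y) % p <= B
```

The wrap-around case is the one to keep in mind: with p = 101 and b = 2 the bound 16b² = 64 exceeds p/2, and the residue 64 is really -37 as a signed value, so `verify_range` refuses such parameters instead of certifying a "non-negative" x.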

Page 25:

New Challenge - Solved

• Proving the Announced matching is stable involves statements: $\neg\big[\,(x^{(i)}_s < x^{(i)}_t) \wedge (y^{(s)}_i < y^{(s)}_m)\,\big]$

• Without Revealing TruthValue$(x^{(i)}_s < x^{(i)}_t)$, TruthValue$(y^{(s)}_i < y^{(s)}_m)$.

• EP can ZKP for posted $COM(X), COM(Y), COM(Z)$ that: $val(Z) = 1$ if $val(X) < val(Y)$, and $val(Z) = 0$ else.

Page 26:

Form of k-Translations Proof

$P_1, \dots, P_n$ have submitted to EP values $x_1, \dots, x_n$

Form of proof created by EP:

$TR(1) = COM(X^{(1)}_1), \dots, COM(X^{(1)}_n), \dots$ (translation of GSLC program)

…

$TR(k) = COM(X^{(k)}_1), \dots, COM(X^{(k)}_n), \dots$ (translation of GSLC program)

How can VER ascertain that $val(X^{(1)}_j) = \dots = val(X^{(k)}_j) = x_j$, $1 \le j \le n$? i.e. that the rows of commitments to input values are value consistent and represent the submitted $x_1, \dots, x_n$

Page 27:

$P_1, \dots, P_n$ submit Inputs $x_1, \dots, x_n$ to EP

• $P_i$, $1 \le i \le n$, prepares $3k$ random representations $Y^{(i)}_1, \dots, Y^{(i)}_{3k}$ of his value $x_i$.

• $P_i$ submits commitments $COM(Y^{(i)}_1), \dots, COM(Y^{(i)}_{3k})$ to the EP

• Purpose of multiple representations of value $x_i$: to enable EP to prepare multiple Translations of the GSLC

• EP posts all commitments from all $P_i$, $1 \le i \le n$.

Page 28:

Secure Bulletin Board

$COM(Y^{(1)}_1), COM(Y^{(1)}_2), \dots, COM(Y^{(1)}_{3k})$

$COM(Y^{(2)}_1), COM(Y^{(2)}_2), \dots, COM(Y^{(2)}_{3k})$

…

$COM(Y^{(n)}_1), COM(Y^{(n)}_2), \dots, COM(Y^{(n)}_{3k})$

Page 29:

Creating Additional Input Value Representations

• Every $P_i$ opens (reveals) $Y^{(i)}_1, \dots, Y^{(i)}_{3k}$ to EP

• EP chooses $L$ (say $L = 10$)

• EP constructs additional $6kL = m$ columns:

$COM(X^{(1)}_1), COM(X^{(1)}_2), \dots, COM(X^{(1)}_m)$

$COM(X^{(2)}_1), COM(X^{(2)}_2), \dots, COM(X^{(2)}_m)$ (5)

…

$COM(X^{(n)}_1), COM(X^{(n)}_2), \dots, COM(X^{(n)}_m)$

Page 30:

Proving Value Consistency

Interactively with VER, EP proves:

1) In the n × 3k posted matrix of representations of input values, at least 2k columns are pair-wise value consistent. By definition, the common value of that 2k-column majority in row i is Pi’s input xi.

2) In the n × m matrix (5), at least (1 – 1/L)m columns are pair-wise value consistent with the majority values of the input matrix.

3) The interactive proof involves all input representations and 3kL columns of the matrix (5).

4) The remaining untouched 3kL columns of the matrix (5) are used by EP to construct 3L proofs of correctness of announced GSLC results.

Page 31:

Assurance of Proof of Value Consistency

Theorem: If either (1) or (2) is false, with respect to the inputs n × 3k matrix or the EP-created n × m matrix (5), then: Prob(VER accepts proof) $\le 1/2^k$

Page 32:

Implementing EP by a secure processor

One possibility for an EP is a secure processor (SP) assumed to accept inputs and post results and proofs of correctness according to the previous protocols.

No assumption is made about the correctness of internal computations. In fact the proof of correctness and its verification ensure correctness.

Problem: The SP is tested and certified with respect to the content it can output, however there may be covert channels. Worst possibility: SP leaks, say, the value x1 through randomness employed in construction of a translation.

Solution: Use another secure processor RSP – a universal source of randomness.

Page 33:

Experimental Results

Comparing a 100-bidder secrecy-preserving Vickrey auction using Paillier encryption [PRST06] with a 2048-bit key against the EP method with $k = 40$, $p \approx 2^{128}$.

Operation               New (EP method)   Homomorphic (Paillier)
Preparing the proof     2 ms              804 minutes
Downloading the proof   40 ms             < 30 seconds
Verifying the proof     2 ms              162 minutes

Page 34:

Matching Problems (H. Varian)

Entities: $E_1, \dots, E_k$; candidates: $C_1, \dots, C_m$

$E_1$ preference list: $C_{i_1}, \dots, C_{i_m}$; $C_1$ preference list: $E_{j_1}, \dots, E_{j_k}$; etc.

Preference Lists: Secret. EP computes stable matching and can ZK prove correctness.