May, 2011 Algorithmic Game Theory Workshop
Michael O. Rabin, Harvard University, Hebrew University
Algorithmic Game Theory, Hebrew University
May 23, 2011
Practical Zero Knowledge Proofs Applied To Proving Correctness Of Stable Matching Problems
• Motivation, Applications
• New Zero Knowledge Proofs
• Next Steps
Stable Matchings – Hospitals/Residents
Hospitals/Residents - Continued
• Every Resident Ranks Hospitals: [figure: ranking diagram]
Etc…
Stable Matching
• No Pair Hospital-Resident So That: [figure: the hospital prefers the resident over its assigned resident, and the resident prefers the hospital over its assigned hospital]
Stable Matching – The Data
Hospitals H1, …, HL; Residents R1, …, RM
• Resident i: X1(i), …, XL(i)
• Hospital j: y1(j), …, yM(j)
• Administrator Gets Data, Computes Stable Matching. Informs Hospitals/Residents.
Secrecy And Correctness
• Hospitals Do Not Want Residents To Know Their Rankings.
• Residents Want Their Hospital Rankings Kept Secret.
• Everybody Wants Assurance Of Correctness Of Announced Matchings.
• Challenge: Proving Statements Such As: Xt(i) < Xs(i), ym(j) < yn(j) While Keeping Values Secret.
Existing Technologies
Varieties of Zero-Knowledge Proofs and Arguments:
• Proving x ∈ L – an NP language
• Proving circuit satisfiability (at the bit level)
• Using homomorphic encryption to prove statements about encrypted values
• The method of obfuscated circuits (A. Yao)
• Multiparty computations, hiding inputs, intermediate results
Our Approach
We work directly with numbers x,y,z ∈ Fp, p prime, say p ~ 2^64. No need to go down to the bit/gate level or work with heavy homomorphic encryptions.
A wide range of computations and ZK Proofs of their correctness is encompassed within the formulation of Generalized Straight-Line Computations in Fp and verification of correctness of results of such computations.
Generalized Straight-Line Computations
Let x1,…,xn be inputs from P1,…,Pn.
An Evaluator Prover (EP) conducts a generalized straight-line computation (GSLC)
x1, x2, …, xn, xn+1, …, xL = fL(x1,…,xn), xL+1 = fL+1(x1,…,xn), etc. (1)
producing Outputs: xL, xL+1, etc.
For all m > n, ∃ i, j < m such that xm = xi + xj (mod p), or xm = xi × xj (mod p), or xm = (xi ≤ xj). More general computations treatable.
Posting And Proving Correctness of Results
• The Evaluator Prover (EP) posts the results (outputs): xL = fL(x1,…,xn), xL+1 = fL+1(x1,…,xn), etc.
• The EP posts a ZK Proof of the correctness of the results
• The proof of correctness is checked by a Verifier VER interacting with the EP
Flow of Proof/Verification
• EP creates proof
• Presents Proof to Verifier VER
• VER challenges EP: C1, C2, …
• EP responds to VER: R1, R2, …
• VER checks correctness of responses
Our Magical Solution
Values x ∈ {0,1,..,p-1} = Zp, prime p ~ 2^64, +, × mod p
Random representations:
RR(x) = X = (u,v), val(X) = (u+v) mod p = x
u ∈R {0,1,…,p-1}, v = (x-u) mod p
COM(X) = (COM(u),COM(v))
Evaluator Prover needs to ZKP statements such as val(X) + val(Y) = val(Z), val(X) × val(Y) = val(Z), val(X) ≤ val(Y)
Commitment To Values
G is a group, |G| = p. g1 generator, g2 = g1^m, m = log_g1(g2)
Assume: Discrete Log Problem for G intractable
Given u ∈ Fp, r ∈R [0,p-1], Define: COM(u,r) = g1^r g2^u
COM is information theoretically hiding; computationally binding.
In practice, commitment is made using encryption E( , ) (say 128-bit key AES): COM(u) = E(K, u). Decommit/Open: reveal key K
Proof/Verification of Addition
X = (u1,v1), Y = (u2,v2), Z = (u3,v3)
Claim: val(X)+val(Y)=val(Z) (3)
Posted: (COM(ui),COM(vi)), 1 ≤ i ≤ 3
(3) True iff ∃ r ∈ Fp s.t. X+Y=Z+(r,-r)
EP reveals r
VER picks c ∈R {1,2}, sends to EP, say c=1
EP reveals u1,u2,u3 (or if c=2: v1, v2, v3)
VER checks u1+u2=u3+r (or v1+v2=v3-r)
Prob( (3) false and check succeeds) ≤ 1/2
Illustration of the Method
• Addition
– p=17
– x=7, y=7, x+y=z=14
– X=(3,4), Y=(15,9), Z=(8,6)
– CLAIM: val(X)+val(Y) = val(Z)
[figure: the pairs X=(3,4), Y=(15,9), Z=(8,6) and the posted (10,-10)]
Illustration of the Method (continued)
• Addition – p=17 – x=7, y=7, x+y=z=14 – X=(3,4), Y=(15,9), Z=(8,6)
Auc posts (10,-10). Verifier: c ∈R {1,2}
[figure: challenge c=1, first coordinates 3, 15, 8 revealed; VER checks 3+15 = 8+10 (mod 17)]
Sequence of Additions
• Let COM(X), COM(Y), COM(W), COM(U), COM(Z), etc be posted
• EP claims VAL(X)+VAL(Y)=VAL(W), VAL(W)+VAL(U)=VAL(Z), etc
• Correctness of a sequence of additions can be simultaneously proved/verified as above.
• If Challenge is c=1, all first coordinates are revealed by EP. If Challenge is c=2, all second coordinates are revealed.
• Prob( check succeeds but even one addition false ) ≤ 1/2
Amplification of Confidence
• EP posts k “Translations” of the proof of the same sequence of additions: COM(X(i)), COM(Y(i)), COM(W(i)), COM(U(i)), COM(Z(i)), etc for 1 ≤ i ≤ k, where val(X(1)) = … = val(X(k)), val(Y(1)) = … = val(Y(k)), etc
• VER creates k independent Challenges c1,…,ck ∈R {1,2}
• EP reveals all coordinates ci in Translation i
• Prob( all checks succeed while even one addition false) ≤ 1/2^k
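The addition proof and its k-fold amplification, as an added Python example that is not part of the talk: the commitment is a SHA-256 over a fresh key (my stand-in for the AES-based COM(u) = E(K, u)), the function names are my own, and p = 17 is the slides' toy prime.

```python
import hashlib
import secrets

P = 17  # the talk's illustration uses p = 17; in practice p ~ 2^64

def rr(x, p=P):
    """Random representation RR(x) = X = (u, v): u uniform, (u + v) mod p = x."""
    u = secrets.randbelow(p)
    return (u, (x - u) % p)

def val(X, p=P):
    return (X[0] + X[1]) % p

def com(value):
    """COM(value) as SHA-256 over a fresh 128-bit key and the value: an assumed
    stand-in for the talk's AES-based COM(u) = E(K, u). Returns (digest, key)."""
    key = secrets.token_bytes(16)
    return hashlib.sha256(key + str(value).encode()).hexdigest(), key

def opens_to(digest, key, value):
    """Decommit: VER recomputes the digest from the revealed key and value."""
    return hashlib.sha256(key + str(value).encode()).hexdigest() == digest

def make_translation(x, y, z, p=P):
    """EP side of claim (3) x + y = z: fresh X, Y, Z and the posted r such that
    X + Y = Z + (r, -r) holds coordinate-wise exactly when (3) is true."""
    X, Y, Z = rr(x, p), rr(y, p), rr(z, p)
    r = (X[0] + Y[0] - Z[0]) % p   # makes the first-coordinate check pass
    return X, Y, Z, r

def check_addition(X, Y, Z, r, c, p=P):
    """VER side for challenge c in {1, 2}; only the c-th coordinates are used."""
    if c == 1:
        return (X[0] + Y[0]) % p == (Z[0] + r) % p
    return (X[1] + Y[1]) % p == (Z[1] - r) % p

def protocol(x, y, z, k, p=P):
    """k translations, k independent challenges: EP commits to all coordinates,
    opens the c-th ones; a false claim survives with probability <= 1/2**k."""
    for _ in range(k):
        X, Y, Z, r = make_translation(x, y, z, p)
        coms = [(com(W[0]), com(W[1])) for W in (X, Y, Z)]   # posted with r
        c = secrets.choice((1, 2))                            # VER's challenge
        opened = [(W[c - 1], coms[i][c - 1][1]) for i, W in enumerate((X, Y, Z))]
        if not all(opens_to(coms[i][c - 1][0], key, w) for i, (w, key) in enumerate(opened)):
            return False
        if not check_addition(X, Y, Z, r, c, p):
            return False
    return True
```

With a false claim, r is chosen so the c=1 check always passes, so only the c=2 check can catch it: one translation gives soundness error 1/2, k translations give 1/2^k.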
Proof/Verification of Multiplication
X = (u1,v1), Y = (u2,v2), Z = (u3,v3)
Claim: val(X) × val(Y) = val(Z) (4)
Posted: (COM(ui),COM(vi)), 1 ≤ i ≤ 3
EP creates Z(0) = (u1 × u2, v1 × v2), Z(1) = (u1 × v2 + r1, -r1), Z(2) = (u2 × v1 + r2, -r2) where r1, r2 ∈R Fp
Clearly, (4) true iff val(Z) = val(Z(0)) + val(Z(1)) + val(Z(2))
EP posts COM(Z(0)), COM(Z(1)), COM(Z(2))
VER tests correctness of one of the constructions of Z(0), Z(1), Z(2)
Sequence of Additions & Multiplications
• A Translation TR of a GSLC will include a number of additions and a number of multiplications
• VER will randomly decide whether to check correctness of all additions or correctness of all multiplications
• If checking correctness of multiplications, VER will randomly choose which aspect (i.e. structure) of Z(0), Z(1), or Z(2) to check for correctness. Same aspect for all multiplications.
Amplification of Confidence
Main Theorem: if EP constructs and posts k Translations TR(1),…,TR(k) of a GSLC and if for every TR(i) VER randomly and independently chooses to check for correctness of additions with probability 1/2, correctness of all Z(1) with probability 1/4, and correctness of all Z(2) with probability 1/4, then
Prob(All checks correct and posted computation results incorrect) < (3/4)^k
Comment: correctness of structure of all Z(0) is checked together with correctness of additions.
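The multiplication translation and the Main Theorem's three checks, as an added Python example (not from the talk); function and dictionary-key names are my own, and the addition Z(0)+Z(1)+Z(2) = Z is verified with one posted r exactly as in the addition proof.

```python
import secrets

P = 17  # small prime for illustration; the talk uses p ~ 2^64

def rr(x, p=P):
    """Random representation (u, v) of x with (u + v) mod p = x."""
    u = secrets.randbelow(p)
    return (u, (x - u) % p)

def val(X, p=P):
    return (X[0] + X[1]) % p

def mul_translation(x, y, z, p=P):
    """EP side of claim (4) x * y = z. With X = (u1, v1), Y = (u2, v2):
    Z0 = (u1 u2, v1 v2), Z1 = (u1 v2 + r1, -r1), Z2 = (u2 v1 + r2, -r2), so
    val(Z0) + val(Z1) + val(Z2) = (u1 + v1)(u2 + v2) = x y. The addition
    Z0 + Z1 + Z2 = Z + (r, -r) is proved exactly as for a sum."""
    X, Y, Z = rr(x, p), rr(y, p), rr(z, p)
    r1, r2 = secrets.randbelow(p), secrets.randbelow(p)
    Z0 = (X[0] * Y[0] % p, X[1] * Y[1] % p)
    Z1 = ((X[0] * Y[1] + r1) % p, -r1 % p)
    Z2 = ((X[1] * Y[0] + r2) % p, -r2 % p)
    r = (Z0[0] + Z1[0] + Z2[0] - Z[0]) % p
    return {"X": X, "Y": Y, "Z": Z, "Z0": Z0, "Z1": Z1, "Z2": Z2,
            "r1": r1, "r2": r2, "r": r}

def check_aspect(T, aspect, p=P):
    """VER side. aspect "Z1"/"Z2": EP opens u1, v2, r1 (resp. u2, v1, r2) and
    the pair; VER recomputes it. aspect ("add", c): EP opens the c-th coordinates
    of X, Y, Z0, Z1, Z2, Z; VER checks Z0's structure and the addition chain."""
    X, Y, Z, Z0, Z1, Z2 = (T[k] for k in ("X", "Y", "Z", "Z0", "Z1", "Z2"))
    if aspect == "Z1":
        return Z1 == ((X[0] * Y[1] + T["r1"]) % p, -T["r1"] % p)
    if aspect == "Z2":
        return Z2 == ((X[1] * Y[0] + T["r2"]) % p, -T["r2"] % p)
    c = aspect[1] - 1            # coordinate index 0 or 1
    sign = 1 if c == 0 else -1   # the posted pair is (r, -r)
    return (Z0[c] == X[c] * Y[c] % p
            and (Z0[c] + Z1[c] + Z2[c]) % p == (Z[c] + sign * T["r"]) % p)

def verifier_choice():
    """Main Theorem's distribution: additions (with Z0) w.p. 1/2, Z1 w.p. 1/4, Z2 w.p. 1/4."""
    d = secrets.randbelow(4)
    return [("add", 1), ("add", 2), "Z1", "Z2"][d]

def protocol(x, y, z, k, p=P):
    """k independent translations and choices; a false (4) survives with prob < (3/4)**k."""
    return all(check_aspect(mul_translation(x, y, z, p), verifier_choice(), p)
               for _ in range(k))
```

A wrong product with otherwise honest Z(0), Z(1), Z(2) can only fail the second-coordinate addition check, which is why the per-translation soundness error is bounded by 3/4 rather than 1/2.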
Proving 0 ≤ x ≤ B for B < p/2
B is an explicitly given integer. If we prove 0 ≤ x,y ≤ B and 0 ≤ (x-y) mod p ≤ B, it follows that x ≤ y.
Let b^2 be a bound on possible bid values.
Following [BCDdG87], given 0 ≤ z ≤ b, the EP can supply within the framework of GSLC translations a proof that –b ≤ z ≤ 2b (i.e. as an integer p-b ≤ z < p or 0 ≤ z ≤ 2b).
How do we get rid of the first possibility?
Lagrange proved that every integer x = z1^2 + z2^2 + z3^2 + z4^2. R77 in lectures [RS86] gave an efficient polynomial-time algorithm for computing such a representation. For numbers x ≤ 2^32, Schorn’s Python implementation computed 60,000 representations in 1 second.
Proving 0 ≤ x ≤ B for B < p/2 (continued)
[CS03] proposed using Lagrange in the context of proving range statements for encrypted numbers.
We apply Lagrange + [RS86] in our context of GSLCs.
Given 0 ≤ x ≤ b^2 < p/32, the EP computes z1,…,z4 such that x = z1^2 + z2^2 + z3^2 + z4^2. Each zi is between 0 and b.
The numbers x, z1, …, z4 are represented as usual in a translation TR by pairs X, Z1, …, Z4.
EP incorporates in the GSLC steps enabling verification that -b ≤ val(Zi) ≤ 2b and that val(X) = val(Z1)^2 + … + val(Z4)^2. This implies 0 ≤ x ≤ 16b^2 = B. Now 32b^2 < p, i.e. 16b^2 < p/2.
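The four-squares range step above as an added Python example (not the talk's code): a brute-force decomposition stands in for the [RS86] algorithm, the [BCDdG87] sub-proof is modelled as a direct check on the opened z_i, and the prime and bound are constructed values.

```python
from math import isqrt

P = 1_000_003          # prime, stands in for p ~ 2^64 (constructed parameters)
B_SMALL = 176          # largest b with 32 * b**2 < P, i.e. 16 * b**2 < P / 2

def four_squares(x):
    """Lagrange: x = z1^2 + z2^2 + z3^2 + z4^2 with 0 <= zi <= sqrt(x). A plain
    search from the largest z1 downwards, standing in for the polynomial-time
    algorithm of [RS86]; adequate for x up to b^2 here."""
    for z1 in range(isqrt(x), -1, -1):
        rest1 = x - z1 * z1
        for z2 in range(isqrt(rest1), -1, -1):
            rest2 = rest1 - z2 * z2
            for z3 in range(isqrt(rest2), -1, -1):
                rest3 = rest2 - z3 * z3
                z4 = isqrt(rest3)
                if z4 * z4 == rest3:
                    return (z1, z2, z3, z4)
    raise ValueError("unreachable for x >= 0")

def verify_range_claim(x, z, b, p=P):
    """VER's reading of the GSLC steps: each z_i (a residue mod p) must open in
    [-b, 2b], which is what the [BCDdG87] sub-proof establishes (modelled here
    as a direct check on opened values), and sum(z_i^2) must equal x in F_p.
    Returns the certified bound B = 16 b^2, or None if anything fails."""
    if 32 * b * b >= p:
        return None
    lifted = [zi if zi <= 2 * b else zi - p for zi in z]   # residue -> signed integer
    if len(z) != 4 or any(not -b <= zi <= 2 * b for zi in lifted):
        return None
    if sum(zi * zi for zi in z) % p != x % p:
        return None
    # each lifted z_i has z_i^2 <= 4 b^2, so the integer sum is <= 16 b^2 < p:
    # no wrap-around, the F_p equality is an integer one and 0 <= x <= 16 b^2 < p/2
    return 16 * b * b
```

The residue p-1 lifts to -1 and is accepted, while p-b-1 lifts to -(b+1) and is rejected: this is exactly the "first possibility" the slide wants to exclude.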
New Challenge - Solved
• Proving Announced matching is stable involves statements: ¬[ (Xs(i) < Xt(i)) ∧ (yi(s) < ym(s)) ]
• Without Revealing TruthValue(Xs(i) < Xt(i)), TruthValue(yi(s) < ym(s)).
• EP can ZKP for posted COM(x), COM(y), COM(z) that: Val(Z) = 1 if Val(x) < Val(y), 0 else
Form of k-Translations Proof
P1, …, Pn have submitted to EP values x1, …, xn
Form of proof created by EP:
TR(1) = COM(X1(1)), …, COM(Xn(1)), ..., (translation of GSLC program)
…
TR(k) = COM(X1(k)), …, COM(Xn(k)), ..., (translation of GSLC program)
How can VER ascertain that val(Xj(1)) = … = val(Xj(k)) = xj, 1 ≤ j ≤ n? i.e. that rows of commitments to input values are value consistent and represent the submitted x1, …, xn
P1…Pn submit Inputs x1 … xn to EP
• Pi, 1 ≤ i ≤ n, prepares 3k random representations Y1(i), …, Y3k(i) of his value xi.
• Pi submits commitments COM(Y1(i)), …, COM(Y3k(i)) to the EP
• Purpose of multiple representations of value xi: to enable EP to prepare multiple Translations of the GSLC
• EP posts all commitments from all Pi, 1 ≤ i ≤ n.
Secure Bulletin Board
COM(Y1(1)), COM(Y2(1)), …, COM(Y3k(1))
COM(Y1(2)), COM(Y2(2)), …, COM(Y3k(2))
…
COM(Y1(n)), COM(Y2(n)), …, COM(Y3k(n))
Creating Additional Input Value Representations
• Every Pi opens (reveals) Y1(i), …, Y3k(i) to EP
• EP chooses L (say L = 10)
• EP constructs additional 6kL = m columns:
COM(X1(1)), COM(X2(1)), …, COM(Xm(1))
COM(X1(2)), COM(X2(2)), …, COM(Xm(2))    (5)
…
COM(X1(n)), COM(X2(n)), …, COM(Xm(n))
Proving Value Consistency
• Interactively with VER, EP proves:
1) In the n × 3k posted matrix of representations of input values, at least 2k columns are pair-wise value consistent. By definition, the common 2k majority of values in row i is Pi’s input xi.
2) In the n × m matrix (5), at least (1 – 1/L)m columns are pair-wise value consistent with the majority values of the input matrix.
3) The interactive proof involves all input representations and 3kL columns of the matrix (5).
4) The remaining untouched 3kL columns of the matrix (5) are used by EP to construct 3L proofs of correctness of announced GSLC results.
Assurance of Proof of Value Consistency
Theorem: If either (1) or (2) is false, with respect to the n × 3k input matrix or the EP-created n × m matrix (5), then: Prob(VER accepts proof) ≤ 1/2^k
Implementing EP by secure processor
One possibility for an EP is a secure processor (SP) assumed to accept inputs and post results and proofs of correctness according to the previous protocols.
No assumption is made about the correctness of internal computations. In fact the proof of correctness and its verification ensure correctness.
Problem: The SP is tested and certified with respect to the content it can output, however there may be covert channels. Worst possibility: SP leaks, say, the value x1 through randomness employed in construction of a translation.
Solution: Use another secure processor RSP – a universal source of randomness.
Experimental Results
Comparing a 100-bidder secrecy-preserving Vickrey auction using Paillier encryption [PRST06] with 2048-bit key against the EP method with k = 40, p ~ 2^128.

Operation              New      Homomorphic
Preparing the proof    2 ms     804 minutes
Downloading the proof  40 ms    < 30 seconds
Verifying the proof    2 ms     162 minutes
Matching Problems (H. Varian)
Entities: E1, …, Ek; candidates: C1, …, Cm
E1 preference list: Ci1, …, Cim
C1 preference list: Ej1, …, Ejk etc.
Preference Lists: Secret
EP computes stable matching, can ZK prove correctness