Zero Knowledge (AKA ZK) proofs are stories of the following type: side A states a claim and proves it to side B, after some deliberation between them, such that:
This Wikipedia article contains an excellent explanation of the idea, with some concrete examples.
In this series I’ll deal with ZK arguments of knowledge, which are not exactly the same as proofs, but they’re close enough. In short: a ZK proof can be trusted completely, even if the side who’s trying to prove their claim (usually referred to as “the prover”) has unlimited computational power. ZK argument-of-knowledge can be trusted under the assumption that if the prover indeed tries to cheat, it is polynomialy bounded (if you use credit cards on the internet, then you already assume that, btw).
In the world of ZK proofs, the other side of the exchange is often called “the verifier”. I’ll stick to this terminology here.
Given a sequence of numbers a0,a1,…,a**n−1a0,a1,…,an−1, can one partition this sequence into two subsets that sum up to the same number?
If the sequence in question is 1,9,8,0,2,21,9,8,0,2,2, then the answer is clearly yes since 2+9=8+1+2+02+9=8+1+2+0.
However if the sequence is 2,3,4,5,6,72,3,4,5,6,7, then the answer is clearly no, since the sum is odd, and therefore there cannot be two subsets summing exactly to half of it each (the numbers are all integers).
While these are simple enough instances, in general this problem is NP-complete (though it has a pseudo-polynomial algorithm).
Suppose we have a python list ll of numbers, that defines our Partition Problem instance. We’ll say that another list mm is a satisfying assignment if:
Note that this is equivalent to the statement of the partition problem, if we think of a ‘1’ in mm as assigning its corresponding number in ll to the left side of the equation, and ‘-1’ as assigning it to the right side.
Given ll, a proof for its satisfiability can be given by revealing mm, but that would violate the ZK requirement.
Let’s rewrite ll as the partial sum list of its dot product with mm.
Mathematically speaking, let p**i:=∑0≤k<i**l[k]⋅m[k]pi:=∑0≤k So if l=[4,11,8,1]l=[4,11,8,1], and m=[1,−1,1,−1]m=[1,−1,1,−1], then pp will be one element longer: p=[0,4,−7,1,0]p=[0,4,−7,1,0]. Note that pp now has two interesting properties, if mm is indeed a satisfying assignment: So here’s a first draft for a ZK protocol: The verifier chooses a random 0≤i≤n0≤i≤n. If i=ni=n, the verifier asks the prover to provide p[0]p[0] and p[n]p[n] and checks that they are both 0. Otherwise, the verifier asks the prover to provide p[i]p[i] and p[i+1]p[i+1] and checks that indeed |l[i]|=|p[i+1]−p[i]||l[i]|=|p[i+1]−p[i]| (recall that ll is known to the verifier, as part of the claim made by the prover). The above contains an implicit assumption that when the verifier asks the prover to provide some data, the prover will indeed provide it honestly. We don’t want to assume that, but we postpone dealing with this issue to the next post. For now, let’s assume everything is kosher. An observant reader will probably point out that asking about a single element doesn’t mean much. And that’s true, we’d like to ask many queries, and after enough of them - we’ll be certain that the claim is true. We’ll quantify this more accurately in the third (and last) post. Each query reveals something about mm, and so it is not zero-knowledge. Consequently, after enough queries - mm can be completely revealed. That’s terrible! Let’s fix it. Mathematically speaking, we usually say that something provides no new information, if it appears random, or more precisely - if it is uniformly distributed over some appropriately chosen domain. Without getting into the exact definition, this means that to make something ZK, we mix it with randomness. So here’s how we do it here. Now suppose that before each query - we recompute this randomness (i.e. - flip the coin and change mm, and choose a random number rr and add it to the elements of pp). If we choose rr carefully, then indeed, every two consecutive elements of pp will differ (in absolute value) by the corresponding element in ll but look otherwise random. So, here’s the first piece of code we’ll need, something that takes a problem (i.e. ll) and a satisfying assignment (i.e. mm) and constructs a witness (i.e. pp) that will attest to the satisfiability of the problem instance: This post didn’t have nearly enough images as a blog post should have. Her’e one to make up for it: Part II Part III 原文:https://www.shirpeled.com/2018/09/a-hands-on-tutorial-for-zero-knowledge.html
What if the prover is lying???
This doesn’t prove anything!
This is not Zero-Knowledge!
Manufacturing Zero-Knowledge
import random
def get_witness(problem, assignment):
"""
Given an instance of a partition problem via a list of numbers (the problem) and a list of
(-1, 1), we say that the assignment satisfies the problem if their dot product is 0.
"""
sum = 0
mx = 0
side_obfuscator = 1 - 2 * random.randint(0, 1)
witness = [sum]
assert len(problem) == len(assignment)
for num, side in zip(problem, assignment):
assert side == 1 or side == -1
sum += side * num * side_obfuscator
witness += [sum]
mx = max(mx, num)
# make sure that it is a satisfying assignment
assert sum == 0
shift = random.randint(0, mx)
witness = [x + shift for x in witness]
return witness