Zero KnowledgeProofsII

  • 8/2/2019 Zero KnowledgeProofsII

    Zero-Knowledge Proofs

    J.W. Pope

    M.S. Mathematics, May 2004

  • What is a Zero-Knowledge Proof?

    A zero-knowledge proof is a way that a prover can prove possession of a certain piece of information to a verifier without revealing it.

    This is done by manipulating data provided by the verifier in a way that would be impossible without the secret information in question.

    A third party, reviewing the transcript created, cannot be convinced that either prover or verifier knows the

  • The Cave of the Forty Thieves

  • Properties of Zero-Knowledge Proofs

    Completeness: A prover who knows the secret information can prove it with probability 1.

    Soundness: The probability that a prover who does not know the secret information can get away with it can be made arbitrarily small.

  • An Example: Hamiltonian Cycles

    Peggy the prover would like to show Vic the verifier that an element is a member of the subgroup of Z_n* generated by , where has order . (i.e., does k = for some k such that 0 k ?)

    Peggy chooses a random j, 0 j 1, and sends Vic j.

    Vic chooses a random i = 0 or 1, and sends it to Peggy.

    Peggy computes j + ik mod , and sends it to Vic.

    Vic checks that j + ik = j ik = j i.
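
One round of the interactive proof on this slide, written out as an added example (not part of the original slides). The names ALPHA (the generator), BETA (the element), ELL (the generator's order), K (Peggy's secret exponent) and the toy modulus are assumptions chosen for the example; cheating_round shows why a prover without k passes a round only when she guesses Vic's bit.

```python
import secrets

# Constructed toy parameters (assumptions; far too small for real use).
N = 23                     # modulus: work in Z_23*
ALPHA = 2                  # generates a subgroup of order ELL (2^11 = 1 mod 23)
ELL = 11                   # order of ALPHA
K = 7                      # Peggy's secret exponent
BETA = pow(ALPHA, K, N)    # public element whose membership is being proved


def commit(j):
    """Peggy's first message: ALPHA^j for her random j."""
    return pow(ALPHA, j, N)


def respond(j, i, k):
    """Peggy's answer to challenge bit i: j + i*k mod ELL."""
    return (j + i * k) % ELL


def verify(gamma, i, h):
    """Vic's check: ALPHA^h == gamma * BETA^i (mod N)."""
    return pow(ALPHA, h, N) == gamma * pow(BETA, i, N) % N


def honest_round(k=K):
    j = secrets.randbelow(ELL)          # 0 <= j <= ELL - 1
    gamma = commit(j)
    i = secrets.randbelow(2)            # Vic's random challenge bit
    return verify(gamma, i, respond(j, i, k))


def cheating_round(guess, i):
    """A prover without k prepares for one guessed challenge bit.

    She picks the response h first and back-computes the commitment
    gamma = ALPHA^h * BETA^(-guess), so the check holds only if i == guess.
    Run with guess == i, this is also how a valid-looking transcript can be
    produced without k, which is why a transcript convinces no third party.
    """
    h = secrets.randbelow(ELL)
    gamma = pow(ALPHA, h, N) * pow(BETA, -guess, N) % N
    return verify(gamma, i, h)


def run_proof(rounds=40):
    """Completeness: the honest prover passes every round."""
    return all(honest_round() for _ in range(rounds))
```

Each round halves a cheating prover's chance of survival, so t rounds leave her a 2^-t chance of being accepted.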

  • Complexity Theory

    The last proof works because the problem of solving discrete logarithms is NP-complete (or is believed to be, at any rate).

    It has been shown that all problems in NP have a zero-knowledge proof associated with them.

  • Bit Commitments

    Flipping a coin down a well

    Flipping a coin by telephone

    A value of 0 or 1 is committed to by the prover by encrypting it with a one-way function, creating a blob.

    The verifier can then unwrap this blob when it becomes necessary by revealing the key.

  • Bit Commitment Properties

    Concealing: The verifier cannot determine the value of the bit from the blob.

    Binding: The prover cannot open the blob as both a zero and a one.

  • Bit Commitments: An Example

    Let n = pq, where p and q are prime. Let m be a quadratic nonresidue modulo n. The values m and n are public, and the values p and q are known only to Peggy.

    Peggy commits to the bit b by choosing a random x and sending Vic the blob m^b x^2.

    When the time comes for Vic to check the value of the bit, Peggy simply reveals the values b and x.

    Since no known polynomial-time algorithm exists for solving the quadratic residues problem modulo a composite n whose factors are unknown, this scheme is computationally concealing.

    On the other hand, it is perfectly binding, since if it wasn't, m would have to be a quadratic residue, a contradiction.
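
The commitment scheme on this slide, as an added example (not part of the original slides). The toy primes 7 and 11, the value m = 6 and all function names are constructed assumptions; bit_from_factors shows why p and q must stay secret, and binding_holds checks the binding argument exhaustively for this toy n.

```python
import secrets
from math import gcd

# Constructed toy parameters (assumptions; far too small for real use).
P, Q = 7, 11        # secret primes
N = P * Q           # public modulus
M = 6               # public; chosen here as a nonresidue mod BOTH primes, so
                    # the blob's Jacobi symbol is +1 either way and leaks nothing


def is_qr_mod_prime(a, p):
    """Euler's criterion: a is a square mod an odd prime p (a coprime to p)."""
    return pow(a, (p - 1) // 2, p) == 1


def commit(b):
    """Return (blob, x) with blob = M^b * x^2 mod N for a random unit x."""
    while True:
        x = secrets.randbelow(N - 1) + 1
        if gcd(x, N) == 1:
            return pow(M, b, N) * x * x % N, x


def open_blob(blob, b, x):
    """Vic's check once Peggy reveals b and x."""
    return b in (0, 1) and gcd(x, N) == 1 and blob == pow(M, b, N) * x * x % N


def bit_from_factors(blob):
    """Anyone holding P and Q reads the bit: the blob is a square iff b == 0."""
    square = is_qr_mod_prime(blob, P) and is_qr_mod_prime(blob, Q)
    return 0 if square else 1


def binding_holds():
    """No blob opens both ways: squares and M*squares are disjoint sets."""
    units = [x for x in range(1, N) if gcd(x, N) == 1]
    zeros = {x * x % N for x in units}
    ones = {M * x * x % N for x in units}
    return zeros.isdisjoint(ones)
```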

  • Bit Commitments and Zero-Knowledge

    Bit commitments are used in zero-knowledge proofs to encode the secret information.

    For example, zero-knowledge proofs based on graph colorations exist. In this case, bit commitment schemes are used to encode the colors.

    Complex zero-knowledge proofs with large numbers of intermediate steps that must be verified also use bit commitment schemes.

  • Computational Assumptions

    A zero-knowledge proof assumes the prover possesses unlimited computational power.

    It is more practical in some cases to assume that the prover's computational abilities are bounded.

    In this case, we have a zero-knowledge argument.

  • Proof vs. Argument

    Zero-Knowledge Proof:

      • Unconditional completeness
      • Unconditional soundness
      • Computational zero-knowledge
      • Unconditionally binding blobs
      • Computationally concealing blobs

    Zero-Knowledge Argument:

      • Unconditional completeness
      • Computational soundness
      • Perfect zero-knowledge
      • Computationally binding blobs
      • Unconditionally concealing blobs

  • Applications

    Zero-knowledge proofs can be applied where secret knowledge too sensitive to reveal needs to be verified:

      • Key authentication
      • PIN numbers
      • Smart cards

  • Limitations

    A zero-knowledge proof is only as good as the secret it is trying to conceal.

    Zero-knowledge proofs of identities in particular are problematic.

    The Grandmaster Problem

  • Research

    I am currently working with Dr. Curtis Barefoot in the NMT Mathematics Dept. on methods of applying zero-knowledge proofs to mathematical induction: Can a prover prove a theorem via induction without revealing any of the steps beyond the base case?

    Possible application of methods developed by Camenisch and Michels (or maybe not?)

  • References

    Blum, M., How to Prove a Theorem So No One Else Can Claim It, Proceedings of the International Congress of Mathematicians, Berkeley, California, 1986, pp. 1444-1451

    Camenisch, J., M. Michels, Proving in Zero-Knowledge that a Number is the Product of Two Safe Primes, Eurocrypt '99, J. Stern, ed., Lecture Notes in Computer Science 1592, pp. 107-122, Springer-Verlag, 1999

    Cramer, R., I. Damgård, B. Schoenmakers, Proofs of Partial Hiding and Simplified Design of Witness Hiding Protocols, Advances in Cryptology - CRYPTO '94, Lecture Notes in Computer Science 839, pp. 174-187, Springer-Verlag, 1994

    De Santis, A., G. di Crescenzo, G. Persiano, M. Yung, On Monotone Formula Closure of SZK, Proceedings of the 35th Symposium on the Foundations of Computer Science, pp. 454-465, IEEE, 1994

    Feigenbaum, J., Overview of Interactive Proof Systems and Zero-Knowledge, Contemporary Cryptology, G.J. Simmons, ed., pp. 423-440, IEEE Press, 1992

    Quisquater, J.J., L. Guillou, T. Berson, How to Explain Zero-Knowledge Protocols to Your Children, Advances in Cryptology - CRYPTO '99, Lecture Notes in Computer Science 435, pp. 628-631, 1990

    Schneier, B., Applied Cryptography (2nd edition), Wiley, 1996

    Stinson, D.R., Cryptography: Theory and Practice, CRC, 1995