-
8/2/2019 Zero KnowledgeProofsII
1/17
Zero-KnowledgeZero-Knowledge
ProofsProofsJ.W. PopeJ.W. Pope
M.S. MathematicsM.S. MathematicsMay 2004May 2004
-
8/2/2019 Zero KnowledgeProofsII
2/17
What is a Zero- KnowledgeWhat is a Zero- Knowledge
Proof?Proof?
A zero-knowledge proof is a way that aA zero-knowledge proof is
a way that aprover can prove possession of aprover can prove
possession of acertain piece of information to acertain piece of
information to a
verifier without revealing it.verifier without revealing it.This
is done by manipulating dataThis is done by manipulating data
provided by the verifier in a way thatprovided by the verifier
in a way that
would be impossible without thewould be impossible without
thesecret information in question.secret information in
question.
A third party, reviewing the transcriptA third party, reviewing
the transcriptcreated, cannot be convinced thatcreated, cannot be
convinced that
either prover or verifier knows theeither prover or verifier
knows the
-
8/2/2019 Zero KnowledgeProofsII
3/17
The Cave of the FortyThe Cave of the Forty
ThievesThieves
-
8/2/2019 Zero KnowledgeProofsII
4/17
The Cave of the FortyThe Cave of the Forty
ThievesThieves
-
8/2/2019 Zero KnowledgeProofsII
5/17
Properties of Zero-Properties of Zero-
Knowledge ProofsKnowledge Proofs
Completeness A prover who knowsCompleteness A prover who
knowsthe secret information can prove itthe secret information can
prove itwith probability 1.with probability 1.
Soundness The probability that aSoundness The probability that
aprover who does not know the secretprover who does not know the
secretinformation can get away with it caninformation can get away
with it can
be made arbitrarily small.be made arbitrarily small.
-
8/2/2019 Zero KnowledgeProofsII
6/17
An Example: HamiltonianAn Example: Hamiltonian
CyclesCycles Peggy the prover wouldPeggy the prover would
like to show Vic the verifierlike to show Vic the verifierthat
an elementthat an element is ais amember of the subgroup ofmember
of the subgroup ofZZnn*
* generated bygenerated by , where, where
has orderhas order . (i.e., does. (i.e., does kk== for some k
such that 0for some k such that 0 k k ?)?)
Peggy chooses a random j,Peggy chooses a random j,0 j 0 j 1, and
sends Vic 1, and sends Vicjj..
Vic chooses a random i = 0Vic chooses a random i = 0or 1, and
sends it to Peggy.or 1, and sends it to Peggy.
Peggy computes j + ik modPeggy computes j + ik mod, and sends it
to Vic., and sends it to Vic.
Vic checks thatVic checks that j + ikj + ik == jjikik
== jjii..
-
8/2/2019 Zero KnowledgeProofsII
7/17
Complexity TheoryComplexity Theory
The last proof works because theThe last proof works because
theproblem of solving discreteproblem of solving discretelogarithms
is NP-complete (or islogarithms is NP-complete (or isbelieved to
be, at any rate).believed to be, at any rate).
It has been shown that all problemsIt has been shown that all
problemsin NP have a zero-knowledge proofin NP have a
zero-knowledge proof
associated with them.associated with them.
-
8/2/2019 Zero KnowledgeProofsII
8/17
Bit CommitmentsBit Commitments
Flipping a coin down a wellFlipping a coin down a well Flipping
a coin by telephoneFlipping a coin by telephone
A value of 0 or 1 is committed to byA value of 0 or 1 is
committed to bythe prover by encrypting it with athe prover by
encrypting it with aone-way function, creating a blob.one-way
function, creating a blob.
The verifier can then unwrap thisThe verifier can then unwrap
thisblob when it becomes necessary byblob when it becomes necessary
byrevealing the key.revealing the key.
-
8/2/2019 Zero KnowledgeProofsII
9/17
Bit CommitmentBit Commitment
PropertiesProperties Concealing The verifier cannotConcealing
The verifier cannot
determine the value of the bit fromdetermine the value of the
bit fromthe blob.the blob.
Binding The prover cannot open theBinding The prover cannot open
theblob as both a zero and a one.blob as both a zero and a one.
-
8/2/2019 Zero KnowledgeProofsII
10/17
Bit Commitments: AnBit Commitments: An
ExampleExample Let n = pq, where p and q are prime. Let m be
aLet n = pq, where p and q are prime. Let m be a
quadratic nonresidue modulo n. The values m andquadratic
nonresidue modulo n. The values m andn are public, and the values p
and q are knownn are public, and the values p and q are knownonly
to Peggy.only to Peggy.
Peggy commits to the bit b by choosing a randomPeggy commits to
the bit b by choosing a randomx and sending Vic the blob mx and
sending Vic the blob mbbxx22.. When the time comes for Vic to check
the value ofWhen the time comes for Vic to check the value of
the bit, Peggy simply reveals the values b and x.the bit, Peggy
simply reveals the values b and x.
Since no known polynomial-time algorithm existsSince no known
polynomial-time algorithm existsfor solving the quadratic residues
problem modulofor solving the quadratic residues problem moduloa
composite n whose factors are unknown, hencea composite n whose
factors are unknown, hencethis scheme is computationally
concealing.this scheme is computationally concealing.
On the other hand, it is perfectly binding, since if itOn the
other hand, it is perfectly binding, since if it
wasnt, m would have to be a quadratic residue, awasnt, m would
have to be a quadratic residue, acontradiction.contradiction.
-
8/2/2019 Zero KnowledgeProofsII
11/17
Bit Commitments and Zero-Bit Commitments and Zero-
KnowledgeKnowledge Bit commitments are used in zero-Bit
commitments are used in zero-
knowledge proofs to encode theknowledge proofs to encode
thesecret information.secret information.
For example, zero-knowledge proofsFor example, zero-knowledge
proofsbased on graph colorations exist. Inbased on graph
colorations exist. Inthis case, bit commitment schemesthis case,
bit commitment schemes
are used to encode the colors.are used to encode the colors.
Complex zero-knowledge proofs withComplex zero-knowledge proofs
withlarge numbers of intermediate stepslarge numbers of
intermediate stepsthat must be verified also use bitthat must be
verified also use bit
commitment schemes.commitment schemes.
-
8/2/2019 Zero KnowledgeProofsII
12/17
ComputationalComputational
AssumptionsAssumptions A zero-knowledge proof assumes theA
zero-knowledge proof assumes the
prover possesses unlimitedprover possesses
unlimitedcomputational power.computational power.
It is more practical in some cases toIt is more practical in
some cases toassume that the proversassume that the
proverscomputational abilities are bounded.computational abilities
are bounded.
In this case, we have a zero-In this case, we have a
zero-knowledge argument.knowledge argument.
-
8/2/2019 Zero KnowledgeProofsII
13/17
Proof vs. ArgumentProof vs. Argument
Zero-Knowledge Proof:Zero-Knowledge Proof:
UnconditionalUnconditional
completenesscompleteness
UnconditionalUnconditionalsoundnesssoundness Computational
zero-Computational zero-
knowledgeknowledge
UnconditionallyUnconditionallybinding blobsbinding blobs
ComputationallyComputationally
concealing blobsconcealing blobs
Zero-KnowledgeZero-KnowledgeArgument:Argument:
UnconditionalUnconditionalcompletenesscompleteness
ComputationalComputationalsoundnesssoundness
Perfect zero-Perfect zero-knowledgeknowledge
ComputationallyComputationallybinding blobsbinding blobs
UnconditionallyUnconditionallyconcealing blobsconcealing
blobs
-
8/2/2019 Zero KnowledgeProofsII
14/17
ApplicationsApplications
Zero-knowledge proofs can beZero-knowledge proofs can beapplied
where secret knowledge tooapplied where secret knowledge
toosensitive to reveal needs to besensitive to reveal needs to
be
verifiedverified Key authenticationKey authentication PIN
numbersPIN numbers Smart cardsSmart cards
-
8/2/2019 Zero KnowledgeProofsII
15/17
LimitationsLimitations
A zero-knowledgeA zero-knowledgeproof is only asproof is only
asgood as the secretgood as the secret
it is trying toit is trying toconcealconceal
Zero-knowledgeZero-knowledge
proofs of identitiesproofs of identities
in particular arein particular areproblematicproblematic
The GrandmasterThe Grandmaster
ProblemProblem
-
8/2/2019 Zero KnowledgeProofsII
16/17
ResearchResearch
I am currently working with Dr. CurtisI am currently working
with Dr. CurtisBarefoot in the NMT Mathematics Dept. onBarefoot in
the NMT Mathematics Dept. onmethods of applying
zero-knowledgemethods of applying zero-knowledge
proofs to mathematical induction: Can aproofs to mathematical
induction: Can aprover prove a theorem via inductionprover prove a
theorem via inductionwithout revealing any of the steps
beyondwithout revealing any of the steps beyondthe base case?the
base case?
Possible application of methods developedPossible application of
methods developedby Camenisch and Michels (or maybeby Camenisch and
Michels (or maybenot?)not?)
-
8/2/2019 Zero KnowledgeProofsII
17/17
ReferencesReferences
Blum, M., How to Prove a Theorem So No One Else Can Claim
It,Blum, M., How to Prove a Theorem So No One Else Can Claim
It,Proceedings of the International Congress of Mathematicians,
Berkeley,Proceedings of the International Congress of
Mathematicians, Berkeley,California, 1986, pp. 1444-1451California,
1986, pp. 1444-1451
Camenisch, J., M. Michels, Proving in Zero-Knowledge that a
Number is theCamenisch, J., M. Michels, Proving in Zero-Knowledge
that a Number is theProduct of Two Safe Primes, Eurocrypt 99, J.
Stern, ed., Lecture Notes inProduct of Two Safe Primes, Eurocrypt
99, J. Stern, ed., Lecture Notes inComputer Science 1592, pp.
107-122, Springer-Verlag 1999Computer Science 1592, pp. 107-122,
Springer-Verlag 1999
Cramer, R., I. Dmgard, B. Schoenmakers, Proofs of Partial Hiding
andCramer, R., I. Dmgard, B. Schoenmakers, Proofs of Partial Hiding
and
Simplified Design of Witness Hiding Protocols, Advances in
Cryptology Simplified Design of Witness Hiding Protocols, Advances
in Cryptology CRYPTO 94, Lecture Notes in Computer Science 839, pp.
174-187, Springer-CRYPTO 94, Lecture Notes in Computer Science 839,
pp. 174-187, Springer-Verlag, 1994Verlag, 1994
De Santis, A., G. di Crescenzo, G. Persiano, M. Yung, On
Monotone FormulaDe Santis, A., G. di Crescenzo, G. Persiano, M.
Yung, On Monotone FormulaClosure of SZK, Proceedings of the
35Closure of SZK, Proceedings of the 35thth Symposium on the
Foundations ofSymposium on the Foundations ofComputer Science, pp.
454-465, IEEE, 1994Computer Science, pp. 454-465, IEEE, 1994
Feigenbaum, J., Overview of Interactive Proof Systems and
Zero-Feigenbaum, J., Overview of Interactive Proof Systems and
Zero-Knowledge, Contemporary Cryptology, G.J. Simmons, ed., pp.
423-440, IEEEKnowledge, Contemporary Cryptology, G.J. Simmons, ed.,
pp. 423-440, IEEE
Press 1992Press 1992 Quisquater, J.J., L. Guillou, T. Berson,
How to Explain Zero-KnowledgeQuisquater, J.J., L. Guillou, T.
Berson, How to Explain Zero-Knowledge
Protocols to Your Children, Advances in Cryptology - CRYPTO 99,
LectureProtocols to Your Children, Advances in Cryptology - CRYPTO
99, LectureNotes in Computer Science 435, pp. 628-631, 1990Notes in
Computer Science 435, pp. 628-631, 1990
Schneier, B., Applied Cryptography (2Schneier, B., Applied
Cryptography (2ndnd edition), Wiley, 1996edition), Wiley, 1996
Stinson, D.R., Cryptography: Theory and Practice, CRC, 1995Stinson,
D.R., Cryptography: Theory and Practice, CRC, 1995
![F-ZERO FOR GAMEBOY ADVANCE€¦ · GAME BOY ADVANCE FOR GAME BOY . r F-ZERO FOR GAMEBOY ADVANCE] -î-L,E Zñ x x O x . FLZERO < F-ZERO *ZERO rF-ZERO *ZERO Prologue T 7-1žCl rF-ZERO](https://img.pdfslide.us/doc/110x75/5f266cebeb0d265fef10f129/f-zero-for-gameboy-advance-game-boy-advance-for-game-boy-r-f-zero-for-gameboy.jpg)
