Zero-Knowledge Proofs J.W. Pope M.S. – Mathematics May 2004.


Page 1: Zero-Knowledge Proofs J.W. Pope M.S. – Mathematics May 2004.

Zero-Knowledge Proofs

J.W. Pope

M.S. – Mathematics

May 2004

Page 2: What is a Zero-Knowledge Proof?

A zero-knowledge proof is a way that a “prover” can prove possession of a certain piece of information to a “verifier” without revealing it.

This is done by manipulating data provided by the verifier in a way that would be impossible (except with negligible probability) without the secret information in question.

A third party, reviewing the transcript created, cannot be convinced that either prover or verifier knows the secret: a transcript that passes the verifier's checks could have been produced by someone who does not know the secret at all, so the proof convinces only the verifier who chose the challenges and does not transfer to anyone else.

Page 3: The Cave of the Forty Thieves

Page 4: The Cave of the Forty Thieves (continued)

Page 5: Properties of Zero-Knowledge Proofs

Completeness – A prover who knows the secret information can convince the verifier with probability 1.

Soundness – The probability that a prover who does not know the secret information can nevertheless convince the verifier can be made arbitrarily small (by repeating the protocol for more rounds).

Page 6: An Example: Discrete Logarithms

Peggy the prover would like to show Vic the verifier that an element is a member of the subgroup of Z_n^* generated by a given element of known order; that is, that the generator raised to some power k, 0 ≤ k ≤ order − 1, equals the element in question. The exponent k is Peggy's secret.

Peggy chooses a random j, 0 ≤ j ≤ order − 1, and sends Vic the generator raised to the j-th power.

Vic chooses a random i = 0 or 1, and sends it to Peggy.

Peggy computes j + ik mod the order, and sends it to Vic.

Vic raises the generator to the power j + ik that he received and checks that the result equals (generator^j) · (generator^k)^i, i.e. Peggy's first message times the element raised to the i-th power.

They then repeat the above steps log_2 n times. If Vic's computation checks out in each round, he accepts the proof. A prover who does not know k can prepare a first message that answers one of the two possible challenges but not both, so each round catches a cheater with probability 1/2, and after log_2 n rounds the chance of cheating throughout is about 1/n.
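The exchange on this slide, as an added example that is not part of the original deck: Python for both Peggy's and Vic's sides, run in a prime-order subgroup of Z_p^* (the slide's Z_n^*). The names are my own, not the deck's: G is the generator, Q its order, K Peggy's secret exponent, H = G^K the element whose membership is proved, and P the modulus; the parameter values are small constructed ones, not secure sizes. Beyond the honest run it shows the two facts the surrounding slides state: a prover without K passes a round only by guessing Vic's challenge (soundness), and a transcript that verifies can be simulated without K, which is why a third party reading a transcript (page 2) learns nothing.

```python
# Added example (not from the slides): the subgroup-membership / discrete-log
# protocol in a prime-order subgroup of Z_P^*.  Names are mine: G generator,
# Q its order, K secret exponent, H = G^K.  P, Q, G are small constructed
# values for illustration, not secure parameters.
import secrets

P = 2039            # safe prime: P = 2*Q + 1
Q = 1019            # prime order of the subgroup generated by G
G = 4               # 4 = 2^2 is a quadratic residue mod P, so its order is Q


def commit(j):
    """Peggy's first message: generator^j."""
    return pow(G, j, P)


def respond(j, i, k):
    """Peggy's answer to challenge i: j + i*k mod Q (this step needs the secret k)."""
    return (j + i * k) % Q


def verify(h, a, i, z):
    """Vic's check: generator^(j+ik) == generator^j * h^i, using Peggy's first message a."""
    return pow(G, z, P) == (a * pow(h, i, P)) % P


def run_round(h, k, rng=secrets):
    """One honest round; True iff Vic's check passes."""
    j = rng.randbelow(Q)
    a = commit(j)
    i = rng.randbelow(2)           # Vic's 1-bit challenge
    z = respond(j, i, k)
    return verify(h, a, i, z)


def prove(h, k, rounds):
    """Repeat the round; each extra round halves a cheater's success probability."""
    return all(run_round(h, k) for _ in range(rounds))


def cheat_round(h, guess, i):
    """Prover without k: guess the challenge, pick z first, and back-solve
    a = G^z * h^(-guess) so that the check passes exactly when guess == i."""
    z = secrets.randbelow(Q)
    a = (pow(G, z, P) * pow(pow(h, guess, P), -1, P)) % P
    return verify(h, a, i, z)


def extract(z0, z1):
    """Special soundness: valid answers to both challenges for the same a give
    k = z1 - z0 mod Q, so a prover who can answer both really knows k."""
    return (z1 - z0) % Q


def simulate(h, i, z):
    """A transcript (a, i, z) that verifies but was produced without k: pick
    i and z first, then a = G^z * h^(-i).  This is why a third party reading
    a transcript cannot tell whether anyone knew the secret."""
    a = (pow(G, z, P) * pow(pow(h, i, P), -1, P)) % P
    return a, i, z


if __name__ == "__main__":
    k = secrets.randbelow(Q)               # Peggy's secret exponent
    h = pow(G, k, P)                       # public element; Peggy proves h is in <G>
    print("honest proof accepted:", prove(h, k, rounds=P.bit_length()))
    a, i, z = simulate(h, 1, 777)
    print("simulated transcript verifies:", verify(h, a, i, z))
```

The 1-bit challenge is what keeps the protocol zero-knowledge against any verifier: a simulator can guess i in advance and succeed half the time, so it can produce the verifier's view without k. Widening the challenge to many bits cuts the number of rounds but, without further changes, only gives honest-verifier zero-knowledge.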

Page 7: Complexity Theory

The last proof works because computing discrete logarithms is believed to be computationally hard: no polynomial-time algorithm is known. (It is not known to be NP-complete; the decision version lies in NP ∩ coNP, which makes NP-completeness unlikely.)

It has been shown that every problem in NP has a zero-knowledge proof associated with it, assuming one-way functions exist.

Page 8: Bit Commitments

“Flipping a coin down a well”; “Flipping a coin by telephone”.

A value of 0 or 1 is committed to by the prover by hiding it under a one-way function, creating a “blob”. When it becomes necessary, the prover opens the blob by revealing the key (the bit and the randomness used to make the blob), and the verifier checks that they reproduce the blob.

Page 9: Bit Commitment Properties

Concealing – The verifier cannot determine the value of the bit from the blob.

Binding – The prover cannot open the blob as both a zero and a one.

Page 10: Bit Commitments: An Example

Let n = pq, where p and q are prime. Let m be a quadratic nonresidue modulo n. The values m and n are public, and the values p and q are known only to Peggy.

Peggy commits to the bit b by choosing a random x (coprime to n) and sending Vic the blob m^b x^2 mod n.

When the time comes for Vic to check the value of the bit, Peggy simply reveals the values b and x, and Vic recomputes m^b x^2 mod n and compares it with the blob.

Since no polynomial-time algorithm is known for the quadratic residuosity problem modulo a composite n whose factors are unknown, the scheme is computationally concealing. Two caveats matter in practice: m must have Jacobi symbol +1 modulo n (a “pseudo-square”, e.g. m = −1 when p ≡ q ≡ 3 mod 4), because the Jacobi symbol of a blob is computable without the factors and would otherwise reveal b; and Vic needs some assurance that m really is a nonresidue, because binding depends on it.

On the other hand, it is perfectly binding: if the same blob could be opened as both a zero and a one, then m x_1^2 ≡ x_0^2 (mod n), so m would be a quadratic residue, a contradiction.
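The commitment on this slide and the open-and-check step from page 8, as an added example that is not part of the original deck: Python for commit, open and, importantly, the checks on the public parameters. The primes p, q, the modulus n and the value m are small constructed values, and the function names are mine. It also shows both ways a bad m breaks the scheme: a residue m lets Peggy open one blob as either bit, and an m with Jacobi symbol −1 lets Vic read the bit straight off the blob's Jacobi symbol without factoring n.

```python
# Added example (not from the slides): the quadratic-residue bit commitment
# m^b * x^2 mod n, plus the parameter checks a verifier should insist on.
# P, Q, N, M are small constructed values for illustration, not secure sizes.
import secrets
from math import gcd

P, Q = 11, 19            # Blum primes (both 3 mod 4): -1 is a nonresidue mod each
N = P * Q                # 209; Peggy knows P and Q, Vic knows only N and M
M = N - 1                # -1 mod N: a nonresidue with Jacobi symbol +1 ("pseudo-square")


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; computable without factoring n."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def is_residue(a, p, q):
    """Euler's criterion in both prime fields: only Peggy, who has p and q, can do this."""
    return pow(a, (p - 1) // 2, p) == 1 and pow(a, (q - 1) // 2, q) == 1


def commit(b, x, m=M, n=N):
    """Blob for bit b with randomness x: m^b * x^2 mod n."""
    return (pow(m, b, n) * x * x) % n


def open_blob(blob, b, x, m=M, n=N):
    """Vic's check when Peggy reveals (b, x)."""
    return b in (0, 1) and 0 < x < n and gcd(x, n) == 1 and commit(b, x, m, n) == blob


def setup_ok(m, n, p, q):
    """Binding needs m to be a nonresidue; concealing needs Jacobi(m/n) = +1,
    since Jacobi(blob/n) = Jacobi(m/n)^b is public and would otherwise leak b."""
    return not is_residue(m, p, q) and jacobi(m, n) == 1


def leaked_bit(blob, m, n):
    """What Vic learns from the Jacobi symbol alone (None if nothing)."""
    if jacobi(m, n) == 1:
        return None              # symbol is +1 whether b is 0 or 1
    return 0 if jacobi(blob, n) == 1 else 1


if __name__ == "__main__":
    print("parameters acceptable:", setup_ok(M, N, P, Q))
    x = secrets.randbelow(N - 1) + 1
    while gcd(x, N) != 1:
        x = secrets.randbelow(N - 1) + 1
    blob = commit(1, x)
    print("opens as 1:", open_blob(blob, 1, x), " opens as 0:", open_blob(blob, 0, x))
    print("Jacobi symbol leaks nothing:", leaked_bit(blob, M, N) is None)
    # A residue m (here 4 = 2^2) destroys binding: one blob, two valid openings.
    print("bad m=4, same blob as bit 1 and bit 0:", commit(1, 5, m=4) == commit(0, 10, m=4))
```

Vic cannot run setup_ok himself, since it needs p and q; in a real deployment the nonresiduosity of m either follows from how n and m are generated (as with m = −1 and a Blum modulus) or is itself proved to Vic in zero knowledge.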

Page 11: Bit Commitments and Zero-Knowledge

Bit commitments are used in zero-knowledge proofs to encode the secret information.

For example, zero-knowledge proofs based on graph colorings exist. In this case, bit commitment schemes are used to encode the colors.

Complex zero-knowledge proofs with large numbers of intermediate steps that must be verified also use bit commitment schemes.

Page 12: Computational Assumptions

In a zero-knowledge proof, soundness must hold even against a prover with unlimited computational power.

It is more practical in some cases to assume that the prover's computational abilities are bounded, so that soundness only has to hold against a polynomial-time prover. In this case, we have a zero-knowledge argument.

Page 13: Proof vs. Argument

Zero-Knowledge Proof: unconditional completeness; unconditional soundness; computational zero-knowledge; unconditionally binding blobs; computationally concealing blobs.

Zero-Knowledge Argument: unconditional completeness; computational soundness; perfect zero-knowledge; computationally binding blobs; unconditionally concealing blobs.

Page 14: Applications

Zero-knowledge proofs can be applied wherever possession of a secret too sensitive to reveal must be verified:

Key authentication

PINs

Smart cards

Page 15: Limitations

A zero-knowledge proof is only as good as the secret it is trying to conceal.

Zero-knowledge proofs of identity in particular are problematic:

The Grandmaster Problem

The Mafia Problem

etc.

Both are relay attacks: a man in the middle forwards the verifier's challenges to the real prover and the prover's answers back, so a proof that verifies says nothing about who is actually present at the terminal. The protocol proves knowledge of the secret, not the location or the channel of the party who knows it.

Page 16: Research

I am currently working with Dr. Curtis Barefoot in the NMT Mathematics Dept. on methods of applying zero-knowledge proofs to mathematical induction: Can a prover prove a theorem via induction without revealing any of the steps beyond the base case?

Possible application of methods developed by Camenisch and Michels (or maybe not?)

Page 17: References

Blum, M., “How to Prove a Theorem So No One Else Can Claim It”, Proceedings of the International Congress of Mathematicians, Berkeley, California, 1986, pp. 1444-1451.

Camenisch, J., M. Michels, “Proving in Zero-Knowledge that a Number is the Product of Two Safe Primes”, Eurocrypt ’99, J. Stern, ed., Lecture Notes in Computer Science 1592, pp. 107-122, Springer-Verlag, 1999.

Cramer, R., I. Damgård, B. Schoenmakers, “Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols”, Advances in Cryptology – CRYPTO ’94, Lecture Notes in Computer Science 839, pp. 174-187, Springer-Verlag, 1994.

De Santis, A., G. di Crescenzo, G. Persiano, M. Yung, “On Monotone Formula Closure of SZK”, Proceedings of the 35th Symposium on the Foundations of Computer Science, pp. 454-465, IEEE, 1994.

Feigenbaum, J., “Overview of Interactive Proof Systems and Zero-Knowledge”, Contemporary Cryptology, G.J. Simmons, ed., pp. 423-440, IEEE Press, 1992.

Quisquater, J.J., L. Guillou, T. Berson, “How to Explain Zero-Knowledge Protocols to Your Children”, Advances in Cryptology – CRYPTO ’89, Lecture Notes in Computer Science 435, pp. 628-631, Springer-Verlag, 1990.

Schneier, B., Applied Cryptography (2nd edition), Wiley, 1996.

Stinson, D.R., Cryptography: Theory and Practice, CRC, 1995.