
Zero Knowledge Proofs

Matthew Pouliotte

Anthony Pringle

Cryptography

November 22, 2005

“A proof is whatever convinces me.” ~ Shimon Even


Presentation Overview

- What is a Zero Knowledge Proof?
- Introduction to Interactive Proofs
- Definition of Zero Knowledge Proofs
- Properties of Zero Knowledge Proofs
- Applications of Zero Knowledge Proofs
  - Feige-Fiat-Shamir Proof of Identity
  - Schnorr’s Identification Protocol
- Conclusion


What is a Zero Knowledge Proof?

Classic Example: Ali Baba’s Cave

- Alice wants to prove to Bob that she knows how to open the secret door between R and S
- Bob goes to P
- Alice goes to R or S
- Bob goes to Q and tells Alice to come from one side or the other of the cave
- If Alice knows the secret, she can appear from the correct side of the cave every time
- Bob repeats this as many times as needed until he believes Alice knows how to open the secret door

Image from RSA Labs [1]: http://www.rsasecurity.com/rsalabs/node.asp?id=2178


Introduction to Interactive Proofs

- Prover (P) tries to prove some fact to a verifier
- Verifier (V) either accepts or rejects the prover’s proof
- To prove is to convince the verifier of some assertion
  - Prove that you know a secret value s
- Each party in the protocol does the following:
  1. receive a message from the other party
  2. perform a private computation
  3. send a message to the other party
- Repeats for t rounds


Interactive Proof Protocol

- Prover and verifier share common inputs (functions or values)
- The protocol yields Accept if every Response is accepted by the Verifier
- Otherwise, the protocol yields Reject

[Diagram: Prover (P) and Verifier (V), each with the Common Inputs, exchanging the messages Random Value, Challenge and Response; repeats t number of rounds]


Properties of Interactive Proofs

- Completeness
  - The verifier accepts the proof if the assertion is true
  - Assumption: the parties follow the protocol
- Soundness
  - If the fact is false, the verifier rejects the proof
  - Assumption: the parties follow the protocol


Interactive Proofs – Soundness and Completeness

Completeness:

Prob[(P,V)(x) = Accept | x ∈ L] ≥ ε

Soundness:

Prob[(¬P,V)(x) = Accept | x ∉ L] ≤ δ

Where:

- ε ∈ (½, 1], δ ∈ [0, ½)
- L is a language over {0,1}*
- (P,V) is an Interactive Proof Protocol involving P and V


Zero Knowledge Proofs

Instances of interactive proofs with the following properties:

- Completeness – true theorems are provable
- Soundness – false theorems are not provable
- No information about the prover’s private input is revealed to the verifier – implication of the zero-knowledge property


Zero Knowledge Property

A transcript is the collection of messages resulting from the protocol execution:

Random_1, Challenge_1, Response_1, Random_2, Challenge_2, Response_2, …, Random_m, Challenge_m, Response_m

A simulator is a polynomial-time algorithm that generates false transcripts (without the prover) which are identical to genuine ones:

Random_1, Challenge_1, Response_1, Random_2, Challenge_2, Response_2, …, Random_m, Challenge_m, Response_m

An interactive proof has the zero knowledge property if a simulator exists for the proof


Identification Schemes

- Provide a way to demonstrate who you are
- Show you know a secret value without revealing it
  - Feige-Fiat-Shamir Proof of Identity
  - Schnorr’s Identification Protocol
- The zero knowledge premise is used in all PKIs
  - You do not reveal your private key
  - Most PKIs are single round though


Feige-Fiat-Shamir Proof of Identity

- A trusted certifier publishes a modulus n which is the product of two large primes
  - Both primes are of the form 4r+3 (so n is a Blum integer)
  - This is the only purpose of the trusted certifier

Where Ā is the prover and B is the verifier


Feige-Fiat-Shamir Proof of Identity

For Ā to prove its identity to B, the following protocol is executed
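The slide's protocol figure is not reproduced in this transcript. As an added example (not from the presentation), the rounds of Feige-Fiat-Shamir in its standard textbook form, simplified by leaving out the sign bits; the toy modulus, the value of K and all function names are assumptions, and the code needs Python 3.8 or later for modular inverses via pow.

```python
import secrets
from math import gcd

# Toy modulus, constructed for illustration: both primes are 3 mod 4.
# A real n is far larger and only the trusted certifier knows its factors.
N = 1019 * 1031
K = 4  # secrets per identity = challenge bits per round (assumed value)

def keygen(k=K):
    """Secrets s_1..s_k coprime to n; public v_i = (s_i^2)^-1 mod n."""
    s = []
    while len(s) < k:
        c = secrets.randbelow(N - 2) + 2
        if gcd(c, N) == 1:
            s.append(c)
    return s, [pow(c * c, -1, N) for c in s]

def commit():
    """Prover picks a random r and sends x = r^2 mod n."""
    r = secrets.randbelow(N - 2) + 2
    return r, pow(r, 2, N)

def respond(r, s, e):
    """Prover answers challenge bits e with y = r * prod(s_i^e_i) mod n."""
    y = r
    for s_i, e_i in zip(s, e):
        if e_i:
            y = y * s_i % N
    return y

def verify(v, x, e, y):
    """Verifier accepts if x != 0 and x == y^2 * prod(v_i^e_i) mod n."""
    z = y * y % N
    for v_i, e_i in zip(v, e):
        if e_i:
            z = z * v_i % N
    return x != 0 and z == x

def identify(s, v, rounds):
    """Run the rounds; accept only if every response verifies."""
    for _ in range(rounds):
        r, x = commit()
        e = [secrets.randbits(1) for _ in v]
        if not verify(v, x, e, respond(r, s, e)):
            return False
    return True
```

A prover holding wrong secrets still passes any round whose challenge bits happen to skip them, which is why k challenge bits and t rounds are used: the chance of passing every round by luck is 2^(-kt).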


Schnorr’s Identification Protocol

- Two primes p and q such that q | p-1
  - Usually |p| = 1024 and |q| = 160
- A g such that ord_p(g) = q
- A y such that y = g^{-a} (mod p)
  - Alice chooses a such that a < q
- Alice’s public key (p, q, g, y), which is certified by a CA


Schnorr’s Identification Protocol

Bob knows Alice knows some a ∈ Z_q such that y ≡ g^{-a} (mod p)

To prove this to Bob, the following steps are repeated log_2 log_2 p times:

1. Alice picks k ∈_U Z_q and computes g^k (mod p), which she sends to Bob

2. Bob picks x ∈_U {0,1}^{log_2 log_2 p} and sends it to Alice

3. Alice computes y = k + ax (mod q)

4. Bob checks g^k ≡ g^y · y^x (mod p), where the exponent y is Alice’s response from step 3 and the base y is her public-key value
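Added example (not part of the original slides): one round of Schnorr's identification protocol as listed above, a simulator of the kind the Zero Knowledge Property slide describes, and a prover who does not know a. The toy parameters and all function names are assumptions; the response is called resp to keep it apart from the public-key value y, and the simulator relies on the challenge being chosen independently of the commitment.

```python
import secrets

# Toy parameters, constructed for illustration (real sizes: |p| = 1024, |q| = 160).
P, Q = 2267, 103                 # primes with Q | P - 1
G = pow(2, (P - 1) // Q, P)      # element of order Q modulo P
T = 3                            # challenge bits, about log2(log2(P))

def keygen():
    """Alice's key pair: secret a < q, public y = g^(-a) mod p (Python 3.8+)."""
    a = secrets.randbelow(Q - 1) + 1
    return a, pow(G, -a, P)

def verify(y, commit, x, resp):
    """Bob's check: commit == g^resp * y^x (mod p)."""
    return commit == (pow(G, resp, P) * pow(y, x, P)) % P

def honest_round(a, y):
    """One round with a prover who knows a. Returns the transcript."""
    k = secrets.randbelow(Q)      # step 1: Alice's random k
    commit = pow(G, k, P)         #         and her commitment g^k
    x = secrets.randbits(T)       # step 2: Bob's challenge
    resp = (k + a * x) % Q        # step 3: Alice's response
    return commit, x, resp

def simulated_round(y):
    """Simulator: never touches a. It picks the challenge and response
    first, then solves the verification equation for the commitment."""
    x = secrets.randbits(T)
    resp = secrets.randbelow(Q)
    commit = (pow(G, resp, P) * pow(y, x, P)) % P
    return commit, x, resp

def cheating_round(y, guess):
    """Prover without a must commit before seeing the challenge, so she
    prepares for one guessed challenge; Bob then picks his own.
    Returns (accepted, challenge_matched_guess)."""
    resp = secrets.randbelow(Q)
    commit = (pow(G, resp, P) * pow(y, guess, P)) % P
    x = secrets.randbits(T)
    return verify(y, commit, x, resp), x == guess
```

Simulated transcripts verify exactly like honest ones, so a transcript by itself convinces no third party; the cheating prover is accepted only when Bob's challenge equals her guess, a chance of 2^(-T) per round.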


Conclusions

- Special case of interactive proofs
- Zero knowledge proofs offer a way to prove knowledge to someone without transferring any additional knowledge to that person
- Can be used to prove identity
  - Basic premise used in all PKIs


References

O. Goldreich. Foundations of Cryptography: Basic Tools. USA: Cambridge Press, 2001.

D. R. Stinson. Cryptography: Theory and Practice (1st edition). Boca Raton: CRC Press, 1995.

W. Mao. Modern Cryptography: Theory and Practice. New Jersey: Prentice Hall, 2003.

A. Menezes, P. van Oorschot, and S. Vanstone. Handbook of Applied Cryptography. Boca Raton: CRC Press, 1996.

L. Guillou, and J.J. Quisquater. “How to Explain Zero-Knowledge Protocols to Your Children”. Advances in Cryptology, CRYPTO 1989.

G. Simari. “A Primer on Zero Knowledge Protocols”. http://cs.uns.edu.ar/~gis/publications/zkp-simari2002.pdf

M. Tompa. “Zero knowledge interactive proofs of knowledge (a digest)”. Proceedings of the 2nd conference on Theoretical aspects of reasoning about knowledge, 1988.

U. Feige, A. Fiat, and A. Shamir. “Zero-knowledge proofs of identity”. ACM Special Interest Group on Algorithms and Computation Theory (SIGACT), 1987.

RSA Laboratories, “What are interactive proofs and zero-knowledge proofs?” http://www.rsasecurity.com/rsalabs/node.asp?id=2178


- Questions???

“Knowledge must come through action; you can have no test which is not fanciful, save by trial.”

~ Sophocles