Zero Knowledge Proofs
Matthew Pouliotte
Anthony Pringle
Cryptography
November 22, 2005
“A proof is whatever convinces me.” ~ Shimon Even
Presentation Overview
What is a Zero Knowledge Proof?
Introduction to Interactive Proofs
Definition of Zero Knowledge Proofs
Properties of Zero Knowledge Proofs
Applications of Zero Knowledge Proofs
  Feige-Fiat-Shamir Proof of Identity
  Schnorr’s Identification Protocol
Conclusion
What is a Zero Knowledge Proof?
Classic Example: Ali Baba’s Cave
Alice wants to prove to Bob that she knows how to open the secret door between R and S.
  Bob goes to P
  Alice goes to R or S
  Bob goes to Q and tells Alice to come from one side or the other of the cave
  If Alice knows the secret, she can appear from the correct side of the cave every time
Bob repeats this as many times as needed until he believes Alice knows how to open the secret door
Image from RSA Labs [1]
http://www.rsasecurity.com/rsalabs/node.asp?id=2178
Introduction to Interactive Proofs
Prover (P) tries to prove some fact to a verifier
Verifier (V) either accepts or rejects the prover’s proof
To prove is to convince the verifier of some assertion
  Prove that you know a secret value s
Each party in the protocol does the following:
  1. receive a message from the other party
  2. perform a private computation
  3. send a message to the other party
Repeats t number of rounds
Interactive Proof Protocol
Prover and verifier share common inputs (functions or values)
The protocol yields Accept if every Response is accepted by the Verifier
Otherwise, the protocol yields Reject
[Diagram: Prover (P) and Verifier (V) share Common Inputs and exchange Random Value, Challenge and Response messages; repeats t number of rounds]
Properties of Interactive Proofs
Completeness
  The verifier accepts the proof if the assertion is true
  Assumption: the parties follow the protocol
Soundness
  If the fact is false, the verifier rejects the proof
  Assumption: the parties follow the protocol
Interactive Proofs – Soundness and Completeness
Completeness:
  Prob[(P,V)(x) = Accept | x ∈ L] ≥ ε
Soundness:
  Prob[(¬P,V)(x) = Accept | x ∉ L] ≤ δ
Where:
  ε ∈ (½,1]
  δ ∈ [0,½)
  L is a language over {0,1}*
  (P,V) is an Interactive Proof Protocol involving P and V
Zero Knowledge Proofs
Instances of interactive proofs with the following properties:
  Completeness – true theorems are provable
  Soundness – false theorems are not provable
  No information about the prover’s private input is revealed to the verifier – implication of the zero-knowledge property
Zero Knowledge Property
A transcript is the collection of messages resulting from the protocol execution
  Random_1, Challenge_1, Response_1, Random_2, Challenge_2, Response_2, … , Random_m, Challenge_m, Response_m
A simulator is a polynomial-time algorithm that generates false transcripts (without the prover) that are identical to the genuine ones.
  Random_1, Challenge_1, Response_1, Random_2, Challenge_2, Response_2, … , Random_m, Challenge_m, Response_m
An interactive proof has the zero knowledge property if a simulator exists for the proof
Identification Schemes
Provide a way to demonstrate who you are
  Show you know a secret value without revealing it
  Feige-Fiat-Shamir Proof of Identity
  Schnorr’s Identification Protocol
The zero knowledge premise is used in all PKIs
  You do not reveal your private key
  Most PKIs are single round though
Feige-Fiat-Shamir Proof of Identity
A trusted certifier publishes a modulus n which is the product of two large primes
  Primes of the form 4r+3 (Blum integers)
  Only purpose of trusted certifier
Where Ā is the prover and B is the verifier
Feige-Fiat-Shamir Proof of Identity
For Ā to prove its identity to B, the following protocol is executed
Schnorr’s Identification Protocol
Two primes p and q such that q | p-1
  Usually |p| = 1024 and |q| = 160
A g such that ord_p(g) = q
A y such that y = g^(-a) (mod p)
  Alice chooses a such that a < q
Alice’s public key (p, q, g, y), which is certified by a CA
Schnorr’s Identification Protocol
Bob knows Alice knows some a ∈ Z_q such that y ≡ g^(-a) (mod p)
To prove this to Bob, the following steps are repeated log_2 log_2 p times
1. Alice picks k ∈_U Z_q and computes g^k (mod p), which she sends to Bob
2. Bob picks x ∈_U {0,1}^(log_2 log_2 p) and sends it to Alice
3. Alice computes r = k + ax (mod q)
4. Bob checks g^k ≡ g^r y^x (mod p)
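Added example (not from the original slides): a Python sketch of the Schnorr rounds above with constructed toy parameters, plus a simulator that builds accepting transcripts from the public key alone, which is the zero knowledge property defined earlier. The response is named r here to keep it apart from the public key y; the function names and the values p = 2267, q = 103 are assumptions for illustration.

```python
import secrets

# Constructed toy parameters (far too small for real use): q divides p - 1.
P, Q = 2267, 103
G = pow(2, (P - 1) // Q, P)            # element of order q in Z_p^*
T = P.bit_length().bit_length() - 1    # ~ log_2 log_2 p: rounds and challenge bits

def keygen():
    a = secrets.randbelow(Q - 1) + 1   # private key, 0 < a < q
    return a, pow(G, Q - a, P)         # public y = g^(-a) mod p (g has order q)

def commit():
    k = secrets.randbelow(Q)
    return k, pow(G, k, P)             # Alice keeps k, sends g^k

def respond(a, k, x):
    return (k + a * x) % Q             # r = k + a*x (mod q)

def check(y, c, x, r):
    return c == pow(G, r, P) * pow(y, x, P) % P   # g^k == g^r * y^x (mod p)

def run_protocol(a, y):
    """Honest run of T rounds; returns (accepted, transcript)."""
    transcript = []
    for _ in range(T):
        k, c = commit()
        x = secrets.randbits(T)        # Bob's random challenge
        r = respond(a, k, x)
        if not check(y, c, x, r):
            return False, transcript
        transcript.append((c, x, r))
    return True, transcript

def simulate(y):
    """Simulator: knows only y; picks x and r first, then solves for the commit."""
    transcript = []
    for _ in range(T):
        x, r = secrets.randbits(T), secrets.randbelow(Q)
        transcript.append((pow(G, r, P) * pow(y, x, P) % P, x, r))
    return transcript

def cheat_round(y, guess, x):
    """Prover without a: prepares for one guessed challenge, then receives x."""
    r = secrets.randbelow(Q)
    c = pow(G, r, P) * pow(y, guess, P) % P
    return check(y, c, x, r)           # passes only when guess == x
```

cheat_round shows the soundness side: without a, a round is passed only when the challenge was guessed before committing.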
Conclusions
Special case of interactive proofs
Zero knowledge proofs offer a way to prove knowledge to someone without transferring any additional knowledge to that person
Can be used to prove identity
Basic premise used in all PKIs
References
O. Goldreich. Foundations of Cryptography: Basic Tools. USA: Cambridge Press, 2001.
D. R. Stinson. Cryptography: Theory and Practice (1st edition). Boca Raton: CRC Press, 1995.
W. Mao. Modern Cryptography: Theory and Practice. New Jersey: Prentice Hall, 2003.
A. Menezes, P. van Oorschot, and S. Vanstone. Handbook of Applied Cryptography. Boca Raton: CRC Press, 1996.
L. Guillou, and J.J. Quisquater. “How to Explain Zero-Knowledge Protocols to Your Children”. Advances in Cryptology, CRYPTO 1989.
G. Simari. “A Primer on Zero Knowledge Protocols”. http://cs.uns.edu.ar/~gis/publications/zkp-simari2002.pdf
M. Tompa. “Zero knowledge interactive proofs of knowledge (a digest)”. Proceedings of the 2nd conference on Theoretical aspects of reasoning about knowledge, 1988.
U. Feige, A. Fiat, and A. Shamir. “Zero-knowledge proofs of identity”. ACM Special Interest Group on Algorithms and Computation Theory (SIGACT), 1987.
RSA Laboratories, “What are interactive proofs and zero-knowledge proofs?” http://www.rsasecurity.com/rsalabs/node.asp?id=2178
Questions???
“Knowledge must come through action; you can have no test which is not fanciful, save by trial.” ~ Sophocles