Zero Knowledge Proofs of Identity. Uriel Feige, Amos Fiat, Adi Shamir, The Weizmann Institute of Science, Israel. A. S. M. Hasan Mahmud
How Do We Prove Our Knowledge Alice: “I know the secret word to open a magic door in a cave. I will sell it to you”. Bob: “No, you don’t.” Alice: “Yes, I do.” Bob: “Do not!” Alice: “Do too!” Bob: “Prove it!” Alice: “All right. I’ll tell you.” She whispers in Bob’s ear. Bob: “That’s interesting. Now I know it, too. I will not pay you. I’m going to tell The Washington Post.”
Zero Knowledge Proofs - ZKP • Alice knows a secret • Bob will pay for the secret but not until he is sure that she really knows it. • Alice wants to prove her knowledge to Bob but she doesn’t want to reveal the secret
Interactive Zero Knowledge Proof • Informally, an interactive proof is a protocol between two parties • The Prover tries to prove a certain fact to the other party, called the Verifier • An interactive zero knowledge proof has 3 steps
Zero Knowledge Proofs - Commitment • Alice and Bob label the left and right paths from the entrance as A and B • Bob waits outside • Alice randomly takes either path A or B
Zero Knowledge Proofs - Challenge • Victor enters the cave and shouts the name of the path he wants her to use to return, either A or B, chosen at random.
Zero Knowledge Proofs - Response • If Alice is on side A she simply returns • If she was on side B, she opens the cave door with her magic word and comes through A
ZKP - Cheating • What if Alice does not know the secret word? • Bob chooses path A or B at random • 50% chance of cheating • To decrease the probability of cheating, Alice and Bob repeat these 3 steps t times • Probability of cheating is
Properties of a ZKP • A ZKP must satisfy 3 properties • completeness property • Given an honest prover and an honest verifier, the protocol succeeds with overwhelming probability • The verifier accepts the prover’s claim. • soundness property • A dishonest prover cannot convince an honest verifier except with some small probability
Properties of a ZKP (cont’d) • zero-knowledge property • The prover does not release any information about the secret knowledge. • Participation in the protocol does not increase the chances of subsequent impersonation
Quadratic Residues • y is called a quadratic residue (QR) modulo n • If there exists an integer x such that x^2 = y mod n • x is called the square root mod n of y • Example: • mod 15: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14 (residues in bold) • 7^2 = 2^2 = 4 mod 15 • 9^2 = 6 mod 15
Quadratic Residuosity Problem • Given y, is there any x such that x^2 = y mod n? • This problem is HARD for large n (1024 bit … ) • Equivalent to finding the prime factorization of n • if n = pq, where p and q are primes, then it's easy to determine
ZKP – Prime Factorization • Alice claims that she knows the prime factorization of a large number n • How can she prove it to Bob? • Step 1: Alice generates random numbers Y1 … Yk • Step 2: Alice computes Xi such that Xi^2 = Yi mod n • Step 3: Alice sends Y1 … Yk and X1 … Xk to Bob • Step 4: Bob checks whether Xi^2 = Yi mod n • Should Bob be convinced? No, Alice can cheat: she can generate Xi first and then compute Yi
ZKP – Prime Factorization (Cont’d) • Step 1: Bob generates random numbers Y1 … Yk • Step 2: Bob sends Y1 … Yk to Alice • Step 3: Alice computes Xi such that Xi^2 = Yi mod n • Step 4: Alice sends X1 … Xk to Bob • Step 5: Bob checks whether Xi^2 = Yi mod n • Should Bob be convinced? Yes, but Bob can cheat
ZKP – Prime Factorization (Cont’d) • Step 1: Bob generates random numbers R1 … Rk and computes Y1 … Yk such that Ri^2 = Yi mod n • Step 2: Bob sends Y1 … Yk to Alice • Step 3: Alice computes Xi such that Xi^2 = Yi mod n • Step 4: Alice sends X1 … Xk to Bob • Step 5: Depending on whether Ri == Xi, Bob can find out the prime factorization of n (with a very high probability), i.e. prime numbers p and q such that n = pq
ZKP – Prime Factorization (Cont’d) • Step 1: Bob generates random numbers R1 … Rk and computes Y1 … Yk such that Ri^2 = Yi mod n • Step 2: Bob sends Y1 … Yk to Alice • Step 3: Alice computes Xi such that Xi^2 = Yi mod n • Step 4: Alice sends h(X1) … h(Xk) to Bob, where h is a one-way function (hash) • Step 5: Bob checks whether h(Ri) == h(Xi)
ZKP – Quadratic Residue • Alice claims to know S, a square root mod n of Y • S^2 = Y mod n • She wants to prove her knowledge to Bob using ZKP • She does not want to reveal S • Both Y and n are known to Bob and Alice
ZKP – Quadratic Residue (Cont’d) • Step 1: Alice chooses a random number R1 such that R1 * R2 = S and gcd(R1, n) = gcd(R2, n) = 1 • Step 2: Alice computes X1 = R1^2 mod n and X2 = R2^2 mod n • Step 3: Alice sends X1 and X2 to Bob • Step 4: Bob checks whether X1 * X2 == Y • Step 5: Bob randomly picks either X1 or X2 and asks Alice to supply a square root of it. Let’s say Bob picked X1 • Step 6: Bob asks: square root mod n of X1? • Step 7: Alice sends R1 • Step 8: Bob checks whether X1 = R1^2 mod n • Note: S^2 = Y = (R1 * R2)^2 = X1 * X2 mod n • Bob cannot ask for the square root mod n of both X1 and X2. Why? • Alice can cheat
ZKP – Quadratic Residue (Cont’d) • Alice does not know S • Step 1: Alice chooses a random number R1 and computes X1 = R1^2 mod n • Step 2: Alice finds another value X2 such that X1 * X2 == Y • Note: Finding R2 such that X2 = R2^2 mod n is hard • Step 3: Alice sends X1 and X2 to Bob • Step 4: Bob checks whether X1 * X2 == Y • Step 5: Bob randomly picks either X1 or X2 and asks Alice to supply a square root of it. Let’s say Bob picked X1 • Step 6: Bob asks: square root mod n of X1? • Step 7: Alice sends R1 • Step 8: Bob checks whether X1 = R1^2 mod n • But if Bob picked X2, Alice will not be able to deliver R2, 50% chance
ZKP – Quadratic Residue (Cont’d) • Alice and Bob repeat this protocol t times • Probability that Alice is cheating is • This protocol is the basic building block of Feige-Fiat-Shamir’s Zero Knowledge Proof of Identification scheme
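A simulation of the square-root protocol from the slides above, added here as an illustration and not part of the original presentation: it runs the honest Alice and the cheating Alice against Bob's two checks and measures how often each is accepted over t rounds. The modulus n = 3233, the secret S = 1234 and all function names are constructed for the example.

```python
import math
import random

N = 3233                      # constructed toy modulus (61 * 53), far too small for real use
S = 1234                      # constructed secret square root held by the honest Alice
Y = S * S % N                 # public value: S^2 = Y mod n

def random_unit(rng):
    """Random R with gcd(R, n) = 1."""
    while True:
        r = rng.randrange(2, N)
        if math.gcd(r, N) == 1:
            return r

def honest_commit(rng):
    """Alice knows S: split it as R1 * R2 = S and commit to both squares."""
    r1 = random_unit(rng)
    r2 = S * pow(r1, -1, N) % N
    return (r1 * r1 % N, r2 * r2 % N), (r1, r2)

def cheating_commit(rng):
    """Alice lacks S: X1 is a real square, X2 is forced so that X1 * X2 = Y."""
    r1 = random_unit(rng)
    x1 = r1 * r1 % N
    x2 = Y * pow(x1, -1, N) % N
    return (x1, x2), (r1, None)          # she has no square root of X2 to offer

def bob_accepts(xs, pick, root):
    """Bob's two checks: X1 * X2 == Y, then root^2 == the X he picked."""
    if xs[0] * xs[1] % N != Y:
        return False
    return root is not None and root * root % N == xs[pick]

def run_protocol(commit, t, rng):
    """Repeat commitment, challenge and response t times; one failure rejects."""
    for _ in range(t):
        xs, roots = commit(rng)
        pick = rng.randrange(2)          # Bob's random challenge: X1 or X2
        if not bob_accepts(xs, pick, roots[pick]):
            return False
    return True

def acceptance_rate(commit, t, trials=2000, seed=1):
    """Fraction of complete t-round runs in which Bob accepts."""
    rng = random.Random(seed)
    return sum(run_protocol(commit, t, rng) for _ in range(trials)) / trials
```

The honest prover is accepted in every run, while the cheating prover's acceptance rate halves with each added round.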
A Real Case Study • Someone set up a fake automatic teller machine at a shopping mall. • When a person inserted a bank card, the machine recorded the information • Responded with the message that it could not accept the card. • The thieves then made counterfeit bank cards and went to legitimate teller machines and withdrew cash. • Smart cards are getting popular • How to prevent identity theft?
Zero Knowledge Proof of Identity • Alice has an identity • She wants to identify herself to Bob • She does not want to reveal her identity • Instead of giving her identity to Bob, she will prove that she knows her identity
Fun Fact About This Paper!! • Best known zero knowledge proof of identity • In 1986, they submitted a US patent application • Potential military and commercial application • Patent office responded with a “secrecy order” • Disclosure of this material is dangerous to national security. • Otherwise, 2 years imprisonment or $10K fine or both • Criticism from academic community and press • Removed the secrecy order later
Feige-Fiat-Shamir’s identification scheme • Step 1: Trent T (KDC) publishes n = pq, where p and q are two large prime numbers (512 bit). Keeps p and q secret. • Step 2: Alice chooses k random numbers S1, … Sk in Zn. These numbers are her identity. gcd(Si, n) = 1 • Step 3: Alice computes I1, … Ik such that, • Step 4: Alice sends I = {I1, … Ik} to Trent • Step 5: Trent publishes I1, … Ik • Alice keeps S1, … Sk secret
Feige-Fiat-Shamir’s identification scheme (cont’d) • Step 0: S = {S1, … Sk} – Identity, I = {I1, … Ik} • Step 1: Alice chooses a random number R and computes X = ± R^2 mod n • Step 2: Alice sends X to Bob • Step 3: Bob prepares a k-bit random Boolean vector E (= E1 … Ek), Ej = 0 or 1 • Step 4: Bob sends E (= E1 … Ek) to Alice • Step 5: Alice computes Y • Step 6: Alice sends Y to Bob • Step 7: Bob checks whether • Note:
Example • Step 1: Trent T (KDC) publishes n = 35 = 5*7 • Step 2: Alice chooses S = {3, 4, 9} as her secret key/identity, k = 3 • Step 3: Alice computes I = {4, 11, 16} (mod 35) • Step 4: Alice sends I = {4, 11, 16} to Trent • Step 5: Trent publishes I = {4, 11, 16}
Example (cont’d) • Step 0: S = {3, 4, 9} – Identity, I = {4, 11, 16} • Step 1: Alice chooses a random number R = 16 and computes X = 16^2 mod 35 = 11 • Step 2: Alice sends X = 11 to Bob • Step 3: Bob prepares a 3-bit random Boolean vector E = 6 (110) • Step 4: Bob sends E = 6 (110) to Alice • Step 5: Alice computes Y = (16 × 3 × 4) mod 35 = 17 • Step 6: Alice sends Y = 17 to Bob • Step 7: Bob checks whether 17^2 × 4 × 11 mod 35 = 11 == X
Alice Can Cheat !!! • Step 0: S = {3, 4, 9} – Identity, I = {4, 11, 16} • Step 1: Alice computes X for any random Y = 7: X = 7^2 × 11 mod 35 = 14 • Step 2: Alice sends X = 14 to Bob • Step 3: Bob prepares a 3-bit random Boolean vector E = 2 (010) • Step 4: Bob sends E = 2 (010) to Alice • Step 6: Alice sends Y = 7 to Bob • Step 7: Bob checks whether 7^2 × 11 mod 35 = 14 == X • E = 2 = (010) – Correct guess
Security • Alice can still cheat • If she can correctly guess E of step 4 • Can compute the X for any random Y at step 7 before the start of the protocol. • Does not need to know secret keys • Probability of correct guessing 2^-k (since |E| = k) • Bob repeats the protocol t times • Probability of cheating is 2^-kt
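The identification round and the guess-the-challenge cheat from the slides above, as an added example that is not part of the original presentation, using the slides' own toy numbers (n = 35, S = {3, 4, 9}, I = {4, 11, 16}). The relations Y = R × ∏ Sj^Ej mod n and Y^2 × ∏ Ij^Ej = X mod n are the standard Feige-Fiat-Shamir ones, matching the worked numbers on the slides; the + sign is taken for X = ±R^2, and the function names are hypothetical.

```python
from itertools import product
from math import prod

N = 35                 # toy modulus from the slides (5 * 7)
S = (3, 4, 9)          # Alice's secret identity values
I = (4, 11, 16)        # published values; each satisfies I_j * S_j^2 = 1 (mod N)

def select(values, E):
    """Product mod N of the values whose challenge bit E_j is 1."""
    return prod(v for v, e in zip(values, E) if e) % N

def commit(R):
    """Step 1: X = R^2 mod n (taking the + sign)."""
    return R * R % N

def respond(R, E):
    """Step 5: Y = R * prod(S_j for E_j = 1) mod n; needs the secrets."""
    return R * select(S, E) % N

def verify(X, E, Y):
    """Step 7: accept iff Y^2 * prod(I_j for E_j = 1) mod n equals X."""
    return Y * Y * select(I, E) % N == X

def cheat_commit(Y, guess):
    """No secrets: fix Y first, then derive the X that passes if Bob sends `guess`."""
    return Y * Y * select(I, guess) % N

def accepted_challenges(Y, guess):
    """Every challenge E for which the cheating commitment would be accepted."""
    X = cheat_commit(Y, guess)
    return [E for E in product((0, 1), repeat=len(I)) if verify(X, E, Y)]
```

With Y coprime to n (for instance Y = 8), exactly one of the 2^k challenges passes, which is the 2^-k guessing probability stated above. The slides' Y = 7 shares a factor with 35, so in this toy modulus it happens to pass for 4 of the 8 challenges.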
Security (cont’d) • Security relies on the difficulty of finding square roots modulo a large composite number n = pq. • This protocol, relative to a trusted center, is a sound and zero knowledge proof of knowledge provided that k = O(log log n) and t = O(log n) • For n = 2^1024, k = 10 and t = 1024 • Limited computational power required for an honest prover and verifier
Parallel version • Each step contains data for all t rounds simultaneously. • Security properties are the same as in the sequential version
Real World • Smart card issuer generates S = {S1, … Sk} and I = {I1, … Ik} using a large composite n = pq • Keeps p and q secret • Publishes n and I = {I1, … Ik} • Embeds S = {S1, … Sk} and other information into the card
Real World (cont’d) • A microprocessor with limited computational power is embedded on the card • No one can read S = {S1, … Sk} directly • Only the microprocessor can access them for computation • Card is built using some tamper free technology