Comparative Study on Zero-Knowledge Identification Protocols


Presentation Transcript


  1. Discrete Mathematics Term Project Final Presentation, Lectured by: Prof. Kwangjo Kim • Comparative Study on Zero-Knowledge Identification Protocols • Konidala M. Divyan, International Research Center for Information Security, Director: Prof. Kwangjo Kim

  2. Introduction • Identification • Allows one party (the verifier) to gain assurance that the identity of another (the prover) is as declared, thereby preventing impersonation. • Methods of Identification • Passwords (Weak Authentication) • Challenge-response identification (Strong Authentication) • Symmetric-Key Techniques • Public-Key Techniques • Zero-Knowledge Identification Protocols

  3. Introduction • Zero-knowledge Identification Protocols • Based on interactive proof systems and zero-knowledge proofs • Use random numbers as challenges and as commitments to prevent cheating • Do not rely on digital signatures, public-key encryption, block ciphers, sequence numbers, or timestamps.

  4. Discrete Mathematics Vs My Term Project • Projects one of the practical uses of Discrete Mathematics in the field of Information Security • My topic is strongly based on the following Discrete Mathematics concepts • Logic, Sets, and Functions • Algorithms (Their Analysis), the Integers, and Matrices • Counting, Relations • Graphs

  5. My Term Project Vs My Major • My Major • Cryptology and Information Security • Advising Prof: Prof. Kwangjo Kim • Earlier concentrated only on the “zero-knowledge interactive proofs” based on • Integer Factorization Problem (RSA) • Fiat-Shamir Identification Protocol • Feige-Fiat-Shamir Identification Protocol • Guillou-Quisquater (GQ) Identification Protocol • Discrete Logarithmic Problem • Schnorr Identification Protocol

  6. My Term Project Vs My Major • Through this term project, I could concentrate on the “zero-knowledge interactive proofs” based on • Graph Problems • Hamiltonian cycles of large graphs • Graph Isomorphism • Graph Coloring

  7. My Term Project Vs My Major • Study of these zero-knowledge interactive proofs helped me in analyzing their importance in my M.S. degree research topic “Security in Pervasive Computing” • Because they involve very few computations when compared to other Symmetric Key and PKI protocols • Very useful for lightweight devices used in pervasive environments

  8. Goal of Term Project • Compare the following Zero-Knowledge Identification Protocols based on • Integer Factorization Problem (like RSA) • Feige-Fiat-Shamir Identification Protocol • Guillou-Quisquater (GQ) Identification Protocol • Discrete Logarithmic Problem • Schnorr Identification Protocol • Graph Problems • Hamiltonian cycles of large graphs • Graph Isomorphism • Graph Coloring

  9. Goal of Term Project • Comparison Criteria • Communications • Computations • Memory • Security Guarantees • Trust required in third party

  10. Overview of Zero-Knowledge Concepts • A prover demonstrates knowledge of a secret while revealing no information whatsoever of use to the verifier in conveying this demonstration of knowledge to others. • ZK protocols are instances of • interactive proof systems • Prover and verifier exchange multiple messages (challenges and responses) • Proofs are probabilistic rather than absolute; they need be correct only with bounded probability.

  11. Overview of Zero-Knowledge Concepts • Proofs of knowledge • Interactive proofs used for identification • A possesses some secret s, and attempts to convince B it has knowledge of s by correctly responding to queries which require knowledge of s to answer. • Should satisfy “Completeness” and “Soundness” properties • Zero-knowledge property • There exists an expected polynomial-time algorithm (simulator) which can produce, upon input of the assertion(s) to be proven but without interacting with the real prover (Simulatable)

  12. Zero-knowledge vs. other asymmetric protocols • No degradation with usage • Resist chosen-text attacks • Encryption avoided • Efficient • Unproven assumptions • Many ZK protocols (“proofs of knowledge”) themselves rely on the same unproven assumptions as PK techniques

  13. General Structure of ZK Protocols • A → B: witness • A ← B: challenge • A → B: response • Combination of • cut-and-choose protocols and challenge-response protocols

  14. Modes of Operations • Interactive • where prover and verifier interactively go through the protocol, building up the certainty piece by piece. • Parallel • where the prover creates a number of problems and the verifier asks for a number of solutions at a time. This can be used to bring down the number of interactive messages over a connection with slow response time. • Off line • where the prover creates a number of problems, and then uses a cryptographically strong one-way hash function on the data and the set of problems to play the role of the verifier, to select a random solution wanted for each problem. He then appends these solutions to the message. This mode can be used for digital signatures.

  15. ZK Proof based on Integer Factorization Problem • Outline: ZKP–IFP (FFS Protocol, GQ Protocol) • ZKP–DLP (Schnorr Protocol) • ZKP–Graph Prob. (Graph Isomorphism, Graph Coloring, Hamiltonian Cycles) • Feige-Fiat-Shamir Identification Protocol (1998) • 1. One-time setup. • (a) Selection of system parameters: • A trusted center T selects and publishes an RSA-like modulus $n = pq$ but keeps primes $p$ and $q$ secret. • (b) Selection of per-entity secrets: • Each prover A selects secrets $s_1, s_2, \dots, s_k$ with $1 \le s_i \le n - 1$, and $k$ random bits $b_1, \dots, b_k$, computes $v_i = (-1)^{b_i} (s_i^2)^{-1} \bmod n$ for $1 \le i \le k$, and registers $(v_1, \dots, v_k; n)$ with T as its public key.

  16. Feige-Fiat-Shamir Identification Protocol • 2. Protocol Actions • (a) A chooses an integer $r$ and a bit $b$, computes $x = (-1)^b r^2 \bmod n$, and sends $x$ (the witness) to B. • (b) B sends to A as challenge a random $k$-bit vector $(e_1, e_2, \dots, e_k)$. • (c) A computes $y = r \prod_{j=1}^{k} s_j^{e_j} \bmod n$ and sends $y$ to B (the response). • (d) B computes $z = y^2 \prod_{j=1}^{k} v_j^{e_j} \bmod n$ and verifies that $z = \pm x$ and $z \ne 0$.

  17. Example of Feige-Fiat-Shamir Identification Protocol • 1. The trusted center T selects the primes $p = 683$, $q = 811$, and publishes $n = pq = 553913$. Integers $k = 3$ and $t = 1$ are defined as security parameters. • 2. Entity A does the following. • (a) Selects 3 random integers $s_1 = 157$, $s_2 = 43215$, $s_3 = 4646$, and 3 bits $b_1 = 1$, $b_2 = 0$, $b_3 = 1$. • (b) Computes $v_1 = 441845$, $v_2 = 338402$, and $v_3 = 124423$. • (c) A’s public key is (441845, 338402, 124423; 553913) and private key is (157, 43215, 4646). • 3. Protocol Actions • (a) A chooses $r = 1279$, $b = 1$, computes $x = 25898$, and sends this to B. • (b) B sends to A the 3-bit vector (0, 0, 1). • (c) A computes and sends to B $y = r \cdot s_3 \bmod n = 403104$. • (d) B computes $z = y^2 v_3 \bmod n = 25898$ and accepts A’s identity since $z = +x$ and $z \ne 0$.
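
The Feige-Fiat-Shamir setup and round from slides 15 to 17, as an added Python example (not part of the original presentation) that recomputes the worked numbers and runs the verifier's check for every possible challenge. The function names are chosen for this example; the parameters are the ones on slide 17.

```python
from itertools import product
from math import prod

def ffs_public_key(n, secrets, bits):
    """v_i = (-1)^{b_i} * (s_i^2)^{-1} mod n (slide 15, step 1b)."""
    return [((-1) ** b * pow(s * s, -1, n)) % n for s, b in zip(secrets, bits)]

def ffs_witness(n, r, b):
    """x = (-1)^b * r^2 mod n (slide 16, step a)."""
    return ((-1) ** b * r * r) % n

def ffs_response(n, r, secrets, e):
    """y = r * prod_j s_j^{e_j} mod n (slide 16, step c)."""
    return (r * prod(s for s, bit in zip(secrets, e) if bit)) % n

def ffs_z(n, pub, e, y):
    """z = y^2 * prod_j v_j^{e_j} mod n (slide 16, step d)."""
    return (y * y * prod(v for v, bit in zip(pub, e) if bit)) % n

def ffs_verify(n, pub, x, e, y):
    """Verifier accepts iff z = +x or z = -x (mod n) and z != 0."""
    z = ffs_z(n, pub, e, y)
    return z != 0 and z in (x, (-x) % n)

def worked_example():
    # Parameters copied from slide 17.
    n, secrets, bits = 553913, [157, 43215, 4646], [1, 0, 1]
    r, b, e = 1279, 1, (0, 0, 1)
    pub = ffs_public_key(n, secrets, bits)
    x = ffs_witness(n, r, b)
    y = ffs_response(n, r, secrets, e)
    return {"pub": pub, "x": x, "y": y, "z": ffs_z(n, pub, e, y),
            "accept": ffs_verify(n, pub, x, e, y)}

def all_challenges_accept(n, secrets, bits, r, b):
    """Completeness: the honest prover passes for each of the 2^k challenges."""
    pub, x = ffs_public_key(n, secrets, bits), ffs_witness(n, r, b)
    return all(ffs_verify(n, pub, x, e, ffs_response(n, r, secrets, e))
               for e in product((0, 1), repeat=len(secrets)))

if __name__ == "__main__":
    print(worked_example())
```
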

  18. Guillou-Quisquater (GQ) Identification Protocol (1988) • System Parameters • Private: $p$, $q$, $s = v^{-1} \bmod \phi(n)$ • $n = pq$, $v > 2$ • User Parameters • The secret of A with $J_A = f(I_A)$ is $s_A = J_A^{-s} \bmod n$ • Protocol Messages (Repeat $t$ times) • A sends to B (Commit): $I_A$, $x = r^v \bmod n$ for a random $r$ • B sends to A (Challenge): a random $e$ with $1 \le e \le v$ • A sends to B (Response): $y = r \, s_A^{e} \bmod n$ • Verify • B computes $z = J_A^{e} y^{v} \bmod n$ • Accept A’s proof of identity if $z = x$ and $z \ne 0$

  19. ZK Proof based on Discrete Logarithmic Problem • Schnorr Identification Protocol (1990) • System Parameters • Primes $p$ and $q$ with $q \mid p - 1$ • $h = g^{(p-1)/q} \bmod p$ has order $q$ ($g$ is a generator of $GF(p)$) • Verification public key for the signature $S_T(m)$, a parameter $t$ • User Parameters • A chooses a private key $a$ and computes the public key $v = h^{-a}$ • A transfers $v$ to T and obtains $cert_A = (I_A, v, S_T(I_A, v))$

  20. Schnorr Identification Protocol • Protocol Messages (Repeat $t$ times) • A sends to B (Commit): $cert_A$, $x = h^r \bmod p$ for a random $r$ • B authenticates A’s public key and sends to A (Challenge): a random $e$ with $1 \le e \le 2^t < q$ • A sends to B (Response): $y = ae + r \bmod q$ • Verify • B computes $z = h^y v^e \bmod p$ • Accept A’s proof of identity if $z = x$

  21. ZK Proof based on Graph Problem • Graph-Isomorphism • A pair of two graphs, where • Let $\phi$ be an isomorphism between the input graphs, namely $\phi$ is a 1-1 and onto mapping of the vertex set $V_1$ to the vertex set $V_2$ so that

  22. Graph Isomorphism • Prover’s first step (A1): Select a random permutation $\pi$ over $V_1$, construct the set, and send it to the verifier. • Verifier’s first step (B1): B gets $H$ from P. V selects $\sigma \in_R \{1, 2\}$ and sends it to P. P is supposed to answer with an isomorphism between $G_\sigma$ and $H$.

  23. Graph Isomorphism • (A2): If $\sigma = 1$, then send $\psi = \pi$ to B. Otherwise send $\psi = \pi \circ \phi^{-1}$ to B. • (B2): If $\psi$ is an isomorphism between $G_\sigma$ and $H$ then B outputs 1, otherwise it outputs 0.

  24. Graph Isomorphism (Flow) • Prover: $\pi$ = random permutation, $H \leftarrow \pi(G_1)$ • Prover → Verifier: $H$ • Verifier → Prover: $\sigma \in_R \{1, 2\}$ • Prover → Verifier: $\psi$ (if $\sigma = 1$, send $\psi = \pi$, otherwise $\psi = \pi \circ \phi^{-1}$) • Verifier: accept iff $H = \psi(G_\sigma)$

  25. Graph Isomorphism example • Common input: two graphs $G_1$ and $G_2$ (figure: two graphs on vertices 1 to 5). • $\phi$: only P knows.

  26. Graph Isomorphism example • (Figure: graphs $G_1$, $G_2$ and $H$ on vertices 1 to 5.) • A sends $H$ to B. • B sends $\sigma = 2$ to A. • $\psi = \pi \circ \phi^{-1}$ • B gets $\psi$ and accepts. • Only P knows.
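
One round of the graph-isomorphism protocol from slides 22 to 24, as an added Python example (not part of the original presentation), together with the simulator idea from slide 11: a transcript produced without the secret is accepted exactly when the challenge was guessed in advance. The graph, the secret isomorphism and all function names are constructed for this example.

```python
import random

# Constructed sample input: a 5-vertex graph and a secret isomorphism PHI.
# G2 = PHI(G1) is the common input; PHI is known only to the prover A.
EDGES = [(1, 2), (2, 3), (3, 4), (4, 5), (5, 1), (1, 3)]
PHI = {1: 3, 2: 5, 3: 1, 4: 2, 5: 4}

def relabel(perm, edges):
    """Apply a vertex map to an undirected edge set."""
    return frozenset(frozenset((perm[u], perm[v])) for u, v in edges)

G1 = relabel({v: v for v in PHI}, EDGES)
G2 = relabel(PHI, EDGES)
GRAPHS = {1: G1, 2: G2}

def random_perm(rng):
    targets = list(PHI)
    rng.shuffle(targets)
    return dict(zip(PHI, targets))

def prover_commit(rng):
    """A1: pick a random pi and send H = pi(G1)."""
    pi = random_perm(rng)
    return pi, relabel(pi, G1)

def prover_respond(pi, sigma):
    """A2: psi = pi if sigma = 1, otherwise psi = pi o phi^-1."""
    if sigma == 1:
        return pi
    inv = {v: u for u, v in PHI.items()}
    return {x: pi[inv[x]] for x in inv}

def verifier_accepts(H, sigma, psi):
    """B2: psi must be a bijection with psi(G_sigma) = H."""
    return sorted(psi.values()) == sorted(psi) and relabel(psi, GRAPHS[sigma]) == H

def honest_round(rng):
    pi, H = prover_commit(rng)
    sigma = rng.choice((1, 2))          # B1: random challenge
    return verifier_accepts(H, sigma, prover_respond(pi, sigma))

def simulated_round(rng, sigma):
    """Uses no PHI: guess the challenge, commit to a permuted copy of that graph."""
    guess = rng.choice((1, 2))
    pi = random_perm(rng)
    H = relabel(pi, GRAPHS[guess])
    return guess == sigma, verifier_accepts(H, sigma, pi)
```
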

  27. Graph 3 Coloring • Common Input: A graph (figure: graph on vertices 1 to 5) • P can paint the graph in 3 colors. • P must keep the coloring a secret.

  28. Graph 3 Coloring • P chooses a random color permutation. • He puts all the nodes inside envelopes. • And sends them to the verifier.

  29. Graph 3 Coloring • Verifier receives a 3-colored graph, but colors are hidden. • He chooses an edge at random. • And asks the prover to open the 2 envelopes.

  30. Graph 3 Coloring • Prover opens the envelopes, revealing the colors. • Verifier accepts if the colors are different.

  31. Graph 3 Coloring • G = (V,E) is 3-colorable if there exists a mapping for every . • Let $\phi$ be a 3-coloring of G, and let $\pi$ be a permutation over {1,2,3} chosen randomly. • Define a random 3-coloring. • Put each $\psi(v)$ in a box with $v$ marked on it. • Send all the boxes to the verifier.

  32. Graph 3 Coloring • Verifier selects an edge at random, asking to inspect the colors. • Prover sends the keys to boxes u and v. • Verifier uses the keys to open the boxes. • If he finds 2 different colors from {1,2,3} - Accept. • Otherwise - Reject.

  33. Graph 3 Coloring (Flow) • (Figure: messages between P and V; boxes 1, 2, …, n holding $\psi(1), \psi(2), \dots, \psi(n)$; $key_u$, $key_v$.)

  34. Hamiltonian Cycles • Similar to Graph Isomorphism ZK Identification Protocol • The Hamiltonian cycle for a graph is a path through the graph that passes every node exactly once. • For an extremely large graph, this is very hard (hard enough) to calculate. • The prover's secret is the Hamiltonian cycle of a graph.

  35. Hamiltonian Cycles • The prover gives the verifier a permuted version of the original graph. • The verifier can ask for either • a proof that the graph is a permutation of the original graph, or • the Hamiltonian path for the permuted graph. • One of these can be calculated easily from the original data, but to know both, to be able to respond to both possible requests, requires knowledge of the secret, i.e. the Hamiltonian path of the graph.

  36. Hamiltonian Cycles • A must use a different permuted graph in each round, as he should never give both solutions to the same problem to B. • This protocol is theoretical because of the requirement for the graph to be extremely large, and the large memory and message size requirements it has.

  37. Analysis • Cryptographic protocol families and their calculation and memory requirements

      | Protocol family | Message size | Protocol iterations | Amount of calculation | Memory requirements |
      |---|---|---|---|---|
      | Zero-knowledge | large | many | large | large |
      | Public-key | large | one | very large | large |
      | Symmetric | small | one | small | small |

  38. Analysis

  39. Analysis

  40. Analysis

  41. Analysis

  42. Future Work • Study Digital Signatures using Zero-Knowledge Protocols • Fiat-Shamir Digital Signature Protocol • Guillou-Quisquater Digital Signature Protocol • Schnorr Digital Signature Protocol • Consider other modes of operations like parallel and offline modes in detail • Study other Zero-Knowledge protocols • Permuted Kernels Identification Scheme
