Zero Knowledge Proofs

1. Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal

2. Zero Knowledge Proofs • Introduction • Properties of ZKP • Advantages of ZKP • Examples • Fiat-Shamir Identification Protocol • Real-Time Applications

3. Zero Knowledge Proofs (ZKP) • Goldwasser, Micali, and Rackoff, 1985. • ZKP instance of Interactive Proof System • Interactive Proof Systems • Challenge-Response Authentication • Prover and Verifier • Verifier Accepts or Rejects the Prover

4. ZKP • Zero knowledge Transfer between the Prover and the Verifier • The verifier accepts or rejects the proof after multiple challenges and responses • Probabilistic Proof Protocol • Overcomes Problems with Password Based Authentication

5. Properties of ZKP • Completeness • Succeeds with high probability for a true assertion given an honest verifier and an honest prover. • Soundness • Fails for any other false assertion, given a dishonest prover and an honest verifier

6. Advantages of ZKP • As name Suggests – Zero Knowledge Transfer • Computational Efficiency – No Encryption • No Degradation of the protocol • Based on problems like discrete logarithms and integer factorization

7. Classic Example • Ali Baba’s Cave Alice has to convince Bob She knows the secret to open the cave door without telling the secret (“Open Sesame”). (source: http://www.rsasecurity.com/rsalabs/faq/2-1-8.html)

8. Fiat-Shamir Identification Protocol • 3 Message Protocol • Alice A, the Prover and Bob B, the Verifier A  B : x = r2 mod n A  B : e  { 0,1} A  B : y = r * se mod n is y2 = x * ve ? • A random modulus n, product of two large prime numbers p and q generated by a trusted party and made public • Prover chooses secret s relatively prime to n • prover computes v = s2 mod n, where v is the public key

9. Fiat-Shamir Identification Protocol • Alice chooses a random number r (1  r  n-1) • Sends to Bob x = r2 mod n – commitment • Bob randomly sends either a 0 or a 1 ( e  { 0,1}) as his challenge • Depending on the challenge from Bob, Alice computes the response as y = r if e = 0 or otherwise y = r*s mod n • Bob accepts the response upon checking y2  x * ve mod n

10. Fiat-Shamir Identification Protocol • After many iterations, with a very high probability Bob can verify Alice’s identity • Alice’s response does not reveal the secret s (with y = r or y = r* s mod n) • An intruder can prove Alice’s identity without knowing the secret, if he knows Bob’s challenge in advance: • Generate random r • If expected challenge is 1, send x = r2/v mod n as commitment, and y = r as response • If expected challenge is 0, send x = r mod n as commitment • Probability that any Intruder impersonating the prover can send the right response is only ½ • Probability reduced as iterations are increased • Important - Alice should not repeat r

11. Applications • Watermark Verification • Show the presence of watermark without revealing information about it • prevents from removing the watermark and reselling multiple duplicate copies • Others – e-voting, e-cash etc.

12. Products • Sky’s VideoCrypt • Analogue decoding card for satellite DirecTV descrambler used to authenticate the subscriber’s card • Uses Fiat-Shamir Zero Knowledge Protocol • NGSCB – New Generation Secure Computing Base • Zero Knowledge for code attestations

13. References [1] Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone, Handbook of Applied Cryptography. [2] Ross Anderson, Security Engineering [3] Wenbo Mao, Modern Cryptography theory and practice [4] Don Coppersmith (Ed.), Advances in Cryptology- CRYPTO ’95 Lecture Notes in Computer Science. [5] www.rsa.com [6] Oded Goldreich, Silvio Micali and Avi Wigderson, “ Proofs that yield nothing but their validity and a methodology of cryptographic protocol design”. [7] Oren, Y., “ Properties of Zero-knowledge Proofs”. [8] A Mitropoulos, and H. Meijer, “ Zero-knowledge proofs – a survey”.