Zero-Knowledge Proof

1 / 15

# Zero-Knowledge Proof - PowerPoint PPT Presentation

Zero-Knowledge Proof. About proving somebody knows some secret without revealing it Interactive: between the P rover &amp; V erifier ( P and V or P eggy &amp; V ictor ) Does not give away any information about the secret (zero-knowledge)

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

## PowerPoint Slideshow about 'Zero-Knowledge Proof' - diza

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Zero-Knowledge Proof
• About proving somebody knows some secret without revealing it
• Interactive: between the Prover & Verifier (P and V or Peggy & Victor)
• Does not give away any information about the secret (zero-knowledge)
• Does not allow the verifier to impersonate the prover
Secret: the key to open the door (C)

Uses cut-and-choose protocol

Enough to prove to Victor

Not enough to convince a third party (Carol) of proof’s validity

A very simple scenario

A

B

C

Graph-Isomorphism
• Peggy knows the Isomorphism between two big Graphs G1 and G2
• Peggy generates graphs H1, H2, ….Hn
• Victor asks Peggy to show isomorphism of Hi with either G1 or G2, but not both
• Why Zero-knowledge?
Nearly Zero-Knowledge proof
• Peggy has a secret number s
• Peggy’s public key is <n,v> where n is product of two large primes & v = s2 mod n
• Peggy chooses random r1, r2, r3, …, rk and passes all ri2 mod n to Victor
• For each ri2 mod n, Victor can ask either (s*ri mod n) or (ri mod n)
• Victor verifies the response from Peggy

- for x = s*ri mod n, check x2 v*ri2 mod n

- for y = ri mod n, check y2 ri2 mod n

Why does this work??
• Finding Square Root mod n as hard as factoring n
• If n has k prime factors, then x2 has 2k square roots mod n (Chinese remainder)
• So, take random x, compute s= x2 mod n
• Calculate y = (square root of s) mod n
• So, we have x & y with y2 x2 mod n
• So, (x+y)(x-y) = x2 – y2 0 mod n
Why does this work??
• If n has 2 prime factors, then x2 has 4 square roots mod n (Chinese remainder)
• Since (x+y)(x-y) = x2 – y2 0 mod n, 50% chance that neither (x+y) nor (x-y) is equal to0 mod n
• In that case, GCD of either (x+y) or (x-y) with n would be a nontrivial factor of n
• Factorization of n is possible!!!!
Impersonation
• For each ri2 mod n, Victor can ask Peggy to give either (s*ri mod n) or (ri mod n)
• Impersonator Fred can himself create pairs (rf mod n) & (rf2 mod n)
• So why not only <ri, s*ri> mod n?
• Fred can impersonate Peggy
Non-Interactive ZK Proof
• Uncertainty about “which question would be asked” is the backbone of ZKPS
• Interaction from Victor provides the random choice, or the element of uncertainty
• Use one-way (unpredictable) function as Victor surrogate
• Number of rounds must be large enough
Bit Commitment
• Alice wants to commit a bit but does not want to reveal it till some time in future
• Bob wants to make sure Alice cannot change her committed choice
• Why not simply encrypt something and give the key later?

- may find another key (it’s only a bit)

• Using symmetric key: Bob sends R, Alice commits EK{R,b} to Bob, gives up K later
Using one-way function
• Why not simply send a Hash(R,b) to Bob and later reveal both R & b?

With no R1 from Bob …

• Alice generates random-bit strings R1 & R2
• Alice sends R1 and Hash(R1,R2,b) to Bob
• Later, Alice sends (R1,R2,b) to Bob
• Bob checks R1 and the Hash(R1,R2,b)
• Why is R2 required?
Using Pseudo Random Numbers
• Bob sends a random-bit string RB to Alice
• Alice has a secret random seed for a PRNG known to both Alice & Bob
• Alice does for every bit x of Rb:
• if x = 0, send out the output of the PRNG
• If x = 1, send x  b
• Alice reveals the seed, and Bob confirms
Back to ZKPS – Ham cycle
• Peggy knows a Ham-cycle of G
• Peggy creates isomorphic graphs G1, G2, … , Gi
• Peggy encrypts the Adjacency matrix using separate keys for each cell and commits it
• As per Victor’s request, Peggy does one of the following for each of the encrypted graph H:
• Supply Bob all the decryption keys and show its isomorphism to G without giving out the cycle
• Decrypt only the edges constituting the cycle without revealing the structure of the graph
Minimum-Disclosure Proofs
• Peggy cannot cheat Victor. If Peggy does not know the proof, her chances of convincing Victor that she knows the proof are negligible.
• Victor cannot cheat or impersonate Peggy. He does not get the slightest hint of the proof, other than the fact that Peggy knows the proof. In particular, Victor cannot demonstrate the proof to anyone else without proving it himself.
Minimum-Disclosure Proof
• Zero-knowledge proofs have an additional condition to Minimum-disclosure proofs:
• Victor learns nothing from Peggy that he could not learn by himself without Peggy, apart from the fact that Peggy knows the proof.
Zero-Knowledge Proofs of Identity
• No physical tokens
• Abuses:
• The Chess Grandmaster Problem
• The Mafia Fraud
• The Terrorist Fraud
• Solution:
• Allow no communication (Faraday cage)