Zero-Knowledge Proofs

1 / 17

# Zero-Knowledge Proofs - PowerPoint PPT Presentation

Zero-Knowledge Proofs. J.W. Pope M.S. – Mathematics May 2004. What is a Zero- Knowledge Proof?. A zero-knowledge proof is a way that a “prover” can prove possession of a certain piece of information to a “verifier” without revealing it.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

## PowerPoint Slideshow about 'Zero-Knowledge Proofs' - ganesa

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

### Zero-Knowledge Proofs

J.W. Pope

M.S. – Mathematics

May 2004

What is a Zero- Knowledge Proof?

A zero-knowledge proof is a way that a “prover” can prove possession of a certain piece of information to a “verifier” without revealing it.

This is done by manipulating data provided by the verifier in a way that would be impossible without the secret information in question.

A third party, reviewing the transcript created, cannot be convinced that either prover or verifier knows the secret.

Properties of Zero-Knowledge Proofs
• Completeness – A prover who knows the secret information can prove it with probability 1.
• Soundness – The probability that a prover who does not know the secret information can get away with it can be made arbitrarily small.
An Example: Hamiltonian Cycles
• Peggy the prover would like to show Vic the verifier that an element b is a member of the subgroup of Zn* generated by a, where a has order l. (i.e., does ak = b for some k such that 0 ≤ k ≤ l?)
• Peggy chooses a random j, 0 ≤ j ≤ l – 1, and sends Vic aj.
• Vic chooses a random i = 0 or 1, and sends it to Peggy.
• Peggy computes j + ik mod l, and sends it to Vic.
• Vic checks that aj + ik = ajaik = ajbi.
• They then repeat the above steps log2n times.
• If Vic’s final computation checks out in each round, he accepts the proof.
Complexity Theory
• The last proof works because the problem of solving discrete logarithms is NP-complete (or is believed to be, at any rate).
• It has been shown that all problems in NP have a zero-knowledge proof associated with them.
Bit Commitments
• “Flipping a coin down a well”
• “Flipping a coin by telephone”
• A value of 0 or 1 is committed to by the prover by encrypting it with a one-way function, creating a “blob”. The verifier can then “unwrap” this blob when it becomes necessary by revealing the key.
Bit Commitment Properties
• Concealing – The verifier cannot determine the value of the bit from the blob.
• Binding – The prover cannot open the blob as both a zero and a one.
Bit Commitments: An Example
• Let n = pq, where p and q are prime. Let m be a quadratic nonresidue modulo n. The values m and n are public, and the values p and q are known only to Peggy.
• Peggy commits to the bit b by choosing a random x and sending Vic the blob mbx2.
• When the time comes for Vic to check the value of the bit, Peggy simply reveals the values b and x.
• Since no known polynomial-time algorithm exists for solving the quadratic residues problem modulo a composite n whose factors are unknown, hence this scheme is computationally concealing.
• On the other hand, it is perfectly binding, since if it wasn’t, m would have to be a quadratic residue, a contradiction.
Bit Commitments and Zero-Knowledge
• Bit commitments are used in zero-knowledge proofs to encode the secret information.
• For example, zero-knowledge proofs based on graph colorations exist. In this case, bit commitment schemes are used to encode the colors.
• Complex zero-knowledge proofs with large numbers of intermediate steps that must be verified also use bit commitment schemes.
Computational Assumptions
• A zero-knowledge proof assumes the prover possesses unlimited computational power.
• It is more practical in some cases to assume that the prover’s computational abilities are bounded. In this case, we have a zero-knowledge argument.
Zero-Knowledge Proof:

Unconditional completeness

Unconditional soundness

Computational zero-knowledge

Unconditionally binding blobs

Computationally concealing blobs

Zero-Knowledge Argument:

Unconditional completeness

Computational soundness

Perfect zero-knowledge

Computationally binding blobs

Unconditionally concealing blobs

Proof vs. Argument
Applications
• Zero-knowledge proofs can be applied where secret knowledge too sensitive to reveal needs to be verified
• Key authentication
• PIN numbers
• Smart cards
Limitations
• A zero-knowledge proof is only as good as the secret it is trying to conceal
• Zero-knowledge proofs of identities in particular are problematic
• The Grandmaster Problem
• The Mafia Problem
• etc.
Research
• I am currently working with Dr. Curtis Barefoot in the NMT Mathematics Dept. on methods of applying zero-knowledge proofs to mathematical induction: Can a prover prove a theorem via induction without revealing any of the steps beyond the base case?
• Possible application of methods developed by Camenisch and Michels (or maybe not?)
References
• Blum, M., “How to Prove a Theorem So No One Else Can Claim It”, Proceedings of the International Congress of Mathematicians, Berkeley, California, 1986, pp. 1444-1451
• Camenisch, J., M. Michels, “Proving in Zero-Knowledge that a Number is the Product of Two Safe Primes”, Eurocrypt ’99, J. Stern, ed., Lecture Notes in Computer Science 1592, pp. 107-122, Springer-Verlag 1999
• Cramer, R., I. Dåmgard, B. Schoenmakers, “Proofs of Partial Hiding and Simplified Design of Witness Hiding Protocols”, Advances in Cryptology – CRYPTO ’94, Lecture Notes in Computer Science 839, pp. 174-187, Springer-Verlag, 1994
• De Santis, A., G. di Crescenzo, G. Persiano, M. Yung, “On Monotone Formula Closure of SZK”, Proceedings of the 35th Symposium on the Foundations of Computer Science, pp. 454-465, IEEE, 1994
• Feigenbaum, J., “Overview of Interactive Proof Systems and Zero-Knowledge”, Contemporary Cryptology, G.J. Simmons, ed., pp. 423-440, IEEE Press 1992
• Quisquater, J.J., L. Guillou, T. Berson, “How to Explain Zero-Knowledge Protocols to Your Children”, Advances in Cryptology - CRYPTO ’99, Lecture Notes in Computer Science 435, pp. 628-631, 1990
• Schneier, B., Applied Cryptography (2nd edition), Wiley, 1996
• Stinson, D.R., Cryptography: Theory and Practice, CRC, 1995